Download the tlspk-helper script and istioctl CLI.
curl -fsSLO https://venafi-ecosystem.s3.amazonaws.com/tlspk/v1/tlspk-helper.sh && chmod 700 tlspk-helper.sh
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.17.2 sh -
sudo mv istio-*/bin/istioctl /usr/local/bin
Create a local K8s cluster.
kind create cluster --name k8s-$(date +"%y%m%d%H%M") --image kindest/node:v1.26.3
Set the TLSPK service-account credentials. The single quotes around the secret stop the shell from interpreting any special characters it contains.
export [email protected]
export TLSPK_SA_USER_SECRET='<SECRET>'
Deploy cert-manager via the TLSPK operator.
./tlspk-helper.sh deploy-agent --auto-approve
./tlspk-helper.sh install-operator --auto-approve
./tlspk-helper.sh deploy-operator-components --auto-approve
Create the istio-system namespace.
kubectl create namespace istio-system
Patch the Installation so that the operator creates a self-signed CA issuer named istio-ca in istio-system and points istio-csr at it.
kubectl patch installation jetstack-secure --type merge --patch-file <(cat <<EOF
spec:
  istioCSR:
    issuerRef:
      name: istio-ca
    istioNamespace: istio-system
  issuers:
  - name: istio-ca
    namespace: istio-system
    ca:
      secretName: ca-secret
    selfSignedCA:
      commonName: istio-ca
      subject:
        organizations:
        - cluster.local
        - cert-manager
EOF
)
Install Istio. The sed adaptation is needed because, under TLSPK, cert-manager (and with it istio-csr) runs in the "jetstack-secure" namespace rather than "cert-manager", so the istio-csr service address in the upstream example config has to be rewritten.
istioctl x precheck
istioctl install -y -f <( \
curl -sSL https://raw.githubusercontent.com/cert-manager/website/master/content/docs/tutorials/istio-csr/example/istio-config-getting-started.yaml | \
sed 's/cert-manager-istio-csr.cert-manager.svc/cert-manager-istio-csr.jetstack-secure.svc/g' #### TLSPK ####
)
Watch for CertificateRequest activity in the istio-system namespace (the namespace in which istio-csr issues workload certificates). This activity is transient/short-lived, hence the --watch flag. To keep CRs around for longer, consider the istio-csr --preserve-certificate-requests flag (non-prod only).
kubectl -n istio-system get certificaterequests --watch
Create a small web-server deployment in a meshed namespace and observe the above "watch".
kubectl create namespace demos
kubectl label namespace/demos istio-injection=enabled
kubectl -n demos create deployment test-app --image caddy
Any time pods from this deployment are created, new CertificateRequests appear in the "watch", validating that IstioCSR is functioning. Restart the deployment to see more istioCSR activity.
kubectl -n demos rollout restart deployment test-app
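Watching the CertificateRequests scroll past confirms that istio-csr is active, but it does not confirm that every request was issued by the intended issuer and was both approved and made ready. The following is an added example (not part of the original walkthrough, and not tlspk-helper or istio-csr code) that performs that check over a four-column listing. It assumes the columns NAME, ISSUER, APPROVED and READY as produced by the custom-columns kubectl invocation shown in the comment; the sample listing embedded in the script is constructed for illustration, and the CR names in it are made up.

```shell
#!/usr/bin/env sh
# Added example: verify that istio-csr CertificateRequests in istio-system use the
# expected issuer and carry Approved=True and Ready=True conditions.
#
# Live input would come from (assumed kubectl custom-columns invocation):
#   kubectl -n istio-system get certificaterequests -o custom-columns=\
#   'NAME:.metadata.name,ISSUER:.spec.issuerRef.name,APPROVED:.status.conditions[?(@.type=="Approved")].status,READY:.status.conditions[?(@.type=="Ready")].status'
#
# check_crs reads that listing on stdin, prints one line per CR, and returns
# non-zero when any CR deviates from the expected state.
check_crs() {
  expected_issuer="${1:-istio-ca}"   # the issuer configured in the Installation patch
  awk -v want="$expected_issuer" '
    NR == 1 { next }                     # skip the header line
    NF < 4  { next }                     # ignore malformed or blank lines
    {
      bad = ""
      if ($2 != want)   bad = bad " issuer=" $2      # wrong (possibly rogue) issuer
      if ($3 != "True") bad = bad " approved=" $3   # not approved by the approver
      if ($4 != "True") bad = bad " ready=" $4      # issuance did not complete
      if (bad != "") { printf "PROBLEM %s:%s\n", $1, bad; problems++ }
      else           { printf "ok      %s\n", $1; okcount++ }
    }
    END {
      printf "summary: %d ok, %d problems\n", okcount + 0, problems + 0
      exit (problems + 0 > 0)
    }
  '
}

# Constructed sample listing (CR names are made up): two healthy requests, one
# issued by an unexpected issuer, one approved but never made ready.
SAMPLE_CRS='NAME                 ISSUER     APPROVED   READY
istio-csr-6b7c9      istio-ca   True       True
istio-csr-f2a31      istio-ca   True       True
istio-csr-0d9e4      other-ca   True       True
istio-csr-77ab2      istio-ca   True       False'

# Run against the constructed sample; pipe the live kubectl output instead in a cluster.
printf '%s\n' "$SAMPLE_CRS" | check_crs istio-ca \
  || echo "one or more CertificateRequests need attention"
```

Running it against the live listing after the rollout restart above should report only "ok" lines for the new requests; a PROBLEM line with an unexpected issuer is the signal that a workload certificate was not issued through the istio-ca issuer created by the Installation patch.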