Set up Istio to use CSR operator as external CA

Streaming Data Manager allows you to use a separate CSR operator to provide certificates to Istio.

  1. Install CSR-operator. CSR-operator runs in privateCA signer mode and, by default, generates the CA key and CA certificate and stores them in a secret. The secret is named “csr-operator-cacerts” and is located in the namespace where CSR-operator has been installed.

    supertubes csr install --namespace <csr-operator-namespace>
    
  2. Configure Istio to use CSR-operator as an external CA. The CSR-operator signs certificate signing requests which are generated by Istio.

    1. Create a new secret in the namespace where Istio is installed (by default, “istio-system”), using the CA certificate from the secret that the CSR-operator generated automatically (“csr-operator-cacerts” in the “csr-operator-system” namespace). The copy is needed because Istio requires the secret in another format, without the CA private key.

      kubectl create -f - <<EOF
      apiVersion: v1
      kind: Secret
      metadata:
        name: external-ca-cert
        namespace: istio-system
      data:
        root-cert.pem: <ca_crt.pem-from-csr-operator-cacerts>
      EOF
      
    2. Deploy the IstioControlPlane CR into your cluster.

      kubectl create -f - <<EOF
      apiVersion: servicemesh.cisco.com/v1alpha1
      kind: IstioControlPlane
      metadata:
        name: icp-sample-v115x
        namespace: istio-system
        labels:
          banzaicloud.io/managed-by: supertubes
      spec:
        version: "1.15.3"
        mode: ACTIVE
        distribution: cisco
        meshID: sdm
        clusterID: <identifier that uniquely identifies the Kubernetes cluster where this istio control plane is deployed to (for example, UID of the kube-system namespace)>
        k8sResourceOverlays:
        - groupVersionKind:
            group: apps
            kind: Deployment
            version: v1
          objectKey:
            name: istiod-icp-sample-v115x
          patches:
          - parseValue: true
            path: /spec/template/spec/volumes/-
            type: replace
            value: |
              name: external-ca-cert
              secret:
                secretName: external-ca-cert
                optional: true        
          - parseValue: true
            path: /spec/template/spec/containers/name=discovery/volumeMounts/-
            type: replace
            value: |
              name: external-ca-cert
              mountPath: /etc/external-ca-cert
              readOnly: true        
        # Amend ClusterRole to add permission for istiod to approve certificate signing by custom signer
        - groupVersionKind:
            group: rbac.authorization.k8s.io
            kind: ClusterRole
            version: v1
          objectKey:
            name: istiod-icp-sample-v115x-istio-system
          patches:
          - parseValue: true
            path: /rules/-
            type: replace
            value: |
              apiGroups:
              - certificates.k8s.io
              resourceNames:
              - csr.banzaicloud.io/privateca
              resources:
              - signers
              verbs:
              - approve        
        containerImageConfiguration:
          imagePullSecrets:
          - name: registry-creds
          imagePullPolicy: Always
        proxy:
          image: 033498657557.dkr.ecr.us-east-2.amazonaws.com/banzaicloud/istio-proxyv2:v1.15.3-bzc-kafka.1
        meshConfig:
          protocolDetectionTimeout: 5s
          enableAutoMtls: true
          defaultConfig:
            proxyMetadata:
              PROXY_CONFIG_XDS_AGENT: "true"
        telemetryV2:
          enabled: true
        istiod:
          deployment:
            image: 033498657557.dkr.ecr.us-east-2.amazonaws.com/banzaicloud/istio-pilot:v1.15.3-bzc.2
            env:
            # Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
            - name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN
              value: "true"
            # Indicate to Istiod that we use an external signer (likely to be removed and added to mesh config - from upstream Istio)
            - name: EXTERNAL_CA
              value: ISTIOD_RA_KUBERNETES_API
            # Kubernetes CA signer type (likely to be removed and added to mesh config - from upstream Istio)
            - name: K8S_SIGNER
              value: csr.banzaicloud.io/privateca
      EOF
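
A check for step 2.1, as an added example that is not part of the original documentation: the function refuses to build the external-ca-cert secret when the copied value contains private key material or no PEM certificate. The data key name `ca_crt.pem` is inferred from the placeholder in step 2.1 and is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the product documentation).
# Namespaces and secret names are the ones used on this page; the data key
# "ca_crt.pem" is an assumption inferred from the page's placeholder.

# render_external_ca_secret <base64-value>
# Prints the external-ca-cert manifest, or fails if the value is not a
# certificate-only PEM bundle (the CA private key must stay where it is).
render_external_ca_secret() {
  _b64="$1"
  _pem="$(printf '%s' "$_b64" | base64 -d 2>/dev/null)" || {
    echo "refusing: value is not valid base64" >&2; return 2; }
  if printf '%s\n' "$_pem" | grep -q -- 'PRIVATE KEY-----'; then
    echo "refusing: value contains a private key" >&2; return 3
  fi
  if ! printf '%s\n' "$_pem" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
    echo "refusing: no PEM certificate found" >&2; return 4
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: external-ca-cert
  namespace: istio-system
data:
  root-cert.pem: ${_b64}
EOF
}

# copy_ca_cert: read the live secret and create the new one (needs kubectl
# access to both namespaces). Only the CA certificate is read, never the key.
copy_ca_cert() {
  _src="$(kubectl -n csr-operator-system get secret csr-operator-cacerts \
    -o 'jsonpath={.data.ca_crt\.pem}')" || return 1
  _manifest="$(render_external_ca_secret "$_src")" || return 1
  printf '%s\n' "$_manifest" | kubectl create -f -
}
```

Calling `copy_ca_cert` from a shell with cluster access replaces the manual copy in step 2.1.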