Set up Istio to use CSR operator as external CA
Streaming Data Manager allows you to use a separate CSR operator to provide certificates to Istio.
- Install CSR-operator. CSR-operator runs in privateCA signer mode and by default generates the CA key and CA certificate into a secret. The secret is named “csr-operator-cacerts” and lives in the namespace where the CSR-operator has been installed.

  ```bash
  smm sdm csr install --namespace <csr-operator-namespace>
  ```

- Configure Istio to use CSR-operator as an external CA. The CSR-operator signs the certificate signing requests that Istio generates.

  - From the secret generated automatically by the CSR-operator (“csr-operator-cacerts” in the “csr-operator-system” namespace), create a new secret in the namespace where Istio is installed (by default “istio-system”), because Istio requires that secret in another format, without the CA private key. The value of `root-cert.pem` is the base64-encoded CA certificate exactly as it is stored under `data` in the source secret; only the certificate is copied, never the CA key.

    ```bash
    kubectl create -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: external-ca-cert
      namespace: istio-system
    data:
      root-cert.pem: <ca_crt.pem-from-csr-operator-cacerts>
    EOF
    ```

  - Deploy the IstioControlPlane CR into your cluster.

    ```bash
    kubectl create -f - <<EOF
    apiVersion: servicemesh.cisco.com/v1alpha1
    kind: IstioControlPlane
    metadata:
      name: icp-sample-v115x
      namespace: istio-system
      labels:
        banzaicloud.io/managed-by: supertubes
    spec:
      version: "1.15.3"
      mode: ACTIVE
      distribution: cisco
      meshID: sdm
      clusterID: <identifier that uniquely identifies the Kubernetes cluster where this istio control plane is deployed to (for example, UID of the kube-system namespace)>
      k8sResourceOverlays:
      - groupVersionKind:
          group: apps
          kind: Deployment
          version: v1
        objectKey:
          name: istiod-icp-sample-v115x
        patches:
        - parseValue: true
          path: /spec/template/spec/volumes/-
          type: replace
          value: |
            name: external-ca-cert
            secret:
              secretName: external-ca-cert
              optional: true
        - parseValue: true
          path: /spec/template/spec/containers/name=discovery/volumeMounts/-
          type: replace
          value: |
            name: external-ca-cert
            mountPath: /etc/external-ca-cert
            readOnly: true
      # Amend ClusterRole to add permission for istiod to approve certificate signing by custom signer
      - groupVersionKind:
          group: rbac.authorization.k8s.io
          kind: ClusterRole
          version: v1
        objectKey:
          name: istiod-icp-sample-v115x-istio-system
        patches:
        - parseValue: true
          path: /rules/-
          type: replace
          value: |
            apiGroups:
            - certificates.k8s.io
            resourceNames:
            - csr.banzaicloud.io/privateca
            resources:
            - signers
            verbs:
            - approve
      containerImageConfiguration:
        imagePullSecrets:
        - name: registry-creds
        imagePullPolicy: Always
      proxy:
        image: 033498657557.dkr.ecr.us-east-2.amazonaws.com/banzaicloud/istio-proxyv2:v1.15.3-bzc-kafka.1
      meshConfig:
        protocolDetectionTimeout: 5s
        enableAutoMtls: true
        defaultConfig:
          proxyMetadata:
            PROXY_CONFIG_XDS_AGENT: "true"
      telemetryV2:
        enabled: true
      istiod:
        deployment:
          image: 033498657557.dkr.ecr.us-east-2.amazonaws.com/banzaicloud/istio-pilot:v1.15.3-bzc.2
          env:
          # Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
          - name: PILOT_SKIP_VALIDATE_TRUST_DOMAIN
            value: "true"
          # Indicate to Istiod that we use an external signer (likely to be removed and added to mesh config - from upstream Istio)
          - name: EXTERNAL_CA
            value: ISTIOD_RA_KUBERNETES_API
          # Kubernetes CA signer type (likely to be removed and added to mesh config - from upstream Istio)
          - name: K8S_SIGNER
            value: csr.banzaicloud.io/privateca
    EOF
    ```
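Two pre-apply checks for the procedure above, as an added example that is not part of the Streaming Data Manager or Istio documentation: deriving the `external-ca-cert` Secret from `csr-operator-cacerts` while refusing to copy anything that is not a certificate, and linting the IstioControlPlane so that `K8S_SIGNER`, the ClusterRole `resourceNames`, and the istiod volume's `secretName` agree with each other. It assumes the source secret stores the certificate under the key `ca_crt.pem` (inferred from the placeholder above) and that both manifests are loaded as dicts, for example from `kubectl get ... -o json`.

```python
import base64

CA_CERT_KEY = "ca_crt.pem"       # key in csr-operator-cacerts, inferred from the placeholder above
ROOT_CERT_KEY = "root-cert.pem"  # key istiod reads from external-ca-cert

def build_external_ca_secret(source_secret: dict, namespace: str = "istio-system") -> dict:
    """Derive external-ca-cert from csr-operator-cacerts (dict from `kubectl get secret -o json`)."""
    data = source_secret.get("data", {})
    if CA_CERT_KEY not in data:
        raise KeyError(f"{CA_CERT_KEY} missing from source secret")
    pem = base64.b64decode(data[CA_CERT_KEY]).decode()
    # Only the CA certificate is copied; the CA private key must not reach istio-system.
    if "-----BEGIN CERTIFICATE-----" not in pem or "PRIVATE KEY" in pem:
        raise ValueError(f"{CA_CERT_KEY} is not a certificate-only PEM")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "external-ca-cert", "namespace": namespace},
        "data": {ROOT_CERT_KEY: data[CA_CERT_KEY]},  # Secret data is already base64
    }

def check_icp(icp: dict) -> list:
    """Lint an IstioControlPlane dict: env, volume overlay and RBAC overlay must agree."""
    findings, seen = [], set()
    name, ns, spec = icp["metadata"]["name"], icp["metadata"]["namespace"], icp["spec"]
    env = {e["name"]: e.get("value") for e in spec["istiod"]["deployment"].get("env", [])}
    if env.get("EXTERNAL_CA") != "ISTIOD_RA_KUBERNETES_API":
        findings.append("EXTERNAL_CA must be ISTIOD_RA_KUBERNETES_API")
    signer = env.get("K8S_SIGNER") or "<unset>"
    for overlay in spec.get("k8sResourceOverlays", []):
        kind, target = overlay["groupVersionKind"]["kind"], overlay["objectKey"]["name"]
        for patch in overlay.get("patches", []):
            value = patch.get("value", "")
            if kind == "Deployment" and patch["path"].endswith("/volumes/-"):
                seen.add("volume")  # istiod Deployment is named istiod-<icp name>, as in the sample
                if target != f"istiod-{name}":
                    findings.append(f"volume overlay targets {target}, expected istiod-{name}")
                if "secretName: external-ca-cert" not in value:
                    findings.append("istiod volume does not reference secret external-ca-cert")
            elif kind == "ClusterRole" and "signers" in value:
                seen.add("rbac")  # ClusterRole is named istiod-<icp name>-<namespace>, as in the sample
                if target != f"istiod-{name}-{ns}":
                    findings.append(f"RBAC overlay targets {target}, expected istiod-{name}-{ns}")
                if f"- {signer}" not in value or "- approve" not in value:
                    findings.append(f"ClusterRole does not grant approve on signer {signer}")
    findings += [f"missing {part} overlay" for part in ("volume", "rbac") if part not in seen]
    return findings
```

Because the istiod volume is declared `optional: true`, a missing or misnamed secret does not stop istiod from starting, which is why the name check is worth running before `kubectl create`.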