Chapter 4. OpenShift Service Mesh and cert-manager


The cert-manager tool provides a unified API to manage X.509 certificates for applications in a Kubernetes environment. You can use cert-manager to integrate with public or private key infrastructures (PKI) and automate certificate renewal.

The cert-manager tool ensures the certificates are valid and up-to-date by attempting to renew certificates at a configured time before they expire.

The cert-manager Operator for Red Hat OpenShift enhances certificate management for securing workloads and control plane components in Red Hat OpenShift Service Mesh and Istio. It supports issuing, delivering, and renewing certificates used for mutual Transport Layer Security (mTLS) through cert-manager issuers.

By integrating Istio with the istio-csr agent, which the cert-manager Operator manages, you enable Istio to request and manage the certificates directly. The integration simplifies security configuration and centralizes certificate management within the cluster.

Note

You must install the cert-manager Operator for Red Hat OpenShift before you create and install your Istio resource.
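The mTLS described above rests on a small PKI: a mesh root CA (the istio-ca Certificate created in the procedure that follows) and a leaf certificate per workload whose SPIFFE URI SAN, spiffe://<trust domain>/ns/<namespace>/sa/<service account>, is the identity a peer checks. The Go program below is an example added here, not code from this page, from the cert-manager Operator or from Istio: it builds that chain offline with the standard library, using the root parameters the procedure's Certificate specifies, and verifies a leaf roughly the way a sidecar does. The helper names (MeshCA, IssueWorkloadCert, VerifyPeer) and the 24h leaf lifetime are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// MeshCA stands in for the istio-ca Certificate the procedure asks cert-manager to create:
// ECDSA P-256, CN istio-ca, organizations cluster.local and cert-manager, 87600h lifetime.
type MeshCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewMeshCA builds the self-signed root locally (in the cluster the selfsigned Issuer does this).
func NewMeshCA() (*MeshCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "istio-ca", Organization: []string{"cluster.local", "cert-manager"}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(87600 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &MeshCA{Cert: cert, Key: key}, err
}

// Pool returns a trust store holding only this root, the bundle a sidecar would be given.
func (ca *MeshCA) Pool() *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca.Cert)
	return p
}

// WorkloadID is the SPIFFE identity Istio gives a workload:
// spiffe://<trustDomain>/ns/<namespace>/sa/<serviceAccount>.
func WorkloadID(trustDomain, namespace, serviceAccount string) string {
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", trustDomain, namespace, serviceAccount)
}

// IssueWorkloadCert signs a short-lived leaf carrying the SPIFFE URI SAN, the shape istio-csr
// requests from cert-manager for a mesh workload. The 24h lifetime is an assumption of this
// example, not a value from the page.
func (ca *MeshCA) IssueWorkloadCert(trustDomain, namespace, serviceAccount string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	id, _ := url.Parse(WorkloadID(trustDomain, namespace, serviceAccount)) // built above, always parses
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		URIs:         []*url.URL{id},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return leaf, key, err
}

// VerifyPeer does what a sidecar does with an mTLS peer certificate: chain it to the mesh
// root and accept only a SPIFFE ID inside the expected trust domain. It returns that ID.
func VerifyPeer(leaf *x509.Certificate, roots *x509.CertPool, trustDomain string) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" && u.Host == trustDomain {
			return u.String(), nil
		}
	}
	return "", fmt.Errorf("no SPIFFE ID in trust domain %q", trustDomain)
}
```

Two failure modes matter for the integration: a leaf signed by a CA outside the trust bundle (for example the root of a different cluster) must fail the chain check, and a leaf whose SPIFFE ID is in another trust domain must be rejected even though it chains correctly, which is why the trustDomain in the IstioCSR object has to match the mesh.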

4.1.1. Installing cert-manager

Integrate the cert-manager Operator with OpenShift Service Mesh by deploying the istio-csr agent and configuring an Istio resource to process certificate signing requests for workloads and the control plane.

Prerequisites

  • You have installed the cert-manager Operator for Red Hat OpenShift version 1.15.1.
  • You have logged in to OpenShift Container Platform 4.14 or later.
  • You have installed the OpenShift Service Mesh Operator.
  • You have an IstioCNI instance running in the cluster.
  • You have installed the istioctl command.

Procedure

  1. Create the istio-system namespace by running the following command:

    $ oc create namespace istio-system
  2. Create the root issuer by creating an Issuer object in a YAML file.

    1. Create an Issuer object similar to the following example:

      Note

      The selfSigned issuer is intended for demonstration, testing, or proof-of-concept environments. For production deployments, use a secure and trusted CA.

      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: selfsigned
        namespace: istio-system
      spec:
        selfSigned: {}
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: istio-ca
        namespace: istio-system
      spec:
        isCA: true
        duration: 87600h # 10 years
        secretName: istio-ca
        commonName: istio-ca
        privateKey:
          algorithm: ECDSA
          size: 256
        subject:
          organizations:
            - cluster.local
            - cert-manager
        issuerRef:
          name: selfsigned
          kind: Issuer
          group: cert-manager.io
      ---
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: istio-ca
        namespace: istio-system
      spec:
        ca:
          secretName: istio-ca
    2. Create the objects by running the following command:

      $ oc apply -f issuer.yaml
    3. Wait for the istio-ca certificate to contain the "Ready" status condition by running the following command:

      $ oc wait --for=condition=Ready certificates/istio-ca -n istio-system
  3. Copy the istio-ca certificate to the cert-manager namespace so it can be used by istio-csr:

    1. Extract the CA certificate from the istio-ca secret into a local file by running the following command:

      $ oc get -n istio-system secret istio-ca -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.pem
    2. Create a secret from the local certificate file in the cert-manager namespace by running the following command:

      $ oc create secret generic -n cert-manager istio-root-ca --from-file=ca.pem=ca.pem
  4. Install the istio-csr agent:

    1. Create an IstioCSR object similar to the following example:

      apiVersion: operator.openshift.io/v1alpha1
      kind: IstioCSR
      metadata:
        name: default
        namespace: istio-csr
      spec:
        istioCSRConfig:
          certManager:
            issuerRef:
              name: istio-ca
              kind: Issuer
              group: cert-manager.io
          istiodTLSConfig:
            trustDomain: cluster.local
          istio:
            namespace: istio-system
    2. Create the istio-csr agent by running the following command:

      $ oc create -f istioCSR.yaml
    3. Verify that the istio-csr deployment is ready by running the following command:

      $ oc get deployment -n istio-csr
  5. Install the istio resource:

    Note

    The configuration disables the built-in CA server for Istio and forwards certificate signing requests from istiod to the istio-csr agent. The istio-csr agent obtains certificates for both istiod and mesh workloads from the cert-manager Operator. The istio-csr agent generates the istiod TLS certificate, and the system mounts it into the pod at a known location.

    1. Create the Istio object similar to the following example:

      apiVersion: sailoperator.io/v1
      kind: Istio
      metadata:
        name: default
      spec:
        version: v1.24-latest
        namespace: istio-system
        values:
          global:
            caAddress: cert-manager-istio-csr.istio-csr.svc:443
          pilot:
            env:
              ENABLE_CA_SERVER: "false"
    2. Create the Istio resource by running the following command:

      $ oc apply -f istio.yaml
    3. Verify that the istio resource displays the "Ready" status condition.
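The objects created in the procedure above only work together if their references line up: the Certificate writes the secret that the istio-ca Issuer signs from, the IstioCSR object points at that Issuer in the Istio namespace, and the Istio resource sends CSRs to the istio-csr service while its own CA server stays off. A mismatch in any of these links shows up later as workloads without certificates, so it is worth checking before anything is applied. The Go program below is an example added here, not code from this page or from the operators involved: it embeds a JSON rendering of the page's manifests (constructed for the example, with the same field values as the YAML above) and cross-checks the links. LintMeshManifests and its helpers are names chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PageManifests is a JSON rendering, constructed for this example, of the five objects the
// procedure applies; the field values match the page's YAML, JSON is what encoding/json parses.
const PageManifests = `[
{"apiVersion":"cert-manager.io/v1","kind":"Issuer","metadata":{"name":"selfsigned","namespace":"istio-system"},"spec":{"selfSigned":{}}},
{"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"name":"istio-ca","namespace":"istio-system"},
 "spec":{"isCA":true,"duration":"87600h","secretName":"istio-ca","commonName":"istio-ca","privateKey":{"algorithm":"ECDSA","size":256},
 "subject":{"organizations":["cluster.local","cert-manager"]},"issuerRef":{"name":"selfsigned","kind":"Issuer","group":"cert-manager.io"}}},
{"apiVersion":"cert-manager.io/v1","kind":"Issuer","metadata":{"name":"istio-ca","namespace":"istio-system"},"spec":{"ca":{"secretName":"istio-ca"}}},
{"apiVersion":"operator.openshift.io/v1alpha1","kind":"IstioCSR","metadata":{"name":"default","namespace":"istio-csr"},
 "spec":{"istioCSRConfig":{"certManager":{"issuerRef":{"name":"istio-ca","kind":"Issuer","group":"cert-manager.io"}},
 "istiodTLSConfig":{"trustDomain":"cluster.local"},"istio":{"namespace":"istio-system"}}}},
{"apiVersion":"sailoperator.io/v1","kind":"Istio","metadata":{"name":"default"},"spec":{"version":"v1.24-latest","namespace":"istio-system",
 "values":{"global":{"caAddress":"cert-manager-istio-csr.istio-csr.svc:443"},"pilot":{"env":{"ENABLE_CA_SERVER":"false"}}}}}
]`

type obj = map[string]any

// get walks nested maps and returns nil when any key along the path is missing.
func get(m any, path ...string) any {
	for _, k := range path {
		mm, ok := m.(map[string]any)
		if !ok {
			return nil
		}
		m = mm[k]
	}
	return m
}
func str(v any) string { s, _ := v.(string); return s }

// LintMeshManifests cross-checks the references between the objects before they are applied.
// It returns one finding per broken link; an empty slice means the chain is consistent.
func LintMeshManifests(docs string) ([]string, error) {
	var objs []obj
	if err := json.Unmarshal([]byte(docs), &objs); err != nil {
		return nil, err
	}
	byKind := map[string][]obj{}
	for _, o := range objs {
		byKind[str(o["kind"])] = append(byKind[str(o["kind"])], o)
	}
	var findings []string
	fail := func(f string, a ...any) { findings = append(findings, fmt.Sprintf(f, a...)) }
	one := func(kind string) obj { // first object of the kind, or nil; non-Issuer kinds appear once
		if len(byKind[kind]) != 1 {
			fail("expected exactly one %s, found %d", kind, len(byKind[kind]))
		}
		return append(byKind[kind], nil)[0]
	}
	// 1. The Certificate is a CA, is issued by the selfSigned root, and its secret feeds
	//    a second Issuer in the same namespace (the one istio-csr will use).
	cert := one("Certificate")
	if get(cert, "spec", "isCA") != true {
		fail("Certificate spec.isCA must be true")
	}
	secret, certNS := str(get(cert, "spec", "secretName")), str(get(cert, "metadata", "namespace"))
	rootName, rootFound := str(get(cert, "spec", "issuerRef", "name")), false
	var caIssuer obj
	for _, is := range byKind["Issuer"] {
		if str(get(is, "metadata", "name")) == rootName && get(is, "spec", "selfSigned") != nil {
			rootFound = true
		}
		if str(get(is, "spec", "ca", "secretName")) == secret && str(get(is, "metadata", "namespace")) == certNS {
			caIssuer = is
		}
	}
	if !rootFound {
		fail("Certificate issuerRef %q does not name a selfSigned Issuer", rootName)
	}
	if caIssuer == nil {
		fail("no CA Issuer in %s reads secret %q written by the Certificate", certNS, secret)
	}
	// 2. IstioCSR references that CA Issuer and names the namespace it lives in.
	csr := one("IstioCSR")
	ref := get(csr, "spec", "istioCSRConfig", "certManager", "issuerRef")
	if str(get(ref, "kind")) != "Issuer" || str(get(ref, "group")) != "cert-manager.io" ||
		(caIssuer != nil && str(get(ref, "name")) != str(get(caIssuer, "metadata", "name"))) {
		fail("IstioCSR issuerRef %v does not reference the CA Issuer", ref)
	}
	if ns := str(get(csr, "spec", "istioCSRConfig", "istio", "namespace")); ns != certNS {
		fail("IstioCSR istio.namespace %q differs from the CA namespace %q", ns, certNS)
	}
	// 3. Istio sends CSRs to the istio-csr service in the IstioCSR namespace and keeps its
	//    built-in CA server off. The env value is checked as the string "false": an unquoted
	//    YAML false would be parsed as a boolean, which is exactly the drift this catches.
	istio := one("Istio")
	want := fmt.Sprintf("cert-manager-istio-csr.%s.svc:443", str(get(csr, "metadata", "namespace")))
	if got := str(get(istio, "spec", "values", "global", "caAddress")); got != want {
		fail("Istio caAddress %q, expected %q", got, want)
	}
	if v := get(istio, "spec", "values", "pilot", "env", "ENABLE_CA_SERVER"); v != "false" {
		fail("Istio pilot.env.ENABLE_CA_SERVER must be the string \"false\", got %v (%T)", v, v)
	}
	return findings, nil
}
```

Run against the page's manifests the linter reports nothing; moving the IstioCSR object to another namespace without updating caAddress, or dropping the quotes around "false", each produces a single finding naming the field to fix. Any YAML decoder that yields map[string]any (a JSON round-trip of the real files, for instance) can feed the same function.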