Chapter 5. OpenShift Service Mesh and cert-manager
The cert-manager tool provides a unified API to manage X.509 certificates for applications in a Kubernetes environment. You can use cert-manager to integrate with public or private key infrastructures (PKI) and automate certificate renewal.
5.1. About the cert-manager Operator istio-csr agent
The cert-manager Operator for Red Hat OpenShift enhances certificate management for securing workloads and control plane components in Red Hat OpenShift Service Mesh and Istio. It supports issuing, delivering, and renewing certificates used for mutual Transport Layer Security (mTLS) through cert-manager issuers.
By integrating Istio with the istio-csr agent, certificate signing requests from istiod are forwarded to the istio-csr agent and fulfilled by a cert-manager issuer, so both the control plane and mesh workloads receive their certificates from cert-manager.
The cert-manager Operator for Red Hat OpenShift must be installed before you create and install your Istio resource.
5.1.1. Integrating Service Mesh with the cert-manager Operator by using the istio-csr agent
You can integrate the cert-manager Operator with OpenShift Service Mesh by deploying the istio-csr agent and configuring Istio to forward its certificate signing requests to the istio-csr agent, which fulfills them through a cert-manager issuer.
Prerequisites
- You have installed the cert-manager Operator for Red Hat OpenShift version 1.15.1.
- You are logged in to OpenShift Container Platform 4.14 or later.
- You have installed the OpenShift Service Mesh Operator.
- You have an IstioCNI instance running in the cluster.
- You have installed the istioctl command.
Procedure
1. Create the istio-system namespace by running the following command:

   $ oc create namespace istio-system

2. Patch the cert-manager Operator to install the istio-csr agent by running the following command:

   $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator \
     --type='merge' -p \
     '{"spec":{"config":{"env":[{"name":"UNSUPPORTED_ADDON_FEATURES","value":"IstioCSR=true"}]}}}'

3. Create the root certificate authority (CA) issuer by creating an Issuer object for the istio-csr agent:
   a. Create a new project for installing the istio-csr agent by running the following command:

      $ oc new-project istio-csr

   b. Create an Issuer object similar to the following example:

      Note: The selfSigned issuer is intended for demonstration, testing, or proof-of-concept environments. For production deployments, use a secure and trusted CA.

      Example issuer.yaml file

      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: selfsigned
        namespace: istio-system
      spec:
        selfSigned: {}
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: istio-ca
        namespace: istio-system
      spec:
        isCA: true
        duration: 87600h
        secretName: istio-ca
        commonName: istio-ca
        privateKey:
          algorithm: ECDSA
          size: 256
        subject:
          organizations:
            - cluster.local
            - cert-manager
        issuerRef:
          name: selfsigned
          kind: Issuer
          group: cert-manager.io
      ---
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: istio-ca
        namespace: istio-system
      spec:
        ca:
          secretName: istio-ca

   c. Create the objects by running the following command:

      $ oc apply -f issuer.yaml

   d. Wait for the istio-ca certificate to contain the "Ready" status condition by running the following command:

      $ oc wait --for=condition=Ready certificates/istio-ca -n istio-system

4. Create the IstioCSR custom resource:
   a. Create the IstioCSR custom resource similar to the following example:

      Example istioCSR.yaml file

      apiVersion: operator.openshift.io/v1alpha1
      kind: IstioCSR
      metadata:
        name: default
        namespace: istio-csr
      spec:
        istioCSRConfig:
          certManager:
            issuerRef:
              name: istio-ca
              kind: Issuer
              group: cert-manager.io
          istiodTLSConfig:
            trustDomain: cluster.local
          istio:
            namespace: istio-system

   b. Create the istio-csr agent by running the following command:

      $ oc create -f istioCSR.yaml

   c. Verify that the istio-csr deployment is ready by running the following command:

      $ oc get deployment -n istio-csr

5. Install the Istio resource:

   Note: The configuration disables the built-in CA server for Istio and forwards certificate signing requests from istiod to the istio-csr agent. The istio-csr agent obtains certificates for both istiod and mesh workloads from the cert-manager Operator. The istiod TLS certificate that is generated by the istio-csr agent is mounted into the istiod pod at a known location for use.

   a. Create the Istio object similar to the following example:

      Example istio.yaml file

      apiVersion: sailoperator.io/v1
      kind: Istio
      metadata:
        name: default
      spec:
        version: v1.24-latest
        namespace: istio-system
        values:
          global:
            caAddress: cert-manager-istio-csr.istio-csr.svc:443
          pilot:
            env:
              ENABLE_CA_SERVER: "false"

   b. Create the Istio resource by running the following command:

      $ oc apply -f istio.yaml

   c. Verify that the Istio resource displays the "Ready" status condition by running the following command:

      $ oc wait --for=condition=Ready istios/default -n istio-system
5.1.2. Verifying Service Mesh with the cert-manager Operator using the istio-csr agent
You can use the sample httpbin and sleep apps to verify that certificates are distributed correctly and that mTLS communication works between workloads in different namespaces.

Procedure
1. Create the namespaces:
   a. Create the apps-1 namespace by running the following command:

      $ oc new-project apps-1

   b. Create the apps-2 namespace by running the following command:

      $ oc new-project apps-2

2. Add the istio-injection=enabled label on the namespaces:
   a. Add the istio-injection=enabled label on the apps-1 namespace by running the following command:

      $ oc label namespaces apps-1 istio-injection=enabled

   b. Add the istio-injection=enabled label on the apps-2 namespace by running the following command:

      $ oc label namespaces apps-2 istio-injection=enabled

3. Deploy the httpbin app in the namespaces:
   a. Deploy the httpbin app in the apps-1 namespace by running the following command:

      $ oc apply -n apps-1 -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/httpbin/httpbin.yaml

   b. Deploy the httpbin app in the apps-2 namespace by running the following command:

      $ oc apply -n apps-2 -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/httpbin/httpbin.yaml

4. Deploy the sleep app in the namespaces:
   a. Deploy the sleep app in the apps-1 namespace by running the following command:

      $ oc apply -n apps-1 -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/sleep/sleep.yaml

   b. Deploy the sleep app in the apps-2 namespace by running the following command:

      $ oc apply -n apps-2 -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/sleep/sleep.yaml

5. Verify that the created apps have sidecars injected:
   a. Verify that the created apps have sidecars injected in the apps-1 namespace by running the following command:

      $ oc get pods -n apps-1

   b. Verify that the created apps have sidecars injected in the apps-2 namespace by running the following command:

      $ oc get pods -n apps-2

6. Create a mesh-wide strict mutual Transport Layer Security (mTLS) policy similar to the following example:

   Note: Enabling PeerAuthentication in strict mTLS mode verifies that certificates are distributed correctly and that mTLS communication functions between workloads.

   Example peer_auth.yaml file

   apiVersion: security.istio.io/v1beta1
   kind: PeerAuthentication
   metadata:
     name: default
     namespace: istio-system
   spec:
     mtls:
       mode: STRICT

7. Apply the mTLS policy by running the following command:

   $ oc apply -f peer_auth.yaml

8. Verify that the apps-1/sleep app can access the apps-2/httpbin service by running the following command:

   $ oc -n apps-1 exec "$(oc -n apps-1 get pod \
       -l app=sleep -o jsonpath={.items..metadata.name})" \
       -c sleep -- curl -sIL http://httpbin.apps-2.svc.cluster.local:8000

   Example output

   HTTP/1.1 200 OK
   access-control-allow-credentials: true
   access-control-allow-origin: *
   content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' camo.githubusercontent.com
   content-type: text/html; charset=utf-8
   date: Wed, 18 Jun 2025 09:20:55 GMT
   x-envoy-upstream-service-time: 14
   server: envoy
   transfer-encoding: chunked

9. Verify that the apps-2/sleep app can access the apps-1/httpbin service by running the following command:

   $ oc -n apps-2 exec "$(oc -n apps-2 get pod \
       -l app=sleep -o jsonpath={.items..metadata.name})" \
       -c sleep -- curl -sIL http://httpbin.apps-1.svc.cluster.local:8000

   Example output

   HTTP/1.1 200 OK
   access-control-allow-credentials: true
   access-control-allow-origin: *
   content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' camo.githubusercontent.com
   content-type: text/html; charset=utf-8
   date: Wed, 18 Jun 2025 09:21:23 GMT
   x-envoy-upstream-service-time: 16
   server: envoy
   transfer-encoding: chunked

10. Verify that the httpbin workload certificate matches as expected by running the following command:

   $ istioctl proxy-config secret -n apps-1 \
       $(oc get pods -n apps-1 -o jsonpath='{.items..metadata.name}' --selector app=httpbin) \
       -o json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' \
       | base64 --decode | openssl x509 -text -noout

   Example output

   ...
   Issuer: O = cert-manager + O = cluster.local, CN = istio-ca
   ...
   X509v3 Subject Alternative Name:
       URI:spiffe://cluster.local/ns/apps-1/sa/httpbin
5.1.3. Uninstalling Service Mesh with the cert-manager Operator by using the istio-csr agent
You can uninstall the cert-manager Operator with OpenShift Service Mesh by completing the following procedure. Before you remove the following resources, verify that no Red Hat OpenShift Service Mesh or Istio components reference the Istio-CSR agent.

Procedure
1. Remove the IstioCSR custom resource by running the following command:

   $ oc -n <istio_csr_project_name> delete istiocsrs.operator.openshift.io default

2. Remove the related resources:
   a. List the cluster-scoped resources by running the following command:

      $ oc get clusterrolebindings,clusterroles -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr"

      Save the names of the listed resources for later reference.

   b. List the resources in the namespace where the istio-csr agent is deployed by running the following command:

      $ oc get certificate,deployments,services,serviceaccounts -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr" -n <istio_csr_project_name>

      Save the names of the listed resources for later reference.

   c. List the resources in the namespaces where Red Hat OpenShift Service Mesh or Istio is deployed by running the following command:

      $ oc get roles,rolebindings \
          -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr" \
          -n <istio_csr_project_name>

      Save the names of the listed resources for later reference.

   d. For each resource listed in the previous steps, delete the resource by running the following command:

      $ oc -n <istio_csr_project_name> delete <resource_type>/<resource_name>