Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 4. OpenShift Service Mesh and cert-manager

The cert-manager tool is a solution for X.509 certificate management on Kubernetes. It delivers a unified API to integrate applications with private or public key infrastructure (PKI), such as Vault, Google Cloud Certificate Authority Service, Let’s Encrypt, and other providers.

Important

The cert-manager tool must be installed before you create and install your Istio resource.

The cert-manager tool ensures the certificates are valid and up-to-date by attempting to renew certificates at a configured time before they expire.

4.1. About integrating Service Mesh with cert-manager and istio-csr
Copiar enlace

The cert-manager tool provides integration with Istio through an external agent called istio-csr. The istio-csr agent handles certificate signing requests (CSR) from Istio proxies and the controlplane in the following ways:

  1. Verifying the identity of the workload.
  2. Creating a CSR through cert-manager for the workload.

The cert-manager tool then creates a CSR to the configured CA Issuer, which signs the certificate.

Note

Red Hat provides support for integrating with istio-csr and cert-manager. Red Hat does not provide direct support for the istio-csr or the community cert-manager components. The use of community cert-manager shown here is for demonstration purposes only.

Prerequisites

  • One of these versions of cert-manager:

    • Red Hat cert-manager Operator 1.10 or later
    • community cert-manager Operator 1.11 or later
    • cert-manager 1.11 or later
  • Red Hat OpenShift Service Mesh 3.0 or later
  • An IstioCNI instance is running in the cluster
  • Istio CLI (istioctl) tool is installed
  • jq is installed
  • Helm is installed

4.2. Installing cert-manager
Copiar enlace

You can integrate cert-manager with OpenShift Service Mesh by deploying istio-csr and then creating an Istio resource that uses the istio-csr agent to process workload and control plane certificate signing requests. This example creates a self-signed Issuer, but any other Issuer can be used instead.

Important

You must install cert-manager before installing your Istio resource.

Procedure

  1. Create the istio-system namespace by running the following command: 

    $ oc create namespace istio-system
    Copy to Clipboard Toggle word wrap

  2. Create the root issuer by creating an Issuer object in a YAML file.

    1. Create an Issuer object similar to the following example:

      Example issuer.yaml file

      apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: istio-system
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
    name: istio-ca
    namespace: istio-system
spec:
  isCA: true
  duration: 87600h # 10 years
  secretName: istio-ca
  commonName: istio-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  subject:
    organizations:
      - cluster.local
      - cert-manager
  issuerRef:
    name: selfsigned
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: istio-ca
  namespace: istio-system
spec:
  ca:
    secretName: istio-ca
---
      Copy to Clipboard Toggle word wrap

    2. Create the objects by running the following command: 

      $ oc apply -f issuer.yaml
      Copy to Clipboard Toggle word wrap

    3. Wait for the istio-ca certificate to contain the "Ready" status condition by running the following command: 

      $ oc wait --for=condition=Ready certificates/istio-ca -n istio-system
      Copy to Clipboard Toggle word wrap

  3. Copy the istio-ca certificate to the cert-manager namespace so it can be used by istio-csr:

    1. Copy the secret to a local file by running the following command: 

      $ oc get -n istio-system secret istio-ca -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.pem
      Copy to Clipboard Toggle word wrap

    2. Create a secret from the local certificate file in the cert-manager namespace by running the following command: 

      $ oc create secret generic -n cert-manager istio-root-ca --from-file=ca.pem=ca.pem
      Copy to Clipboard Toggle word wrap

Next steps

To install istio-csr, you must follow the istio-csr installation instructions for the type of update strategy you want. By default, spec.updateStrategy is set to InPlace when you create and install your Istio resource. You create and install your Istio resource after you install istio-csr.

Istio resources use the in place update strategy by default. Follow this procedure if you plan to leave spec.updateStrategy as InPlace when you create and install your Istio resource.

Procedure

  1. Add the Jetstack charts repository to your local Helm repository by running the following command: 

    $ helm repo add jetstack https://charts.jetstack.io --force-update
    Copy to Clipboard Toggle word wrap

  2. Install the istio-csr chart by running the following command: 

    $ helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
    --install \
    --namespace cert-manager \
    --wait \
    --set "app.tls.rootCAFile=/var/run/secrets/istio-csr/ca.pem" \
    --set "volumeMounts[0].name=root-ca" \
    --set "volumeMounts[0].mountPath=/var/run/secrets/istio-csr" \
    --set "volumes[0].name=root-ca" \
    --set "volumes[0].secret.secretName=istio-root-ca" \
    --set "app.istio.namespace=istio-system"
    Copy to Clipboard Toggle word wrap

Next steps

Istio resources use the in place update strategy by default. Follow this procedure if you plan to change spec.updateStrategy to RevisionBased when you create and install your Istio resource.

Procedure

  1. Specify all the Istio revisions to your istio-csr deployment. See "istio-csr deployment".

  2. Add the Jetstack charts to your local Helm repository by running the following command: 

    $ helm repo add jetstack https://charts.jetstack.io --force-update
    Copy to Clipboard Toggle word wrap

  3. Install the istio-csr chart with your revision name by running the following command: 

    $ helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
    --install \
    --namespace cert-manager \
    --wait \
    --set "app.tls.rootCAFile=/var/run/secrets/istio-csr/ca.pem" \
    --set "volumeMounts[0].name=root-ca" \
    --set "volumeMounts[0].mountPath=/var/run/secrets/istio-csr" \
    --set "volumes[0].name=root-ca" \
    --set "volumes[0].secret.secretName=istio-root-ca" \
    --set "app.istio.namespace=istio-system" \
    --set "app.istio.revisions={default-v1-24-3}"
    Copy to Clipboard Toggle word wrap
    Note

    Revision names use the following format, <istio-name>-v<major_version>-<minor_version>-<patch_version>. For example: default-v1-24-3.

Additional resources

Next steps

4.2.3. Installing your Istio resource
Copiar enlace

After you have installed istio-csr by following the procedure for either an in place or revision based update strategy, you can install the Istio resource.

You need to disable Istio’s built in CA server and tell istiod to use the istio-csr CA server. The istio-csr CA server issues certificates for both istiod and user workloads.

Procedure

  1. Create the Istio object as shown in the following example:

    Example istio.yaml object

    apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  version: v1.24.3
  namespace: istio-system
  values:
    global:
      caAddress: cert-manager-istio-csr.cert-manager.svc:443
    pilot:
      env:
        ENABLE_CA_SERVER: "false"
    Copy to Clipboard Toggle word wrap

    Note

    If you installed your CSR agent with a revision based update strategy, then you need to add the following to your Istio object YAML: 

    kind: Istio
metadata:
  name: default
spec:
  updateStrategy:
    type: RevisionBased
    Copy to Clipboard Toggle word wrap

  2. Create the Istio resource by running the following command: 

    $ oc apply -f istio.yaml
    Copy to Clipboard Toggle word wrap

  3. Wait for the Istio object to become ready by running the following command: 

    $ oc wait --for=condition=Ready istios/default -n istio-system
    Copy to Clipboard Toggle word wrap

4.2.4. Verifying cert-manager installation
Copiar enlace

You can use the sample httpbin service and sleep application to check communication between the workloads. You can also check the workload certificate of the proxy to verify that the cert-manager tool is installed correctly.

Procedure

  1. Create the sample namespace by running the following command: 

    $ oc new-project sample
    Copy to Clipboard Toggle word wrap

  2. Find your active Istio revision by running the following command: 

    $ oc get istios default -o jsonpath='{.status.activeRevisionName}'
    Copy to Clipboard Toggle word wrap

  3. Add the injection label for your active revision to the sample namespace by running the following command: 

    $ oc label namespace sample istio.io/rev=<your-active-revision-name> --overwrite=true
    Copy to Clipboard Toggle word wrap

  4. Deploy the sample httpbin service by running the following command: 

    $ oc apply -n sample -f https://raw.githubusercontent.com/openshift-service-mesh/istio/refs/heads/master/samples/httpbin/httpbin.yaml
    Copy to Clipboard Toggle word wrap

  5. Deploy the sample sleep application by running the following command: 

    $ oc apply -n sample -f https://raw.githubusercontent.com/openshift-service-mesh/istio/refs/heads/master/samples/sleep/sleep.yaml
    Copy to Clipboard Toggle word wrap

  6. Wait for both applications to become ready by running the following command: 

    $ oc rollout status -n sample deployment httpbin sleep
    Copy to Clipboard Toggle word wrap

  7. Verify that sleep application can access the httpbin service by running the following command: 

    $ oc exec "$(oc get pod -l app=sleep -n sample \
     -o jsonpath={.items..metadata.name})" -c sleep -n sample -- \
     curl http://httpbin.sample:8000/ip -s -o /dev/null \
     -w "%{http_code}\n"
    Copy to Clipboard Toggle word wrap

    Example of a successful output

    200
    Copy to Clipboard Toggle word wrap

  8. Run the following command to print the workload certificate for the httpbin service and verify the output: 

    $ istioctl proxy-config secret -n sample $(oc get pods -n sample -o jsonpath='{.items..metadata.name}' --selector app=httpbin) -o json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode | openssl x509 -text -noout
    Copy to Clipboard Toggle word wrap

    Example output

    ...
Issuer: O = cert-manager + O = cluster.local, CN = istio-ca
...
X509v3 Subject Alternative Name:
  URI:spiffe://cluster.local/ns/sample/sa/httpbin
    Copy to Clipboard Toggle word wrap

4.3. Updating istio-csr agents with revision-based update strategies
Copiar enlace

If you deployed your Istio resource using the revision based update strategy, you must pass all revisions each time you update your control plane. You must perform the update in the following order:

  1. Update the istio-csr deployment with the new revision.
  2. Update the value of Istio.spec.version parameter/field.

Example update for RevisionBased control plane

In this example, the controlplane is being updated from v1.24.0 to 1.24.1.

  1. Update the istio-csr deployment with the new revision by running the following command: 

    $ helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
--wait \
  --reuse-values \
  --set "app.istio.revisions={<old_revision>,<new_revision>}"
    Copy to Clipboard Toggle word wrap

    where:

    old_revision
    Specifies the old revision in the <istio-name>-v<major_version>-<minor_version>-<patch_version> format. For example: default-v1-24-0.
    new_revision
    Specifies the new revision in the <istio-name>-v<major_version>-<minor_version>-<patch_version> format. For example: default-v1-24-1.

  2. Update the istio.spec.version in the Istio object similar to the following example:

    Example istio.yaml file

    apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  version: <new_revision>
    1
    Copy to Clipboard Toggle word wrap

    1
    Update to the new revision prefixed with the letter v, such as v1.24.1

  3. Remove the old revision from your istio-csr deployment by running the following command: 

    helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
  --install \
  --namespace cert-manager \
  --wait \
  --reuse-values \
  --set "app.istio.revisions={default-v1-24-1}"
    Copy to Clipboard Toggle word wrap
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat