Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

Chapter 5. OpenShift Service Mesh and cert-manager

The cert-manager tool provides a unified API to manage X.509 certificates for applications in a Kubernetes environment. You can use cert-manager to integrate with public or private key infrastructures (PKI) and automate certificate renewal.

5.1. About the cert-manager Operator istio-csr agent
复制链接

The cert-manager Operator for Red Hat OpenShift enhances certificate management for securing workloads and control plane components in Red Hat OpenShift Service Mesh and Istio. It supports issuing, delivering, and renewing certificates used for mutual Transport Layer Security (mTLS) through cert-manager issuers.

By integrating Istio with the istio-csr agent, which the cert-manager Operator manages, you enable Istio to request and manage the certificates directly. The integration simplifies security configuration and centralizes certificate management within the cluster.

Note

You must install the cert-manager Operator for Red Hat OpenShift before you create and install your Istio resource.

Integrate the cert-manager Operator with OpenShift Service Mesh by deploying the istio-csr agent and configuring an Istio resource to process certificate signing requests for workloads and the control plane.

Prerequisites

  • You have installed the cert-manager Operator for Red Hat OpenShift version 1.15.1.
  • You have logged in to OpenShift Container Platform 4.14 or later.
  • You have installed the OpenShift Service Mesh Operator.
  • You have a IstioCNI instance running in the cluster.
  • You have installed the istioctl command.

Procedure

  1. Create the istio-system namespace by running the following command: 

    $ oc create namespace istio-system

  2. Patch the cert-manager Operator to install the istio-csr agent by running the following command: 

    $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator \
  --type='merge' -p \
  '{"spec":{"config":{"env":[{"name":"UNSUPPORTED_ADDON_FEATURES","value":"IstioCSR=true"}]}}}'

  3. Create the root certificate authority (CA) issuer by creating an Issuer object for the istio-csr agent:

    1. Create a new project for installing the istio-csr agent by running the following command: 

      $ oc new-project istio-csr

    2. Create an Issuer object similar to the following example:

      Note

      The selfSigned issuer serves demonstration purposes, testing, or proof-of-concept environments. For production deployments, use a secure and trusted CA. 

      apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: istio-system
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: istio-ca
  namespace: istio-system
spec:
  isCA: true
  duration: 87600h
  secretName: istio-ca
  commonName: istio-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  subject:
    organizations:
      - cluster.local
      - cert-manager
  issuerRef:
    name: selfsigned
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: istio-ca
  namespace: istio-system
spec:
  ca:
    secretName: istio-ca

    3. Create the objects by running the following command: 

      $ oc apply -f issuer.yaml

    4. Wait for the istio-ca certificate to contain the "Ready" status condition by running the following command: 

      $ oc wait --for=condition=Ready certificates/istio-ca -n istio-system

  4. Create the IstioCSR custom resource:

    1. Create the IstioCSR custom resource similar to the following example: 

      apiVersion: operator.openshift.io/v1alpha1
kind: IstioCSR
metadata:
  name: default
  namespace: istio-csr
spec:
  istioCSRConfig:
    certManager:
      issuerRef:
        name: istio-ca
        kind: Issuer
        group: cert-manager.io
    istiodTLSConfig:
      trustDomain: cluster.local
    istio:
      namespace: istio-system

    2. Create the istio-csr agent by running the following command: 

      $ oc create -f istioCSR.yaml

    3. Verify that the istio-csr deployment is ready by running the following command: 

      $ oc get deployment -n istio-csr

  5. Install the istio resource:

    Note

    The configuration disables the built-in CA server for Istio and forwards certificate signing requests from istiod to the istio-csr agent. The istio-csr agent obtains certificates for both istiod and mesh workloads from the cert-manager Operator. The istio-csr agent generates the istiod TLS certificate, and the system mounts it into the pod at a known location.

    1. Create the Istio object similar to the following example: 

      apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  version: v1.24-latest
  namespace: istio-system
  values:
    global:
      caAddress: cert-manager-istio-csr.istio-csr.svc:443
    pilot:
      env:
        ENABLE_CA_SERVER: "false"

    2. Create the Istio resource by running the following command: 

      $ oc apply -f istio.yaml

    3. Verify that the istio resource displays the "Ready" status condition by running the following command: 

      $ oc wait --for=condition=Ready istios/default -n istio-system

You can use the sample httpbin service and sleep application to verify traffic between workloads. Check the workload proxy certificate to verify a successful cert-manager Operator installation.

  1. Create the followingnamespaces:

    1. Create the apps-1 namespace by running the following command: 

      $ oc new-project apps-1

    2. Create the apps-2 namespace by running the following command: 

      $ oc new-project apps-2

  2. Add the istio-injection=enabled label on the namespaces:

    1. Add the istio-injection=enabled label on the apps-1 namespace by running the following command: 

      $ oc label namespaces apps-1 istio-injection=enabled

    2. Add the istio-injection=enabled label on the apps-2 namespace by running the following command: 

      $ oc label namespaces apps-2 istio-injection=enabled

  3. Deploy the httpbin app in the namespaces:

    1. Deploy the httpbin app in the apps-1 namespace by running the following command: 

      $ oc apply -n apps-1 -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/httpbin/httpbin.yaml

    2. Deploy the httpbin app in the apps-2 namespace by running the following command: 

      $ oc apply -n apps-2 -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/httpbin/httpbin.yaml

  4. Deploy the sleep app in the namespaces:

    1. Deploy the sleep app in the apps-1 namespace by running the following command: 

      $ oc apply -n apps-1 -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/sleep/sleep.yaml

    2. Deploy the sleep app in the apps-2 namespace by running the following command: 

      $ oc apply -n apps-2 -f https://raw.githubusercontent.com/openshift-service-mesh/istio/release-1.24/samples/sleep/sleep.yaml

  5. Verify that the created apps have sidecars injected:

    1. Verify that the created apps have sidecars injected for apps-1 namespace by running the following command: 

      $ oc get pods -n apps-1

    2. Verify that the created apps have sidecars injected for apps-2 namespace by running the following command: 

      $ oc get pods -n apps-2

  6. Create a mesh-wide strict mutual Transport Layer Security (mTLS) policy similar to the following example:

    Note

    Enabling PeerAuthentication in strict mTLS mode verifies correct certificate distribution and functional mTLS communication between workloads. 

    apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

  7. Apply the mTLS policy by running the following command: 

    $ oc apply -f peer_auth.yaml

  8. Verify that the apps-1/sleep app can access the apps-2/httpbin service by running the following command: 

    $ oc -n apps-1 exec "$(oc -n apps-1 get pod \
  -l app=sleep -o jsonpath={.items..metadata.name})" \
  -c sleep -- curl -sIL http://httpbin.apps-2.svc.cluster.local:8000

    You will get an output similar to the following example: 

    HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: *
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' camo.githubusercontent.com
content-type: text/html; charset=utf-8
date: Wed, 18 Jun 2025 09:20:55 GMT
x-envoy-upstream-service-time: 14
server: envoy
transfer-encoding: chunked

  9. Verify that the apps-2/sleep app can access the apps-1/httpbin service by running the following command: 

    $ oc -n apps-2 exec "$(oc -n apps-1 get pod \
  -l app=sleep -o jsonpath={.items..metadata.name})" \
  -c sleep -- curl -sIL http://httpbin.apps-2.svc.cluster.local:8000

    You will get an output similar to the following example: 

    HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: *
content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' camo.githubusercontent.com
content-type: text/html; charset=utf-8
date: Wed, 18 Jun 2025 09:21:23 GMT
x-envoy-upstream-service-time: 16
server: envoy
transfer-encoding: chunked

  10. Verify that the httpbin workload certificate matches as expected by running the following command: 

    $ istioctl proxy-config secret -n apps-1 \
  $(oc get pods -n apps-1 -o jsonpath='{.items..metadata.name}' --selector app=httpbin) \
  -o json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' \
  | base64 --decode | openssl x509 -text -noout

    You will get an output similar to the following example: 

    ...
Issuer: O = cert-manager + O = cluster.local, CN = istio-ca
...
X509v3 Subject Alternative Name:
URI:spiffe://cluster.local/ns/apps-1/sa/httpbin

Uninstall the cert-manager Operator and the istio-csr agent from OpenShift Service Mesh after verifying that no mesh components depend on the agent or its issued certificates to avoid service disruption.

Procedure

  1. Remove the IstioCSR custom resource by running the following command: 

    $ oc -n <istio-csr_project_name> delete istiocsrs.operator.openshift.io default

  2. Remove the related resources:

    1. List the cluster scoped-resources by running the following command: 

      $ oc get clusterrolebindings,clusterroles -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr"

      Save the names of the listed resources for later reference.

    2. List the resources in istio-csr agent deployed namespace by running the following command: 

      $ oc get certificate,deployments,services,serviceaccounts -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr" -n <istio_csr_project_name>

      Save the names of the listed resources for later reference.

    3. List the resources in Red Hat OpenShift Service Mesh or Istio deployed namespaces by running the following command: 

      $ oc get roles,rolebindings \
  -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr" \
  -n <istio_csr_project_name>

      Save the names of the listed resources for later reference.

    4. For each resource listed in previous steps, delete the resources by running the following command: 

      $ oc -n <istio_csr_project_name> delete <resource_type>/<resource_name>
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2026 Red Hat返回顶部