istio-csr

istio-csr is an agent that allows for Istio workload and control plane components to be secured using cert-manager.

Certificates facilitating mTLS — both inter and intra-cluster — will be signed, delivered and renewed using cert-manager issuers.

istio-csr supports Istio v1.10+ and cert-manager v1.3+


Documentation

Please follow the documentation at cert-manager.io for installing and using istio-csr.

Release Process

The release process is documented in RELEASE.md.

Inner workings

istio-csr has 3 main components: the TLS certificate obtainer, the gRPC server and the CA bundle distributor.

  1. The TLS certificate obtainer is responsible for obtaining the TLS certificate for the gRPC server. It uses the cert-manager API to create a CertificateRequest resource, which will be picked up by cert-manager and signed by the configured issuer.
  2. The gRPC server is responsible for receiving certificate signing requests from istiod and sending back the signed certificate. To do so, it uses the cert-manager CertificateRequest API to obtain the signed certificate.
  3. The CA bundle distributor is responsible for creating and updating istio-ca-root-cert ConfigMaps in all namespaces (filtered using namespaceSelector).

Istio Ambient

When istio-csr is being deployed into Istio Ambient, the --ca-trusted-node-accounts flag must be set with the <namespace>/<service-account-name> of ztunnel, e.g. istio-system/ztunnel. This allows ztunnel to authenticate using its own identity, then request certificates for the identity it will impersonate. For more information on how ztunnel handles certificates, see the Istio Ambient docs.
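The following is an added illustration of the authorization decision the flag enables, not istio-csr's own implementation: it parses `<namespace>/<service-account-name>` entries (assumed comma-separated), maps the caller's Istio SPIFFE identity (`spiffe://<trust-domain>/ns/<ns>/sa/<sa>`) to that form, and lets only a trusted node account such as `istio-system/ztunnel` request a certificate for an identity other than its own. It assumes membership in the trusted set is the only condition and does not scope requests to a node.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseTrustedNodeAccounts turns the --ca-trusted-node-accounts value (assumed
// comma-separated "<namespace>/<service-account-name>" entries) into a set.
func ParseTrustedNodeAccounts(flag string) (map[string]bool, error) {
	out := map[string]bool{}
	for _, entry := range strings.Split(flag, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		parts := strings.Split(entry, "/")
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("bad entry %q: want <namespace>/<service-account-name>", entry)
		}
		out[entry] = true
	}
	return out, nil
}

// NamespaceSA maps an Istio identity spiffe://<trust-domain>/ns/<ns>/sa/<sa>
// to the "<ns>/<sa>" form used by the flag.
func NamespaceSA(id string) (string, error) {
	rest := strings.TrimPrefix(id, "spiffe://")
	parts := strings.Split(rest, "/") // [trust-domain ns <ns> sa <sa>]
	if rest == id || len(parts) != 5 || parts[0] == "" || parts[1] != "ns" || parts[3] != "sa" || parts[2] == "" || parts[4] == "" {
		return "", fmt.Errorf("not an Istio SPIFFE identity: %q", id)
	}
	return parts[2] + "/" + parts[4], nil
}

// Authorize allows any workload to request its own identity, and only the
// trusted node accounts (ztunnel) to request another identity. Assumption for
// this example: membership alone is checked, with no scoping to a node.
func Authorize(trusted map[string]bool, caller, requested string) error {
	if caller == requested {
		return nil
	}
	if nsSA, err := NamespaceSA(caller); err != nil || !trusted[nsSA] {
		return fmt.Errorf("%s may not request a certificate for %s", caller, requested)
	}
	return nil
}
```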