
Vault

Securing service-to-service communication is one of the most important aspects of any system built on microservices. Enabling mutual TLS authentication in the service mesh strengthens the security posture and helps organizations satisfy compliance requirements, and anchoring the mesh's workload certificates in an existing PKI (rather than in istiod's built-in self-signed CA) keeps certificate issuance under the same controls as the rest of the organization's keys.

In this section, we will set up HashiCorp Vault as an external certificate authority for the service mesh, so that workload identities used for authentication and authorization are signed by Vault's intermediate CA.

Prerequisites and Assumptions:

  • Vault is set up and the PKI secrets engine is enabled.
  • An intermediate CA is configured on a PKI mount, with a role the issuer can sign against (the configuration below uses the sign endpoint pki_int/sign/cluster-dot-local). The role must permit the SPIFFE URI SANs that Istio workloads request (identities of the form spiffe://cluster.local/ns/<namespace>/sa/<service-account>), and the AppRole's policy must grant create/update on that sign path.
  • Gather the AppRole role ID, the AppRole secret ID and the Vault address. The secret ID is a live credential: handle it as such and do not commit it to source control.
  • You have provisioned or imported a cluster using controller

Setup instructions:

You will need to create 4 add-ons and 2 namespaces to integrate Vault with the service mesh. The 2 namespaces are istio-system and cert-manager.

Add-ons:

  • cert-manager - a popular native Kubernetes certificate management controller
  • secret - a Kubernetes Secret holding the AppRole secret ID
  • vault-issuer - a cert-manager Issuer that signs requests through Vault
  • cert-manager-istio-csr - the agent that lets Istio obtain workload certificates from cert-manager

Creating Namespaces

  • Login into the Web Console and navigate to your Project as an Org Admin or Infrastructure Admin
  • Under "Infrastructure", select "Namespaces" and create two new namespaces, named cert-manager and istio-system

Creating Add-ons

  • Login into the Web Console and navigate to your Project as an Org Admin or Infrastructure Admin
  • Under "Infrastructure" click "Add-ons" and click on "New Add-on"
  • Input name, select an appropriate type and namespace you want the add-on to be installed in
  • Click CREATE to go to the next step
  • Select "New Version" and give it a version name
  • Upload the Helm chart/K8s Yaml file.
  • Click "SAVE CHANGES"

Install Add-ons

cert-manager

Cert-manager is a popular native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault etc. Cert-manager will ensure that certificates are valid and up to date, and attempt to renew certificates at a configured time before they expire.

To create cert-manager add-on follow the below steps:

Step 1: Download Helm Chart

Use your Helm client to download the release of the cert-manager Helm chart (cert-manager-x.y.z.tgz) to your machine. In this recipe, we use cert-manager v1.2.0, so pin that version rather than fetching whatever is latest.

  • Add cert-manager's repo to your Helm CLI
helm repo add jetstack https://charts.jetstack.io
helm repo update
  • Now, fetch the v1.2.0 chart from this repo (helm fetch is an alias of helm pull).
helm fetch jetstack/cert-manager --version v1.2.0

Step 2: Customize Values

In this step, we will be creating a custom "cert-manager-values.yaml" file that overrides the chart's values.yaml so that the CRDs (Certificate, Issuer, CertificateRequest and so on) get installed with the chart. Without them the vault-issuer and istio-csr add-ons below cannot be applied.

installCRDs: true

Step 3: Create Addon

Create an add-on named "cert-manager" using the "cert-manager-v1.2.0.tgz" Helm chart and the values file from the previous step:

  • Login into the Web Console and navigate to your Project as an Org Admin or Infrastructure Admin
  • Select "Add-ons" and "Create" a new add-on called "cert-manager"
  • Ensure that you select "Helm 3" for type and select the namespace as "cert-manager"
  • Click CREATE to go to the next step
  • Select "New Version" and give it a name called "v1.2.0"
  • Upload the Helm chart "cert-manager-v1.2.0.tgz" and "cert-manager-values.yaml" file from previous step.
  • Click "SAVE CHANGES"


Create a secret

Create a Kubernetes Secret as an add-on. Copy the text below into a file, insert the base64-encoded APP_ROLE_SECRET_ID from the prerequisites and save it as "approle-secret.yaml". Encode the value without a trailing newline (for example printf '%s' "$SECRET_ID" | base64, not echo, which appends one); a newline inside the decoded secret ID makes the AppRole login fail. Base64 is an encoding, not encryption, so this file contains the credential in the clear and must be handled accordingly.

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: cert-manager-vault-approle
  namespace: istio-system
data:
  secretId: <APP_ROLE_SECRET_ID> # base64-encoded AppRole secret ID, no trailing newline
  • Create a "K8s Yaml" type add-on named "istio-secret-id" in "istio-system" namespace using the "approle-secret.yaml".

Install vault issuer

  • Copy the configuration below into an editor
  • Insert the plain-text ROLE_ID and the VAULT_ADDR from the prerequisites. Use an https URL: the Issuer sends the AppRole credentials to this address, and plaintext http would expose them on the network. If the cluster does not trust Vault's TLS certificate, add spec.vault.caBundle with the base64-encoded PEM of Vault's CA.
  • Save as "vault-issuer.yaml"
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: istio-system
spec:
  vault:
    path: pki_int/sign/cluster-dot-local
    server: https://<VAULT_ADDR> # insert Vault URL (note the space after the colon)
    auth:
      appRole:
        path: approle
        roleId: <ROLE_ID> # plain text, NOT base64 encoded
        secretRef:
          name: cert-manager-vault-approle
          key: secretId

Create a "K8s Yaml" type add-on named "vault-issuer" in the "istio-system" namespace using "vault-issuer.yaml". The Issuer is namespaced, so it must live in the same namespace as the Secret it references and in the namespace where istio-csr creates its CertificateRequests (app.certmanager.namespace in the istio-csr values, which defaults to istio-system).

Install istio-csr

Download cert-manager-istio-csr helm chart using:

helm fetch jetstack/cert-manager-istio-csr

Customize the following in the chart's values.yaml file:

  • Set app.certmanager.issuer.name to vault-issuer (the Issuer created in the previous step); leave app.certmanager.issuer.kind as Issuer and app.certmanager.issuer.group as cert-manager.io
  • Set app.certmanager.preserveCertificateRequests to true, so the CertificateRequests remain in istio-system and can be inspected to confirm which issuer signed them
  • Change app.istio.revisions to ["default","1-15-0"], keeping "default" and adding the revision label of the Istio control plane the profile installs

Create a "Helm 3" type add-on named "cert-manager-istio-csr" in "cert-manager" namespace with the above helm chart tgz file.
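The three hand-written inputs above (the AppRole Secret, the vault-issuer Issuer and the istio-csr values override) are easy to get subtly wrong: a trailing newline in the base64-encoded secret ID, a plaintext http:// Vault URL, or a values key nested at the wrong level. The script below is an added example, not part of this page or of the controller's tooling. It renders the three files from environment variables using the names, namespaces and Vault path from this page, and checks that the encoded secret ID decodes back to the input before writing anything. The output file names, the environment variable names and the https assumption are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): render the AppRole Secret, the
# Vault Issuer and the istio-csr values override from environment variables.
# Assumes POSIX sh and base64(1). Names/namespaces/paths are those of the page;
# file names and variable names are this example's assumptions.
set -eu

# base64 without the trailing newline that `echo` would add to the input.
# A newline inside the decoded secret ID makes Vault reject the AppRole login.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# approle-secret.yaml: the AppRole secret ID the Issuer references. $1 = secret ID
render_approle_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: cert-manager-vault-approle
  namespace: istio-system
data:
  secretId: $(b64 "$1")
EOF
}

# vault-issuer.yaml: $1 = plain-text role ID, $2 = Vault host[:port]; always https
render_vault_issuer() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: istio-system
spec:
  vault:
    path: pki_int/sign/cluster-dot-local
    server: https://$2
    auth:
      appRole:
        path: approle
        roleId: $1
        secretRef:
          name: cert-manager-vault-approle
          key: secretId
EOF
}

# istio-csr values override: only the keys this page changes, at their real nesting
render_istio_csr_values() {
  cat <<'EOF'
app:
  certmanager:
    namespace: istio-system          # must match the Issuer's namespace
    preserveCertificateRequests: true
    issuer:
      name: vault-issuer
      kind: Issuer
      group: cert-manager.io
  istio:
    revisions: ["default", "1-15-0"]
EOF
}

# Decode what was rendered and compare with the input: catches the newline bug.
secret_roundtrip_ok() {
  enc=$(render_approle_secret "$1" | sed -n 's/^  secretId: //p')
  [ "$(printf '%s' "$enc" | base64 -d)" = "$1" ]
}

# Usage: VAULT_ROLE_ID=... VAULT_SECRET_ID=... VAULT_ADDR=vault.example.com:8200 sh render.sh
if [ -n "${VAULT_SECRET_ID:-}" ]; then
  secret_roundtrip_ok "$VAULT_SECRET_ID" || { echo "base64 round-trip failed" >&2; exit 1; }
  render_approle_secret "$VAULT_SECRET_ID" > approle-secret.yaml
  render_vault_issuer "${VAULT_ROLE_ID:?}" "${VAULT_ADDR:?}" > vault-issuer.yaml
  render_istio_csr_values > istio-csr-values.yaml
  echo "wrote approle-secret.yaml vault-issuer.yaml istio-csr-values.yaml"
fi
```

Upload approle-secret.yaml and vault-issuer.yaml as the two "K8s Yaml" add-ons and istio-csr-values.yaml as the values file of the cert-manager-istio-csr Helm add-on. The script does nothing when VAULT_SECRET_ID is unset, so sourcing it only defines the functions.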

Install Istio

To install Istio with vault integration you need to create an "Installation Profile" with "Cert-Manager" enabled.

  • Navigate to "Project" - "Service Mesh" - "Installation Profiles"
  • Click "New Profile" and name it "vault-profile"
  • Give an appropriate version name and select "CertManager" from "Certificate Type"
  • Select "Enable Sidecar Injection Globally"
  • Click "Save & Exit"

Service Mesh will pick up the cert-manager installed in the previous steps automatically and enable sidecar injection to all the new resources in the cluster where this profile is deployed.

Important

Sidecar injection to existing pods will only take place when pods are restarted.

Update and Sync The Blueprint

  • Navigate to "Project" - "Infrastructure" - "Blueprints"
  • Create a new blueprint named "vault-blueprint"
  • Give an appropriate version name
  • Enable "Service Mesh" and select "vault-profile" and latest version
  • Add the following add-ons, with dependencies so they are applied in order: cert-manager; istio-secret-id; vault-issuer, depending on cert-manager (which installs the Issuer CRD) and on istio-secret-id (the Secret it references); cert-manager-istio-csr, depending on cert-manager


  • Go to "Infrastructure" - "Cluster".
  • Select the cluster on which Vault-issued certificates should be enabled and update its blueprint to "vault-blueprint"

Verify that certificates are issued by Vault

Deploy a workload in a new namespace (a new pod, so that the sidecar is injected).

Describe the pod (kubectl describe pod <pod> -n <namespace>) and inspect the environment of the istio-proxy container. You should see CA_ADDR set as below, indicating that the sidecar requests its workload certificate from istio-csr, and therefore from cert-manager and Vault, rather than from istiod's built-in CA.

CA_ADDR:                       cert-manager-istio-csr.cert-manager.svc:443
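As an added check that goes one step beyond the CA_ADDR test above (example code, not part of the original page), the script below first parses kubectl describe pod output and asserts that the istio-proxy CA_ADDR points at istio-csr, then pulls the workload's leaf certificate out of the running sidecar with istioctl and prints its issuer, subject and SAN. With the Vault integration working, the issuer is the Vault intermediate CA rather than istiod's self-signed CA, and the SAN carries the workload's spiffe:// identity. It assumes kubectl, istioctl, jq and openssl are on PATH and that the pod name and namespace are passed as the two arguments; the sample describe output is constructed for the check.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a sidecar is wired to
# istio-csr and that its certificate was signed by the Vault intermediate CA.
# Assumes kubectl, istioctl, jq and openssl; pod and namespace are arguments.
set -eu

# 1. Parse `kubectl describe pod` text on stdin: the istio-proxy container must
#    send CSRs to istio-csr, not to istiod's default CA (istiod.istio-system.svc:15012).
ca_addr_ok() {
  addr=$(sed -n 's/^ *CA_ADDR: *//p' | head -n 1)
  [ "$addr" = "cert-manager-istio-csr.cert-manager.svc:443" ]
}

# 2. Extract the "default" workload certificate chain from the sidecar's SDS state
#    and print the leaf's issuer, subject and subjectAltName. The issuer should be
#    the Vault intermediate, not the self-signed CA istiod generates on its own.
workload_cert_issuer() {   # $1 = pod, $2 = namespace
  istioctl proxy-config secret "$1" -n "$2" -o json \
    | jq -r '[.dynamicActiveSecrets[] | select(.name == "default")][0].secret.tlsCertificate.certificateChain.inlineBytes' \
    | base64 -d \
    | openssl x509 -noout -issuer -subject -ext subjectAltName
}

# Usage: sh verify.sh <pod> <namespace>
if [ $# -eq 2 ]; then
  kubectl describe pod "$1" -n "$2" | ca_addr_ok \
    || { echo "CA_ADDR does not point at istio-csr; sidecar is still using istiod's CA" >&2; exit 1; }
  workload_cert_issuer "$1" "$2"
fi
```

If CA_ADDR is correct but the issuer printed is still istiod's own CA, the pod was injected before the blueprint was synced; restart it, since sidecars only pick up the new CA address when the pod is recreated.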