Skip to content

mTLS (Vault)

Securing service-to-service communication is one of the most important aspect of any system using micro-services. Enabling mutual authentication with service mesh increases the security posture and helps organizations satisfy compliance requirements.

Prerequisites and Assumptions:

  • Vault is set-up and public key infrastructure is enabled
  • Intermediate CA is enabled
  • Info on App role ID, app role secret ID and vault address is available
  • You have provisioned or imported a cluster using controller

Setup instructions:

You will need to create 2 namespaces and 4 add-ons to integrate Vault with service mesh.

Namespaces

  • istio-system
  • cert-manager

Add-ons:

  1. cert-manager (a popular native Kubernetes certificate management controller)
  2. secret (Kubernetes secret)
  3. vault-issuer
  4. cert-manager-istio-csr

Step 1: Creating Namespaces (istio-system and cert-manager)

  • Login into the Web Console and navigate to your Project as an Org Admin or Infrastructure Admin
  • Under Infrastructure, select "Namespaces" and create namespaces (cert-manager, istio-system)

Step 2: Install Add-ons

cert-manager

Cert-manager is a popular native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault etc. Cert-manager will ensure that certificates are valid and up to date, and attempt to renew certificates at a configured time before they expire.

To create cert-manager add-on follow the below steps:

  • Navigate to the Add-ons section
  • Click on New Add-on and select Create New Add-on from Catalog option

Create cert-manager addon

  • Search for cert-manager in the Catalog
  • Copy the values.yaml file (e.g. cert-manager-values.yaml), change installCRDs to true in the yaml
  • Click on Create Add-on
  • Provide a name (e.g. "cert-manager") and select the namespace (e.g. "cert-manager")

Create cert-manager addon

  • Click CREATE to go to next step
  • Provide a version name
  • Upload the "cert-manager-values.yaml" file
  • Click SAVE CHANGES

Create cert-manager addon

Create a secret

Create a kubernetes secret as an add-on. Copy the below text into a file and insert the base64 encoded APP_ROLE_SECRET_ID and save as "approle-secret.yaml"

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: cert-manager-vault-approle
  namespace: istio-system
data:
  secretId: <APP_ROLE_SECRET_ID> # insert secretId base64 encoded
  • Create a "K8s Yaml" type add-on named "istio-secret-id" in "istio-system" namespace using the "approle-secret.yaml"

Vault issuer

  • Copy the below configuration into an editor
  • Insert the plain text ROLE_ID and VAULT_ADDR
  • Save as "vault-issuer.yaml"
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: istio-system
spec:
  vault:
    path: pki_int/sign/cluster-dot-local
    server:http://<VAULT_ADDR> # insert vault url
    auth:
      appRole:
        path: approle
        roleId: <ROLE_ID> # base64 encoded NOT needed
        secretRef:
          name: cert-manager-vault-approle
          key: secretId

Create an add-on with the above file in the istio-system namespace

istio-csr

cert-manager-istio-csr helm chart is available in the Catalog. Follow up the same steps (as cert-manager) to create an add-on from the Catalog in the "cert-manager" namespace.

Customize the following in the values.yaml file:

  • Set app.certmanager.issuer.name to vault-issuer (from the previous step)
  • Set preserveCertificateRequests to true
  • Change revisions to ["default","1-15-0"]

Step 3: Install Istio

To install Istio with vault integration you need to create an "Installation Profile" with "Cert-Manager" enabled.

  • Navigate to Installation Profiles under Service Mesh section
  • Click New Profile and name it "vault-profile"
  • Provide an appropriate version name and select "CertManager" for Certificate Type

Select Cert Manager

  • Select "Enable Sidecar Injection Globally"

Enable Globally

  • Click Save & Exit

Service Mesh will pick up the cert-manager installed as part of the previous steps automatically and enable sidecar injection to all the new resources in the cluster where this profile is deployed.

Important

Sidecar injection to existing pods will only take place when pods are restarted.

Step 4: Update and Sync the Blueprint

  • Navigate to "Project" -> "Infrastructure" -> "Blueprints"
  • Create a new blueprint named "vault-blueprint"
  • Provide an appropriate version name
  • Enable "Service Mesh" and select "vault-profile" as the installation profile
  • Add the following add-ons: cert-manager, cert-manager-istio-csr with dependency on cert-manager, vault issuer with dependency on cert-manager and istio-secret-id

Blueprint Add-ons

  • Go to "Infrastructure' -> "Cluster"
  • Select the cluster you want the vault to be enabled and update the blueprint with "vault-blueprint"

Step 5: Verify Certificates are issued by the vault

Deploy a workload in new namespace.

Describe the pod and you should see the CA_ADDR as below indicating cert-manager has taken over issuing and verifying certificates.

CA_ADDR:                       cert-manager-istio-csr.cert-manager.svc:443