Use CA Certificate from Vault
bonifaido opened this issue · 0 comments
Is your feature request related to a problem? Please describe.
It would be nice if the CA secret could be read from Vault instead of letting Istio generate one.
Describe the solution you'd like to see
An attribute block in the Istio CR would control the source of CA certificate.
vault-env could be used to authenticate and read the defined Secret from Vault and write the files to an ephemeral volume from where Istio can read them.
For Vault, the Secret path should be configurable; it is secret/data/pki/root in the following initContainer example, which should be part of the solution we have discussed. Also, the Vault address and role should be configurable.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: istiod
  labels:
    name: istiod
spec:
  # The istiod container itself is omitted in this example; only the
  # initContainer that fetches the CA material is shown.
  initContainers:
    - name: vault-env
      image: ghcr.io/banzaicloud/vault-env:1.8.0
      env:
        - name: VAULT_ADDR
          value: https://vault.vault:8200
        - name: VAULT_ROLE
          value: istiod
        # vault:<path>#<field> references are resolved by vault-env before
        # the command below is exec'd with the real values in its env.
        - name: ISTIO_CA_CERT
          value: vault:secret/data/pki/ca#certificate
        - name: ISTIO_CA_KEY
          value: vault:secret/data/pki/ca#private_key
        - name: VAULT_CACERT
          value: /vault/tls/ca.crt
      command:
        - /vault/vault-env
        - sh
        - -c
        # Quote the variables: an unquoted $VAR would be word-split by sh and
        # the PEM line breaks would collapse into spaces.
        - 'echo "$ISTIO_CA_CERT" > ca-cert.pem; echo "$ISTIO_CA_KEY" > ca-key.pem'
      workingDir: /cacerts
      volumeMounts:
        - mountPath: /cacerts
          name: ca-cert
        - mountPath: /vault/tls/
          name: vault-tls
  volumes:
    - name: ca-cert
      emptyDir: {}
    - name: vault-tls
      projected:
        defaultMode: 420
        sources:
          - secret:
              name: vault-tls
              items:
                - key: ca.crt
                  path: ca.crt
```
The serviceAccount of the istiod Pod has to be configured in Vault to be able to read the aforementioned path.
Describe alternatives you've considered
N/A
Additional context
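As an added example (not code from this issue or from vault-env), the Python below models what the initContainer relies on: it parses the vault:<path>#<field> references from the manifest, resolves them against a constructed stand-in for Vault's KV v2 read response, writes the two PEM files with line breaks preserved and 0600 permissions, and derives the read-only policy the istiod role needs for exactly those paths. The FAKE_VAULT response and the PEM bodies are constructed; the reference syntax, paths and file names are the ones from the manifest.

```python
import os
import re
import tempfile
from pathlib import Path

# vault-env reference syntax from the manifest above: vault:<kv path>#<field>
REF = re.compile(r"^vault:(?P<path>[^#]+)#(?P<field>.+)$")

def parse_ref(value):
    """Return (path, field) for a Vault reference, or None for a plain value."""
    m = REF.match(value)
    return (m["path"], m["field"]) if m else None

# Constructed stand-in for GET /v1/secret/data/pki/ca on a KV v2 mount: the
# secret fields live under data.data; the outer data object also holds metadata.
FAKE_VAULT = {"secret/data/pki/ca": {"data": {
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n",
        "private_key": "-----BEGIN EC PRIVATE KEY-----\nMHcCconstructed\n-----END EC PRIVATE KEY-----\n",
    },
    "metadata": {"version": 3},
}}}

def resolve(value, vault=FAKE_VAULT):
    """Replace a vault: reference with the named secret field; pass other values through."""
    ref = parse_ref(value)
    if ref is None:
        return value
    path, field = ref
    return vault[path]["data"]["data"][field]  # KV v2: unwrap the inner data object

# Files istiod expects in the cacerts volume, keyed by the env var that feeds them.
CA_FILES = {"ISTIO_CA_CERT": "ca-cert.pem", "ISTIO_CA_KEY": "ca-key.pem"}

def write_ca_files(env, directory=None, vault=FAKE_VAULT):
    """Write the PEM files as the initContainer shell does, but with newlines
    preserved and 0600 permissions. Returns {filename: Path}."""
    out_dir = Path(directory or tempfile.mkdtemp())
    written = {}
    for var, name in CA_FILES.items():
        path = out_dir / name
        path.write_text(resolve(env[var], vault))
        os.chmod(path, 0o600)
        written[name] = path
    return written

def required_policy(env):
    """Least-privilege Vault policy for the istiod role: read only the referenced paths."""
    paths = sorted({parse_ref(v)[0] for v in env.values() if parse_ref(v)})
    return "\n".join(f'path "{p}" {{\n  capabilities = ["read"]\n}}' for p in paths)
```

The policy text is what you would bind to the Kubernetes auth role for the istiod service account so it can read nothing beyond the CA path.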