istio-csr

istio-csr is an agent that allows for Istio workload and control plane components to be secured using cert-manager.


Certificates facilitating mTLS, both inter- and intra-cluster, are signed, delivered and renewed using cert-manager issuers.

istio-csr supports Istio v1.10+ and cert-manager v1.3+.


Documentation

Please follow the documentation at cert-manager.io for installing and using istio-csr.

Inner workings

istio-csr has 3 main components: the TLS certificate obtainer, the gRPC server and the CA bundle distributor.

  1. The TLS certificate obtainer is responsible for obtaining the TLS certificate for the gRPC server. It uses the cert-manager API to create a CertificateRequest resource, which will be picked up by cert-manager and signed by the configured issuer.
  2. The gRPC server is responsible for receiving certificate signing requests from istiod and sending back the signed certificate. To do this, it uses the cert-manager CertificateRequest API to obtain the signed certificate.
  3. The CA bundle distributor is responsible for creating and updating istio-ca-root-cert ConfigMaps in all namespaces (filtered using namespaceSelector).