istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.12.0 introduces support for Istio Ambient Mode, expands upon the runtime configuration functionality introduced in previous releases, and includes various other improvements.
Features
Istio Ambient Mode Support
Istio Ambient Mode allows the use of Istio without requiring sidecar containers to run in your pods. This is powerful, but functions slightly differently and istio-csr previously didn't support this mode of operation.
Thanks to @paulwilljones istio-csr can now handle this mode of operation!
Istio Ambient Mode is enabled by setting the app.server.caTrustedNodeAccounts Helm value to a comma-separated list of namespace/service-account values indicating which service accounts are permitted to use node authentication, such as istio-system/ztunnel.
As this is a new feature, we'd be keen to hear your feedback and learn how this can be improved!
Runtime Configuration Improvements
Provisioning Resources
Runtime configuration allows istio-csr to be installed at the same time as cert-manager itself, which can simplify the cluster setup process. It also enables issuers to be changed on the fly, which makes rotation of CA certificates simpler and reduces the risk of downtime.
An issue we noticed was that istio-csr would always report as unhealthy until runtime configuration was available. On the face of it, this seems like expected behavior - without a configured issuer, istio-csr can't issue workload certs or provision the istio serving cert / istiod cert. The issue we found was that this causes the Helm install of istio-csr to hang until the runtime configuration ConfigMap was provided, forcing the need to handle runtime configuration then and there.
To make this process simpler, we've made a few Helm chart changes:
- It's now possible to pass extraObjects as a Helm value specifying arbitrary resources to create alongside the istio-csr install. This enables creating an issuer during the Helm install, if desired.
- There's a new app.runtimeConfiguration.create value which, if set, will create a runtime configuration ConfigMap with the values specified in app.runtimeConfiguration.issuer.
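The following Helm values file is an added example, not taken from the istio-csr project, that ties together the Ambient Mode setting above and the two new provisioning values: it creates a cert-manager CA Issuer through extraObjects and points the generated runtime configuration ConfigMap at it. The name/kind/group layout under app.runtimeConfiguration.issuer, the Issuer name istio-ca, the Secret name istio-ca-keypair and the cert-manager namespace are assumptions.

```yaml
# Added example values file for the istio-csr Helm chart (not project code).
# Assumption: app.runtimeConfiguration.issuer takes name/kind/group fields,
# mirroring app.certmanager.issuer.
app:
  server:
    # Ambient Mode: only these namespace/service-account identities may use
    # node authentication (ztunnel requests certificates on behalf of pods).
    caTrustedNodeAccounts: "istio-system/ztunnel"
  runtimeConfiguration:
    # Create the runtime configuration ConfigMap during the Helm install so
    # istio-csr has an issuer from the start and does not sit unhealthy
    # waiting for the ConfigMap to appear.
    create: true
    issuer:
      name: istio-ca        # assumed name, must match the Issuer below
      kind: Issuer
      group: cert-manager.io

# Arbitrary resources applied alongside the chart. Here: the CA Issuer the
# runtime configuration references. Assumes a Secret named istio-ca-keypair
# holding the CA's tls.crt/tls.key already exists in the release namespace
# (assumed to be cert-manager), since a namespaced Issuer can only read
# Secrets from its own namespace.
extraObjects:
  - apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: istio-ca
      namespace: cert-manager
    spec:
      ca:
        secretName: istio-ca-keypair
```

Because the Issuer is created in the same Helm release, rotating the CA later only requires updating the ConfigMap (or the Secret behind the Issuer) rather than reinstalling istio-csr.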
Health Checks
In addition, we've changed how health checks work for istio-csr with runtime configuration. If using pure runtime configuration (app.certmanager.issuer is blank), the istio-csr health checks will report healthy until runtime configuration is available for the first time. After runtime configuration is first detected, the health checks will return to normal.
Other Fixes
We now also propagate annotations onto the dynamic istiod cert which is used with runtime configuration, and a few roles have been fixed to ensure that installing into different namespaces works as expected.
What's Changed
Istio Ambient Mode
- feat: Add support for impersonation for certificate requests by @paulwilljones in #336
Runtime Configuration
- feat: add ability to create runtime config configmap by @ThatsMrTalbot in #379
- feat: add ability to specify extra objects to apply along with the chart by @ThatsMrTalbot in #378
- fix: Handle initial issuer config for dynamic istiod cert by @SgtCoDFish in #399
- fix: Propagate dynamic istiod cert annotations by @SgtCoDFish in #396
- feat: allow "runtime-only" configuration without default issuer by @ThatsMrTalbot in #395
- fix: do not track "originalIssuerRef" if default issuer is disabled by @ThatsMrTalbot in #397
- fix: Tweak roles to fix permission errors by @SgtCoDFish in #398
Test Improvements / Other
- feat: Add security context to istio-csr deployment by @wtzhang23 in #369
- test: Add end to end test for client certificate authenticator by @wtzhang23 in #370
- test: Add Istio 1.23 tests by @paulwilljones in #387
- feat: Added labels and annotations to deployment and pod by @chanakya-svt in #372
New Contributors
- @paulwilljones made their first contribution in #387
- @chanakya-svt made their first contribution in #372
Full Changelog: v0.11.0...v0.12.0