
Istiod helm chart should support mounting the cacerts volume with the Kubernetes CSI Secrets store driver #50036

Open
zioproto opened this issue Mar 21, 2024 · 1 comment
Labels
area/environments, area/security, feature/Multi-cluster (issues related with multi-cluster support), kind/enhancement, lifecycle/stale (indicates a PR or issue hasn't been manipulated by an Istio team member for a while)

Comments

@zioproto

Describe the feature request

When using Istio in multicluster the CA certs must be provided because each cluster cannot have a self-signed autogenerated cert.

Currently /etc/cacerts can be mounted only from a Kubernetes secret.

```yaml
- name: cacerts
  secret:
    secretName: cacerts
    optional: true
```

Istio users on public cloud do not store private keys in Kubernetes secrets as a best practice, but they use Kubernetes Secrets Store CSI Driver to mount the secrets from their public cloud secret store.

The helm chart template should support to use the Kubernetes Secrets Store CSI Driver passing the necessary information in the values.

Describe alternatives you've considered

Currently I am patching the IstioOperator as follows to solve this problem:

```yaml
---
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    pilot:
      enabled: true
      k8s:
        overlays:
          - kind: Deployment
            name: istiod-1-20-1 # https://github.com/istio/istio/issues/31076
            patches:
              - path: spec.template.spec.volumes[name:cacerts]
                value:
                  name: cacerts
                  csi:
                    driver: secrets-store.csi.k8s.io
                    readOnly: true
                    volumeAttributes:
                      secretProviderClass: "istio-tls"
```

Affected product area (please put an X in all that apply)

[ ] Ambient
[ ] Docs
[ ] Dual Stack
[X] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[X] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
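One way a chart could expose this choice through values, as an added example that is not code from the Istio chart or from the issue author: the `pilot.cacerts.*` keys are hypothetical names chosen for illustration, and `istio-tls` is the SecretProviderClass named in the overlay above.

```yaml
# values.yaml (hypothetical keys): pick the volume source for /etc/cacerts.
# "secret" keeps today's behaviour; "csi" mounts from the Secrets Store CSI Driver.
pilot:
  cacerts:
    volumeSource: csi        # "secret" (default) or "csi"
    csi:
      secretProviderClass: istio-tls
---
# templates/deployment.yaml fragment: the volumes: entry the istiod Deployment
# would render from the values above.
      volumes:
        - name: cacerts
          {{- if eq .Values.pilot.cacerts.volumeSource "csi" }}
          # Private key material never lands in a Kubernetes Secret object;
          # the CSI driver pulls it from the cloud secret store at pod start.
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: {{ .Values.pilot.cacerts.csi.secretProviderClass | quote }}
          {{- else }}
          # Existing behaviour: mount the cacerts Secret if it exists.
          secret:
            secretName: cacerts
            optional: true
          {{- end }}
```

Whichever provider backs the SecretProviderClass, it must present the material under the file names istiod reads from /etc/cacerts (ca-cert.pem, ca-key.pem, root-cert.pem, cert-chain.pem), so the object aliases in the provider parameters have to be set to those names.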

@keithmattix keithmattix self-assigned this May 6, 2024
@keithmattix keithmattix removed their assignment Jun 13, 2024
@istio-policy-bot

🧭 This issue or pull request has been automatically marked as stale because it has not had activity from an Istio team member since 2024-03-21. It will be closed on 2024-10-02 unless an Istio team member takes action. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Sep 18, 2024