Istiod helm chart should support mounting the cacerts volume with the Kubernetes CSI Secrets store driver #50036
Labels
area/environments
area/security
feature/Multi-cluster (issues related with multi-cluster support)
kind/enhancement
lifecycle/stale (Indicates a PR or issue hasn't been manipulated by an Istio team member for a while)
Describe the feature request
When using Istio in multicluster the CA certs must be provided because each cluster cannot have a self-signed autogenerated cert.
Currently /etc/cacerts can be mounted only from a Kubernetes secret.
istio/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml
Lines 225 to 228 in 70c91d1
Istio users on public cloud do not store private keys in Kubernetes secrets as a best practice, but they use Kubernetes Secrets Store CSI Driver to mount the secrets from their public cloud secret store.
The helm chart template should support using the Kubernetes Secrets Store CSI Driver, passing the necessary information in the values.
Describe alternatives you've considered
Currently I am patching the IstioOperator as follows to solve this problem:
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[ ] Dual Stack
[X] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[X] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
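The two ways of backing the cacerts volume that this request contrasts, as an added example that is not the issue author's patch or the Istio chart's own code. The SecretProviderClass name istio-cacerts, the istio-system namespace and the provider placeholder are assumptions.

```yaml
# Added example. Documents 1 and 2 are pod-spec fragments for the istiod
# Deployment, not complete manifests.

# 1) Secret-backed form, the shape the issue describes: the CA private key
#    lives in a Kubernetes Secret object and is readable through the API by
#    anyone with get/list on Secrets in the namespace.
volumes:
  - name: cacerts
    secret:
      secretName: cacerts
      optional: true
---
# 2) CSI-backed form the issue asks the chart to support: same volume name,
#    so the existing mount at /etc/cacerts does not change. The files are
#    fetched from the external secret store when the pod starts.
volumes:
  - name: cacerts
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: istio-cacerts   # assumed name
---
# 3) The SecretProviderClass referenced above. It must live in the same
#    namespace as the istiod pod.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: istio-cacerts          # assumed name
  namespace: istio-system      # assumed install namespace
spec:
  provider: PROVIDER_PLACEHOLDER   # the provider plugin installed in the cluster
  # Provider-specific. The object mapping must produce the file names istiod
  # reads for a plugged-in CA: ca-cert.pem, ca-key.pem, root-cert.pem and
  # cert-chain.pem.
  parameters: {}
  # Leave spec.secretObjects unset: it syncs the mounted content back into a
  # Kubernetes Secret, which puts the CA key where this request avoids it.
```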