Integrating with istio helm chart installs #113
Comments
|
Bumping this: IstioOperator is now discouraged. It would be great to have some instructions for how to set this up with native Helm |
|
Third bump, trying to figure this out right now. In case anyone else is working on this, what I've found so far is {{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
secret:
optional: true
{{ if eq .Spec.ServiceAccountName "" }}
secretName: istio.default
{{ else -}}
secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
{{ end -}}
{{- end }} {{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}It does the same thing in I'm not sure which secret this is in relation to the changes in the IstioOperator resource. It doesn't really look like it applies to either? Unfortunately, it doesn't seem the chart allows for definition of arbitrary extra volumes either. Other than that |
|
As an FYI for anyone coming across this issue, it's actually a fairly simple fix to work with the Istio helm chart. I'm working on PR'ing these changes to the upstream chart, but here are the general instructions:
- "--tlsCertFile=/etc/tls-identity/tls.crt"
- "--tlsKeyFile=/etc/tls-identity/tls.key"
- "--caCertFile=/etc/tls-root-ca/root-cert.pem"
# Only add custom TLS client and CA certs if vault pki enabled
# istio-csr: mount cert-managed issued end-entity cert
- name: tls-identity
mountPath: /etc/tls-identity
readOnly: true
# istio-csr: mount root ca cert
- name: tls-root-ca
mountPath: /etc/tls-root-ca
readOnly: true
# Only add custom TLS client and CA certs if vault pki enabled
# istio-csr: mount cert-manager issued end-entity cert
- name: tls-identity
secret:
secretName: istiod-tls
# istio-csr: mount root ca cert
- name: tls-root-ca
configMap:
defaultMode: 420
name: istio-ca-root-cert
The |
|
Thank you @ajp-lsq and others for notes! I use Terraform for istiod and istio-base Helm installs. Ill add support for this in the module I open sourced Terraform Registry terraform-helm-istio |
|
@ajp-lsq can you ping us here when you have PR on upstream chart or reference this issue in PR? Thanks for the help! |
|
@ajp-lsq I am also interested in this work. Thank you. |
Did you allready PR your changes to the upstream project? |
|
@ajp-lsq @sepulworld were you able to make any progress on the terraform module and/or helm chart? I am on the same boat. Trying to use helm and use AWS Private CA with Istio. |
|
Hi everyone, as the above PR for Istio has been merged, we can now override helm values to integrate with cert-manager a little easier: # Additional container arguments
extraContainerArgs:
- --tlsCertFile=/etc/cert-manager/tls/tls.crt
- --tlsKeyFile=/etc/cert-manager/tls/tls.key
- --caCertFile=/etc/cert-manager/ca/root-cert.pem
env:
ENABLE_CA_SERVER: false
# Additional volumeMounts to the istiod container
volumeMounts:
- mountPath: /etc/cert-manager/tls
name: cert-manager
readOnly: true
- mountPath: /etc/cert-manager/ca
name: istio-csr-ca-configmap
readOnly: true
# Additional volumes to the istiod pod
volumes: []
- name: cert-manager
secret:
defaultMode: 420
secretName: istiod-tls
- configMap:
defaultMode: 420
name: istio-ca-root-cert
optional: true
name: ca-root-cert |
|
I'm kinda confused here, as a person moving from istio-operator to istio helm, it seems that this "issue" was handled some time ago with a "zero config" solution here: istio/istio#39375 Can someone explain if/why this does not work? as I would think the "zero-config" route makes sense with just leveraging known paths mounts for secrets? I'll be progressing into testing in the near future so I'll also report back my own findings here. |
Just deployed istio in staging with the "zero config" - and it simply works.
So I suspect there have been two initiatives in parallel to solve this problem from different ends. One that you mentioned istio/istio#39375 and one istio/istio#45517 that @tomreeb has contributed to the istio recently. Now someone just needs to update the documentation so one or both are easier to use |
|
@volodymyr-mykhailyk : I'm curious if this zero config method still works or if these docs are the way it has to be? |
|
I can confirm from my own experience, that the zero config version works still/fine. It never presented any hindrance and "just worked". We implemented it prior to the helpful instructions posted by @volodymyr-mykhailyk by interrogating the helm chart vs our existing istio-operator deployment. |
|
Thanks! I was able to test as well. I did need to set |
Does anyone have any example values inputs when integrating istio-csr with an istio setup installed using Helm https://istio.io/latest/docs/setup/install/helm/
I see istio-csr refers to this https://github.com/cert-manager/istio-csr/blob/main/hack/istio-config-1.10.0.yaml but does anyone have a translation of this to the istio helm chart install?
The text was updated successfully, but these errors were encountered: