github cert-manager/istio-csr v0.10.0


istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.10.0 provides some cool new features - initial support for easier runtime configuration, support for the s390x architecture and dependency updates!

Initial Runtime Configuration Support

istio-csr requires cert-manager to be installed to be able to issue certificates; using cert-manager to issue istio certificates is the whole reason to use istio-csr!

More subtly, istio-csr actually requires a cert-manager issuer to be created before istio-csr is installed. This issuer is used to issue the istiod certificate, the istio serving certificate and workload certificates.

This dependency means that it's not possible to install istio-csr and cert-manager at the same time, which can be a problem for some users and some installation methods. Runtime configuration aims to solve that problem, by allowing the issuer to be defined at runtime through a ConfigMap resource in the same namespace as the istio-csr pods.

Plus, since the issuer is defined at pod startup time (via the Helm chart) it's not possible to swap out an issuer on the fly while istio-csr pods are running. Runtime configuration changes this:

$ kubectl create configmap -n cert-manager istio-issuer \
  --from-literal=issuer-name=my-issuer-name \
  --from-literal=issuer-kind=ClusterIssuer \
  --from-literal=issuer-group=cert-manager.io

$ cat values.yaml
app:
  runtimeIssuanceConfigMap: istio-issuer
  certmanager:
    issuer:
      name: ""
      kind: ""
      group: ""
  tls:
    rootCAFile: "/var/run/secrets/istio-csr/ca.pem"
    istiodCertificateEnable: false
volumeMounts:
- name: root-ca
  mountPath: /var/run/secrets/istio-csr
volumes:
- name: root-ca
  secret:
    secretName: istio-root-ca

$ helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
  --install \
  --namespace cert-manager \
  --wait \
  --values values.yaml

This initial support does require that the istiod certificate is disabled, which means there's a need to provision that certificate ahead of installing istio-csr.

Alternatively, istiodCertificateEnable can be left as true and app.certmanager.issuer can be provided. This still requires cert-manager to be installed and configured before istio-csr, but it makes it possible to change certificates on the fly.

A future release of istio-csr should help with provisioning the istiod certificate dynamically, allowing for true runtime configuration.
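
The constraints described above can be checked before running helm upgrade. The following is an added example, not code from the istio-csr project; the function names and the key=value input format for the ConfigMap data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: offline preflight for the runtime configuration settings.
# All function and variable names are hypothetical, not part of istio-csr.

# cm_get KEY DATA: print the value of KEY from "key=value" lines in DATA.
cm_get() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# check_runtime_configmap DATA: succeed only when all three issuer keys
# used in the kubectl command above are present and non-empty.
check_runtime_configmap() {
  for key in issuer-name issuer-kind issuer-group; do
    if [ -z "$(cm_get "$key" "$1")" ]; then
      echo "ConfigMap is missing a value for '$key'" >&2
      return 1
    fi
  done
}

# check_values CONFIGMAP_NAME STATIC_ISSUER_NAME ISTIOD_CERT_ENABLE
# Arguments mirror app.runtimeIssuanceConfigMap, app.certmanager.issuer.name
# and app.tls.istiodCertificateEnable from values.yaml.
check_values() {
  cm_name=$1 static_issuer=$2 istiod_cert=$3
  # Some issuer source is required: the ConfigMap or a static issuer.
  if [ -z "$cm_name" ] && [ -z "$static_issuer" ]; then
    echo "no issuer source: set a ConfigMap or a static issuer" >&2
    return 1
  fi
  # Without a static issuer, the istiod certificate must be disabled.
  if [ -z "$static_issuer" ] && [ "$istiod_cert" = "true" ]; then
    echo "istiodCertificateEnable=true needs app.certmanager.issuer" >&2
    return 1
  fi
  return 0
}

# Constructed sample data matching the literals in the kubectl command above.
SAMPLE_CM='issuer-name=my-issuer-name
issuer-kind=ClusterIssuer
issuer-group=cert-manager.io'
```
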

s390x Support

Thanks to @rishikakedia, istio-csr now supports the s390x architecture! While the cert-manager project's ability to test on s390x is limited, we hope this support is useful and we'd be happy to action any bugs you find!

What's Changed

Features

Testing / Documentation

New Contributors

Full Changelog: v0.9.0...v0.10.0
