istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.11.0 further enhances support for runtime configuration, enabling "pure" runtime configuration where istio-csr can be installed at the same time as cert-manager. It also enables client cert auth via a great contribution from @wtzhang23, which provides an alternative method for workloads to renew their certificates.
JSON logging is also added for the first time, with some caveats!
Feature Overview
Pure Runtime Configuration
istio-csr v0.10.0 added initial support for runtime configuration, allowing the issuer to be changed easily after istio-csr starts. That release still, in practice, needed an issuer to be configured before istio-csr was installed, in order to provision the istiod cert and for initial configuration of istio serving certs.
v0.11.0 adds "pure" runtime configuration, allowing istio-csr and cert-manager to be installed entirely concurrently. To achieve this, istio-csr gains the ability to dynamically provision an istiod cert, and now waits for issuer configuration before any attempts to issue serving certs.
An example of runtime-configured istio-csr would use the following values.yaml:

```yaml
app:
  runtimeIssuanceConfigMap: runtime-config-map
  certmanager:
    issuer:
      # explicitly blank these values out, since they're defaulted
      name: ""
      kind: ""
      group: ""
  tls:
    istiodCertificateEnable: "dynamic" # new in v0.11.0!
```
Note that istio-csr pods won't report as "ready" until an issuer is configured, so a Helm install won't complete until you've created a ConfigMap specifying an issuer!
```shell
$ kubectl create configmap runtime-config-map -n cert-manager \
    --from-literal=issuer-name=istio-ca \
    --from-literal=issuer-kind=Issuer \
    --from-literal=issuer-group=cert-manager.io
```
Client Cert Auth
Previously, workloads attempting to renew their serving certs with istio-csr were required to present their Kubernetes JWT for validation. Istio (when used without istio-csr) allows for several auth methods, including client cert auth, where the already-provisioned mTLS certificate can be used as auth.
Now, istio-csr has gained support for client cert auth, using the trusted CA bundle already supported in istio-csr. The functionality is behind a flag, and can be enabled with a Helm value: `--set app.server.authenticators.enableClientCert=true`.
JSON Logging
Thanks to the new `logFormat` Helm value, JSON logging can be enabled for istio-csr: `--set app.logFormat=json`.
JSON logs are now used by default in several istio-csr tests, and are very useful for parseable structured logs. The caveats are twofold:
- First, there's no guarantee that all output will be in JSON format. In testing, logging seemed to be consistently in JSON, but it's possible that there could be some text output.
- Second, log formats are not currently consistent: different log lines may have different keys.
We'd appreciate contributions if anyone is willing to work on these caveats!
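As an added example (not code from the istio-csr project), a small Go log reader that tolerates both caveats above: lines that fail to decode as JSON are kept as raw text instead of being dropped, and a value can be looked up under alternative key names. The sample log lines and their key names are constructed for the example and are not real istio-csr output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample output (not real istio-csr logs): JSON lines whose keys
// differ from one another, plus one plain-text line that was not JSON-encoded.
const sampleLogs = `{"level":"info","ts":1700000000.1,"msg":"waiting for issuer configuration","configmap":"runtime-config-map"}
{"level":"info","ts":1700000000.2,"message":"issuer configured","issuer-name":"istio-ca","issuer-kind":"Issuer"}
I1130 12:00:00.000000       1 main.go:42] plain text line, not JSON
{"level":"error","ts":1700000000.3,"msg":"failed to sign certificate","error":"issuer not ready"}`

// LogEntry is one output line; Fields stays nil when the line was not JSON.
type LogEntry struct {
	Raw    string
	Fields map[string]any
}

// ParseLogs decodes each line as a JSON object where possible and keeps the
// rest as raw text, so non-JSON lines are preserved for inspection.
func ParseLogs(out string) []LogEntry {
	var entries []LogEntry
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		e := LogEntry{Raw: line}
		var m map[string]any
		if strings.HasPrefix(line, "{") && json.Unmarshal([]byte(line), &m) == nil {
			e.Fields = m
		}
		entries = append(entries, e)
	}
	return entries
}

// Field returns the value of the first key present among the alternatives,
// covering lines that name the same thing differently ("msg" vs "message").
// Reading a nil Fields map is safe, so non-JSON entries simply report false.
func Field(e LogEntry, keys ...string) (string, bool) {
	for _, k := range keys {
		if v, ok := e.Fields[k]; ok {
			return fmt.Sprint(v), true
		}
	}
	return "", false
}
```

A caller that wants the message of every line can call `Field(e, "msg", "message")` and fall back to `e.Raw` when it returns false.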
What's Changed
Runtime Configuration
- Add ability to dynamically configure istiod cert by @SgtCoDFish in #359
- Add retries for issuing initial serving cert by @SgtCoDFish in #364
JSON Logs
- Add flag to set log-format by @seankhliao in #354
- Test with JSON logs, improve logs aesthetics for JSON by @SgtCoDFish in #356
- Configure istio logging when JSON selected by @SgtCoDFish in #358
Other
- Disable kubernetes client side rate limiting by @seankhliao in #352
- Implement client cert auth by @wtzhang23 in #357
- Add topologySpreadConstraints to Helm chart by @SgtCoDFish in #365
- Helm updates for istiod cert by @SgtCoDFish in #355
- Add some release detail which appears to be missing by @SgtCoDFish in #366
New Contributors
- @seankhliao made their first contribution in #354
- @wtzhang23 made their first contribution in #357
Full Changelog: v0.10.0...v0.11.0