This tutorial walks through a full end-to-end example of integrating a HashiCorp Vault Certificate Authority (CA) with a multicluster Istio deployment, so that the certificates and keys for every workload in the mesh are issued from a CA you control in Vault.
Istio's native Vault CA integration has not been supported since the Istio 1.3 release. The same result can still be achieved by combining two cert-manager components: the cert-manager Vault issuer, which signs certificates through Vault's PKI secrets engine, and the cert-manager istio-csr agent, which takes over from istiod as the signer of workload certificates.
High-level solution design
Setup steps:
1) Deploy a HashiCorp Vault cluster on Cloud Run
2) Create the GKE clusters
3) Connect the GKE clusters to the Vault cluster on Cloud Run (external Vault)
4) Configure the Vault PKI secrets engine
5) Deploy cert-manager
6) Install cert-manager istio-csr
7) Install multicluster Istio
8) Deploy the HelloWorld application
9) Verify cross-cluster traffic and workload certificates
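As an added example (not code from the tutorial repository linked below), the following Go program models the PKI that these steps produce and the check behind step 9: one Vault root CA, one intermediate CA per GKE cluster (the certificate that the cert-manager Vault issuer signs for istio-csr), short-lived workload leaf certificates carrying a SPIFFE URI SAN, and a verifier that, like a peer sidecar, trusts only the Vault root. The cluster names, namespace, service account and the cluster.local trust domain are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// RootCA plays the role of the Vault root PKI mount shared by all clusters.
type RootCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// ClusterCA plays the role of the per-cluster intermediate that the
// cert-manager Vault issuer signs and istio-csr then issues workload certs from.
type ClusterCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign fills in a random serial, signs tmpl with parentKey under parent, and
// returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial.Add(serial, big.NewInt(1)) // keep it strictly positive
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA creates the self-signed root (assumed name, 10-year lifetime).
func NewRootCA() *RootCA {
	key := newKey()
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Vault Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return &RootCA{Cert: cert, key: key}
}

// NewClusterCA issues a path-length-0 intermediate for one cluster from the root.
func (r *RootCA) NewClusterCA(cluster string) *ClusterCA {
	key := newKey()
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Istio Intermediate CA " + cluster},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, r.Cert, &key.PublicKey, r.key)
	if err != nil {
		panic(err)
	}
	return &ClusterCA{Cert: cert, key: key}
}

// IssueWorkloadCert issues a leaf the way istio-csr does for a sidecar: no
// subject, the SPIFFE identity as the only URI SAN, a short lifetime. The
// returned chain (leaf, intermediate) is what the workload presents in mTLS.
func (c *ClusterCA) IssueWorkloadCert(spiffeID string, ttl time.Duration) ([]*x509.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key := newKey()
	tmpl := &x509.Certificate{
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{id},
	}
	leaf, err := sign(tmpl, c.Cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, c.Cert}, nil
}

// VerifyWorkloadCert is the check a peer in either cluster performs: it trusts
// only the Vault root, so the presented chain must reach it through a cluster
// intermediate, and the leaf's SPIFFE ID must be in the mesh trust domain.
func VerifyWorkloadCert(chain []*x509.Certificate, root *x509.Certificate, trustDomain string) (string, error) {
	if len(chain) == 0 {
		return "", errors.New("empty chain")
	}
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	leaf := chain[0]
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates}); err != nil {
		return "", fmt.Errorf("chain does not reach the Vault root: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", errors.New("workload cert must carry exactly one spiffe:// URI SAN")
	}
	if leaf.URIs[0].Host != trustDomain {
		return "", fmt.Errorf("trust domain %q is not %q", leaf.URIs[0].Host, trustDomain)
	}
	return leaf.URIs[0].String(), nil
}

func main() {
	root := NewRootCA()
	east := root.NewClusterCA("cluster-east")
	// A workload in cluster-east presents its chain; a peer in cluster-west
	// accepts it using nothing but the shared Vault root.
	chain, err := east.IssueWorkloadCert("spiffe://cluster.local/ns/sample/sa/helloworld", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyWorkloadCert(chain, root.Cert, "cluster.local"))
	// A certificate from an unrelated root is rejected.
	rogue, _ := NewRootCA().NewClusterCA("rogue").IssueWorkloadCert("spiffe://cluster.local/ns/sample/sa/helloworld", time.Hour)
	fmt.Println(VerifyWorkloadCert(rogue, root.Cert, "cluster.local"))
}
```

The point to take from running it is that cross-cluster mTLS needs no per-cluster trust configuration beyond the shared Vault root, while a chain presented without its intermediate, a certificate from a different root, or an identity in another trust domain is rejected.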
Tutorial Code
The step-by-step instructions for this tutorial can be found here:
https://github.com/palimarium/istio-vault-ca
Conclusion
Congratulations on completing this deep-dive implementation tutorial. You now have a Vault-backed CA provisioning certificates and keys for all Istio workloads in the mesh, across both clusters, with the root of trust held in Vault.
References
- Implementation code: https://github.com/palimarium/istio-vault-ca
- Configure Vault as a Certificate Manager in Kubernetes: https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager
- cert-manager istio-csr: https://github.com/cert-manager/istio-csr