
Multicluster Istio paired with Vault: How to do this?


This tutorial is a full end-to-end example of integrating a HashiCorp Vault Certificate Authority (CA) with a multicluster Istio mesh, so that Vault issues the identity certificates for every workload in the mesh instead of the self-signed CA that istiod generates by default.

Istio's native Vault CA integration has not been supported since the Istio 1.3 release. The same result can still be achieved, however, by combining two cert-manager components: the cert-manager Vault issuer, which signs certificate requests against a Vault PKI secrets engine, and the cert-manager istio-csr agent, which receives the workload certificate signing requests from istiod and forwards them to that issuer.

High-level solution design


Setup steps:

1) Deploy a HashiCorp Vault cluster on Cloud Run
2) Create the GKE clusters
3) Connect the GKE clusters to the Vault cluster on Cloud Run (external Vault)
4) Configure the Vault PKI secrets engine
5) Deploy cert-manager
6) Install cert-manager istio-csr
7) Multicluster Istio installation
8) Deploy the HelloWorld application
9) Verify cross-cluster traffic and workload certificates
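The following is an added example, not configuration taken from the tutorial repository, showing how steps 3 to 7 fit together for one of the two clusters: the cert-manager ClusterIssuer that signs against the external Vault PKI engine, the Helm values that point istio-csr at that issuer, and the IstioOperator that tells istiod to stop acting as a CA and send its certificate requests to istio-csr. All names in it (the `vault-issuer` ClusterIssuer, the `pki_int` mount and `istio-ca` role, the `gke-cluster1` Kubernetes auth mount, the Cloud Run hostname, the `vault-root-ca` Secret, and `mesh1`/`cluster1`/`network1`) are assumptions chosen for illustration; the field names themselves are the real cert-manager, istio-csr Helm chart and IstioOperator fields. The three documents belong in three separate files (a manifest, a Helm values file, and an IstioOperator file) and are only concatenated here for reading.

```yaml
# Added example (not from the tutorial repo). Identifiers such as vault-issuer,
# pki_int, istio-ca, gke-cluster1, mesh1/cluster1/network1 are assumptions.
---
# File 1: cert-manager ClusterIssuer (steps 3 and 4).
# Every CSR istio-csr sends to this issuer is signed by the Vault PKI role
# "istio-ca" on the "pki_int" mount, so the intermediate key never leaves Vault.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    # Assumed Cloud Run URL. Cloud Run terminates TLS with a Google-managed
    # certificate from a public CA, so no caBundle is needed here.
    server: https://vault-abc123-uc.a.run.app
    # <mount>/sign/<role>: only this role's constraints apply to issued certs.
    path: pki_int/sign/istio-ca
    auth:
      kubernetes:
        role: istio-ca
        # One Kubernetes auth mount per GKE cluster in Vault: each cluster has
        # its own API server and token reviewer, so they cannot share a mount.
        mountPath: /v1/auth/gke-cluster1
        secretRef:
          name: vault-issuer-token   # assumed: service account token Secret
          key: token
---
# File 2: Helm values for cert-manager istio-csr (step 6).
app:
  certmanager:
    issuer:
      name: vault-issuer
      kind: ClusterIssuer
      group: cert-manager.io
    # Do not keep signed CertificateRequests around; they are not needed
    # after the certificate has been returned to the workload.
    preserveCertificateRequests: false
  tls:
    # Must match the mesh trust domain; workload SPIFFE IDs are built from it.
    trustDomain: cluster.local
    # Root CA that workloads should trust. Exported from Vault's root PKI mount
    # and mounted from the (assumed) vault-root-ca Secret below. It must be
    # the same root in every cluster of the mesh.
    rootCAFile: /var/run/secrets/istio-csr/root-ca.pem
  server:
    # Must equal global.multiCluster.clusterName in the IstioOperator.
    clusterID: cluster1
    # Upper bound on workload certificate lifetime; short lifetimes limit the
    # damage if a workload identity is stolen.
    maxCertificateDuration: 24h
volumes:
  - name: root-ca
    secret:
      secretName: vault-root-ca
volumeMounts:
  - name: root-ca
    mountPath: /var/run/secrets/istio-csr
---
# File 3: IstioOperator (step 7) for the first primary cluster.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: cluster1
spec:
  profile: default
  values:
    global:
      # Send istiod's CSR traffic to istio-csr instead of the built-in CA.
      caAddress: cert-manager-istio-csr.cert-manager.svc:443
      meshID: mesh1
      multiCluster:
        clusterName: cluster1
      network: network1
  components:
    pilot:
      k8s:
        env:
          # istiod must not sign certificates itself when an external CA is used.
          - name: ENABLE_CA_SERVER
            value: "false"
```

The second cluster repeats the same three files with a different Kubernetes auth mount (`/v1/auth/gke-cluster2`, assumed), a different `clusterName`/`clusterID` and `network`, but the same `path` and the same `root-ca.pem`: sharing one Vault intermediate and one root is what lets workloads in the two clusters validate each other's mTLS certificates. Two checks worth making before moving on: the Vault PKI role behind `pki_int/sign/istio-ca` should be created with `allowed_uri_sans` restricted to `spiffe://cluster.local/*` and `require_cn=false`, because Istio workload certificates carry their identity only in a SPIFFE URI SAN, and a role that allows arbitrary names would let any cluster holding the Vault token mint identities for other trust domains; and after step 8, `istioctl proxy-config secret <pod> -o json` on a HelloWorld pod lets you base64-decode the default certificate and confirm with `openssl x509 -noout -issuer -ext subjectAltName` that the issuer is the Vault intermediate and the SAN is the expected `spiffe://cluster.local/ns/<namespace>/sa/<serviceaccount>` identity.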

Tutorial Code

The step-by-step instructions for this tutorial can be found here:

https://github.com/palimarium/istio-vault-ca

Conclusion

Congratulations on completing this deep-dive implementation tutorial. You now have a Vault-backed CA that provisions the certificates and keys for all Istio workloads in the mesh: the CA private key stays inside Vault, and every workload certificate is issued through cert-manager and istio-csr rather than by istiod's built-in self-signed CA.

References

  1. Implementation code: https://github.com/palimarium/istio-vault-ca
  2. Configure Vault as a Certificate Manager in Kubernetes: https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager
  3. cert-manager istio-csr: https://github.com/cert-manager/istio-csr
