OpenShift Service Mesh / OSSM-1330

Allow specifying secret as pilot server cert when using CertificateAuthority: Custom


    • Sprint 50, Sprint 51, Sprint 52, Sprint 53, Sprint 54, Sprint 55, Sprint 56, Sprint 57, Sprint 58 - week 1

      Currently, we've exposed a Custom method which allows one to provide an external CA. At Jetstack we're making use of the istio-csr API to handle workload identity.

      In order for istio-csr to work we need to set the CA address, which we do like so:

       

      security:
        certificateAuthority:
          custom:
            address: cert-manager-istio-csr.openshift-operators.svc:443
          type: Custom

       

      This almost solves the problem; however, the pilot server needs to have its TLS context set to a cert generated by the external CA (through the --tlsCert and --TlsKey flags etc.). Currently we configure this by writing out a secret, which should be mounted and passed to the command args. This works correctly in the vanilla istio-operator on other platforms as well as OpenShift.

       

      I have searched through the Maistra repo thoroughly (including the 2.1 branch); there is no way for us to inject this parameter through the operator, it seems. Such an override would be outside the parameters that are meant to be configured at present.

      Is there any mechanism we missed that allows us to achieve this goal at present?
      If not, would it be possible to expose the setting of the TLS context for pilot? We imagine that all CAs using istio-csr as a mechanism will have the exact same problem bootstrapping their CAs, so this would be generally useful.

      One hint for a possibly elegant way of doing it is to have the controlPlane.Certprovider allow a "secret" method, which lets one set a secret name or something like that.

      Apologies if this is not the best place to submit this feature request, thanks in advance!
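Added example, not from this issue or the Maistra/Istio projects: a POSIX shell check for the cert/key pair that would be placed in the pilot server secret described above, confirming it chains to the external CA, that key and cert agree, and that the SAN covers the istiod service name (the name istiod.istio-system.svc, the file names and the throwaway test PKI are all assumptions).

```shell
#!/bin/sh
# Added example, not from this issue or the Maistra/Istio projects. Before a cert/key
# pair from a Kubernetes TLS secret is handed to the pilot server, check that it is
# actually usable: it chains to the external CA, key and cert agree, and the SAN
# covers the service name proxies will dial (assumed here: istiod.istio-system.svc).
set -eu

# check_pilot_cert CA_PEM CERT_PEM KEY_PEM EXPECTED_SAN -> prints ok | chain | keymismatch | san
check_pilot_cert() {
    ca=$1; crt=$2; key=$3; san=$4
    # 1. the leaf must validate against the external CA root
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo chain; return 1; }
    # 2. key and cert must carry the same public key
    c=$(openssl x509 -in "$crt" -pubkey -noout | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] || { echo keymismatch; return 1; }
    # 3. sidecars reach istiod by DNS name, so the cert must list it as a SAN
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$san" \
        || { echo san; return 1; }
    echo ok
}

# Constructed test PKI (throwaway, hypothetical names): an "external CA", a leaf for
# istiod signed by it, and an unrelated key that does NOT belong to that leaf.
make_test_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=external-ca" -days 1 >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$d/pilot.key" -out "$d/pilot.csr" -subj "/CN=istiod" >/dev/null 2>&1
    printf 'subjectAltName=DNS:istiod.istio-system.svc\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/pilot.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/pilot.crt" -days 1 -extfile "$d/ext.cnf" >/dev/null 2>&1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/other.key"
    echo "$d"
}

# Usage: d=$(make_test_pki); check_pilot_cert "$d/ca.crt" "$d/pilot.crt" "$d/pilot.key" istiod.istio-system.svc
```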

        Attachment: transform-secret.sh (0.9 kB), uploaded by Houssem El Fekih

              People: Jacek Ewertowski (jewertow@redhat.com), Houssem El Fekih (spectralhiss, inactive), Praneeth Bajjuri