
Istio CSR


Root CA 발급

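---
# Bootstrap issuer: signs the root CA certificate below with its own key.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: istio-system
spec:
  selfSigned: {}
---
# Self-signed root CA. cert-manager writes the key pair to Secret `root-ca`
# (keys tls.key / tls.crt); tls.key is the root private key, so keep RBAC on
# that Secret tight and avoid copying it anywhere it is not strictly needed.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: istio-system
spec:
  isCA: true
  duration: 175200h  # 20 years
  secretName: root-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  subject:
    organizations:
      - cluster.local
      - cert-manager
  dnsNames:
    - root-ca.loliot.net
  issuerRef:
    group: cert-manager.io
    kind: Issuer
    name: selfsigned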
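# Export the root CA key pair from the cert-manager Secret and re-create it as
# the Secret the `istio-ca` Issuer reads from.
# The private key lands on the local disk: the subshell + umask 077 keeps
# root-ca.key owner-readable only. Delete root-ca.key once the Secret exists;
# root-ca.crt is still needed for the istio-root-ca Secret created later.
(
  umask 077
  kubectl get -n istio-system secret root-ca -ogo-template='{{index .data "tls.key"}}' | base64 -d > root-ca.key
)
kubectl get -n istio-system secret root-ca -ogo-template='{{index .data "tls.crt"}}' | base64 -d > root-ca.crt
kubectl create secret generic -n istio-system istio-ca \
  --from-file=tls.key=root-ca.key \
  --from-file=tls.crt=root-ca.crt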
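---
# Issuer that istio-csr requests workload and istiod certificates from.
# NOTE(review): Secret `istio-ca` is a copy of the root-ca key pair made by the
# kubectl commands above, so this Issuer signs with the root key directly and
# there is no real intermediate. Issuing a dedicated intermediate Certificate
# (isCA: true, issuerRef pointing at the root) and referencing its secret here
# would keep the root key out of day-to-day signing.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: istio-ca
  namespace: istio-system
spec:
  ca:
    secretName: istio-ca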

Istio-CSR(Intermediate CA)

# Publish only the root certificate (no private key) into the istio-csr
# namespace; the values file below mounts it as rootCAFile.
kubectl -n auth create secret generic istio-root-ca \
  --from-file=ca.pem=root-ca.crt

# Refresh the jetstack repo and list the available chart versions.
helm repo update jetstack && helm search repo jetstack/cert-manager-istio-csr -l | head -n 10

# Dump the chart's default values for v0.7.1 as the starting point for edits.
helm show values jetstack/cert-manager-istio-csr --version v0.7.1 > cert-manager-istio-csr-values.yaml
cert-manager-istio-csr-values.yaml
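---
app:
  certmanager:
    issuer:
      # Issuer (in istio-system) that signs the certificates istio-csr requests.
      name: istio-ca

  tls:
    # Root certificate distributed to workloads as their trust anchor; mounted
    # from the istio-root-ca Secret via the volumes/volumeMounts below.
    rootCAFile: /var/run/secrets/istio-csr/ca.pem

    # SAN for istio-csr's own gRPC serving certificate; it must match the host
    # istiod is pointed at via global.caAddress.
    certificateDNSNames:
      - cert-manager-istio-csr.auth.svc

    certificateDuration: 24h
    istiodCertificateDuration: 24h

  server:
    clusterID: "Kubernetes"  # istiod.Values.global.multiCluster.clusterName
    # Upper bound on the validity istio-csr will grant to any request; keep it
    # short so a leaked workload certificate ages out quickly.
    maxCertificateDuration: 48h

  istio:
    # istiod revisions this istio-csr instance serves.
    revisions:
      - 1-20-2

# Extra volume carrying the root certificate only (no key) — see rootCAFile.
volumes:
  - name: root-ca
    secret:
      secretName: istio-root-ca

volumeMounts:
  - name: root-ca
    mountPath: /var/run/secrets/istio-csr
    readOnly: true

tolerations: []
affinity: {}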
# Render the manifests locally for review, then install (or upgrade) the release.
helm template cert-manager-istio-csr jetstack/cert-manager-istio-csr \
  -n auth --version v0.7.1 -f cert-manager-istio-csr-values.yaml \
  > cert-manager-istio-csr.yaml

helm upgrade --install cert-manager-istio-csr jetstack/cert-manager-istio-csr \
  -n auth --version v0.7.1 --history-max 5 \
  -f cert-manager-istio-csr-values.yaml

istiod

istiod-values.yaml
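---
pilot:
  env:
    # Turn off istiod's built-in CA so istio-csr is the only certificate
    # issuer in the mesh. Quoted: this is a string-valued environment variable.
    ENABLE_CA_SERVER: "false"

global:
  # CA endpoint the agents and istiod send certificate requests to — the
  # istio-csr gRPC service in the `auth` namespace. Must match
  # app.tls.certificateDNSNames in the istio-csr values.
  caAddress: cert-manager-istio-csr.auth.svc:443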