├── .gitignore ├── certs ├── root-cert.srl ├── root-ca.conf ├── root-cert.csr ├── root-cert.pem ├── istiod-cluster1 │ ├── root-cert.pem │ ├── ca-cert.pem │ ├── ca-key.pem │ └── cert-chain.pem ├── istiod-cluster2 │ ├── root-cert.pem │ ├── ca-cert.pem │ ├── ca-key.pem │ └── cert-chain.pem ├── root-key.pem └── README.md ├── output ├── k8sapi-cert1.pem ├── k8sapi-cert2.pem ├── istiod1.jwt ├── istiod2.jwt └── README.md ├── istio-sa.yml ├── cluster1-values.yaml ├── cluster2-values.yaml ├── certs-gen ├── README.md ├── Makefile.selfsigned.mk ├── common.mk └── Makefile.k8s.mk ├── kubecfg1.yml ├── kubecfg2.yml ├── local-setup.md ├── docker-compose.yml └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .vscode 2 | -------------------------------------------------------------------------------- /certs/root-cert.srl: -------------------------------------------------------------------------------- 1 | DEDF298A147681D7 2 | -------------------------------------------------------------------------------- /certs/root-ca.conf: -------------------------------------------------------------------------------- 1 | [ req ] 2 | encrypt_key = no # the root private key (certs/root-key.pem) is written without a passphrase; it belongs offline, not in a repository - this repo commits it for the demo only, so treat it as compromised 3 | prompt = no 4 | utf8 = yes 5 | default_md = sha256 6 | default_bits = 4096 7 | req_extensions = req_ext 8 | x509_extensions = req_ext 9 | distinguished_name = req_dn 10 | [ req_ext ] 11 | subjectKeyIdentifier = hash 12 | basicConstraints = critical, CA:true 13 | keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign # NOTE(review): a root CA key needs only keyCertSign (plus cRLSign if it is ever to issue CRLs, which is absent here); digitalSignature/nonRepudiation/keyEncipherment are unnecessary for a CA and should be dropped before real use 14 | [ req_dn ] 15 | O = Istio 16 | CN = Root CA 17 | -------------------------------------------------------------------------------- /output/k8sapi-cert1.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIBdjCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy 3 | dmVyLWNhQDE2Njg3NjU1MjkwHhcNMjIxMTE4MDk1ODQ5WhcNMzIxMTE1MDk1ODQ5 4 | 
WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2Njg3NjU1MjkwWTATBgcqhkjO 5 | PQIBBggqhkjOPQMBBwNCAASpoWhvoMuEzYTGWRCrur49dZzlD5tjD3XSP8XU+Lq1 6 | R36814rhSiEOyfuRKhZhdchszm0BffM0lN7E/3/Lo727o0IwQDAOBgNVHQ8BAf8E 7 | BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUgJSX2RzFBOUpwP5gi/jO 8 | h1sJLXEwCgYIKoZIzj0EAwIDRwAwRAIgOWVPnPTLBaADZNYqJsOimJv1BUQWendz 9 | CAhLA2drjTACIDFj6z9Ir2LX+3236GOHDY7oUUtOlWJavDyRzM1bOfdy 10 | -----END CERTIFICATE----- 11 | -------------------------------------------------------------------------------- /output/k8sapi-cert2.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIBdjCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy 3 | dmVyLWNhQDE2Njg3NjU1MjkwHhcNMjIxMTE4MDk1ODQ5WhcNMzIxMTE1MDk1ODQ5 4 | WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2Njg3NjU1MjkwWTATBgcqhkjO 5 | PQIBBggqhkjOPQMBBwNCAAQp1kdGbFDCaxEljJgq+GHOi7Yeoa36vunHMavG1Yes 6 | /rfkI/Qrg+WHzvbp3+xqxIPnqY9usJd7E2qU+1G0v5Qfo0IwQDAOBgNVHQ8BAf8E 7 | BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUBUWvPz5co9g4JODKgbd1 8 | if3p2+wwCgYIKoZIzj0EAwIDRwAwRAIgPwzxQ2e8lzgRHSIgoC6useFlEWM/EQ2b 9 | 0frbp6gv7mICIC4hOsLQThLYaOYkSzE/LXAX3woa0sWw3FA2S6NHLzBH 10 | -----END CERTIFICATE----- 11 | -------------------------------------------------------------------------------- /output/istiod1.jwt: -------------------------------------------------------------------------------- 1 | 
eyJhbGciOiJSUzI1NiIsImtpZCI6Imd4OHVMUzhkZlRGSG42YlhvNC1zYjZWX0czbzhIZVR5R1lOWmkyNTd4bUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJpc3Rpby1zeXN0ZW0iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaXN0aW9kIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImlzdGlvZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjFlZGNiZGM1LWI1YTItNDRmYS1hODZkLTNkNGQzODRlN2FlMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDppc3Rpby1zeXN0ZW06aXN0aW9kIn0.JdWuEmlKPODouzS14xmq3JzGDWSOnnXBuiPDiv47fFOELUuzZ5QUZX1jbLRtEF6G86UnXFgB4ApzDyHQg2Ax--0HVGwilA80SxPN5wnpM0GG55RqVA9zjD30PBoUXHKvqVuYSeWGBQ0sP-sIEGd0JeoRLwUq6h1KPKIeo4SMIQJv_ENbUlSsGa62YhVYO0xISOrmJgIc8wnwwZqN442hYcjLdoPozCvoQwdAA0kVAhlS4vckJFgvnSq2W4b2izLku_tI9p8xqAD9Hwp7_WqAgWYiPaqQnGpJW0zEXDMLvvhDmvFid4w4jX43-7ehlPSJshXPFal8ZGjF3rmDilvFyA -------------------------------------------------------------------------------- /output/istiod2.jwt: -------------------------------------------------------------------------------- 1 | eyJhbGciOiJSUzI1NiIsImtpZCI6ImdyRnpmb0c5Rm5lemFhSUVsVmVtbkRiTVZBNjVKM3NBYTBTV1VaRWRRZnMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJpc3Rpby1zeXN0ZW0iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiaXN0aW9kIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImlzdGlvZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImE5OWY3OTJkLTg5MTgtNDA3Ny1hODQ1LTE1YWMxM2QwMThiZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDppc3Rpby1zeXN0ZW06aXN0aW9kIn0.RqFXhZAhYtCKo0LJcbkUFavNaLP0nKa1JehQgGF3G0sR8XsIQIrYLfOPTTZufDEExTiQiRNttDVu5jfF2QdkEgpQj8r8CMNif9aSo2f6GO5DJtSKWijJLlwm2wT_CwRqHDYBa08OqGYgsp2C9VN602Srz_4EEBXuopSp2cGPVTidclUBT3-0fWT-S4c6p4xLa_jidCrCqx0Eb7G9-n0VLp3I17bEkrVomUB_0cnHr3rDfs1BulZrQkWeAiRj5ZLW8PuNw7TRJ9xPtLzaK8e5SXRlAc6fh4__w6AgmnytQqU8QDD9CxFysCYg8584tQS07bwTz_KUCIOFIccQGZNxIg 
-------------------------------------------------------------------------------- /istio-sa.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: istiod 6 | namespace: istio-system 7 | labels: 8 | app: istiod 9 | app.kubernetes.io/managed-by: Helm 10 | release: istio-istiod 11 | annotations: 12 | meta.helm.sh/release-name: istio-istiod 13 | meta.helm.sh/release-namespace: istio-system 14 | --- 15 | apiVersion: v1 16 | kind: Secret 17 | metadata: 18 | name: istiod 19 | namespace: istio-system 20 | annotations: 21 | kubernetes.io/service-account.name: istiod 22 | type: kubernetes.io/service-account-token # legacy long-lived token Secret: the token controller fills it with a JWT for the istiod ServiceAccount that carries no expiry (output/istiod*.jwt are such tokens, committed for the demo); it looks intended as the token-reviewer JWT for the Vault Kubernetes auth mount referenced in cluster*-values.yaml - confirm, and prefer a bound, short-lived token where the consumer supports it 23 | --- 24 | apiVersion: rbac.authorization.k8s.io/v1 25 | kind: ClusterRoleBinding 26 | metadata: 27 | name: role-tokenreview-binding 28 | roleRef: 29 | apiGroup: rbac.authorization.k8s.io 30 | kind: ClusterRole 31 | name: system:auth-delegator # grants the istiod ServiceAccount cluster-wide rights to create TokenReviews and SubjectAccessReviews, i.e. to validate any workload's token; this is what a token-reviewer identity needs (presumably Vault's Kubernetes auth), so keep the subject list to this single ServiceAccount 32 | subjects: 33 | - kind: ServiceAccount 34 | name: istiod 35 | namespace: istio-system 36 | -------------------------------------------------------------------------------- /cluster1-values.yaml: -------------------------------------------------------------------------------- 1 | pilot: 2 | env: 3 | ROOT_CA_DIR: /vault/secrets # istiod reads its CA files from the path where the Vault agent injector writes the templates below 4 | podAnnotations: 5 | vault.hashicorp.com/agent-inject: "true" 6 | vault.hashicorp.com/agent-init-first: "true" 7 | vault.hashicorp.com/agent-inject-secret-ca-key.pem: "kubernetes-cluster1-secrets/istiod-service/certs" # renders the intermediate CA private key onto the istiod pod's filesystem; anyone who can exec into or read files from this pod obtains the cluster's signing key, so restrict pod access in istio-system accordingly 8 | vault.hashicorp.com/agent-inject-template-ca-key.pem: | 9 | {{- with secret "kubernetes-cluster1-secrets/istiod-service/certs" -}} 10 | {{ .Data.ca_key }} 11 | {{ end -}} 12 | vault.hashicorp.com/agent-inject-secret-ca-cert.pem: "kubernetes-cluster1-secrets/istiod-service/certs" 13 | vault.hashicorp.com/agent-inject-template-ca-cert.pem: | 14 | {{- with secret "kubernetes-cluster1-secrets/istiod-service/certs" -}} 15 | {{ .Data.ca_cert }} 16 | {{ end -}} 17 | 
vault.hashicorp.com/agent-inject-secret-root-cert.pem: "kubernetes-cluster1-secrets/istiod-service/certs" 18 | vault.hashicorp.com/agent-inject-template-root-cert.pem: | 19 | {{- with secret "kubernetes-cluster1-secrets/istiod-service/certs" -}} 20 | {{ .Data.root_cert }} 21 | {{ end -}} 22 | vault.hashicorp.com/agent-inject-secret-cert-chain.pem: "kubernetes-cluster1-secrets/istiod-service/certs" 23 | vault.hashicorp.com/agent-inject-template-cert-chain.pem: | 24 | {{- with secret "kubernetes-cluster1-secrets/istiod-service/certs" -}} 25 | {{ .Data.cert_chain }} 26 | {{ end -}} 27 | vault.hashicorp.com/role: "istiod" 28 | vault.hashicorp.com/auth-path: "auth/kubernetes-cluster1" 29 | -------------------------------------------------------------------------------- /cluster2-values.yaml: -------------------------------------------------------------------------------- 1 | pilot: 2 | env: 3 | ROOT_CA_DIR: /vault/secrets 4 | podAnnotations: 5 | vault.hashicorp.com/agent-inject: "true" 6 | vault.hashicorp.com/agent-init-first: "true" 7 | vault.hashicorp.com/agent-inject-secret-ca-key.pem: "kubernetes-cluster2-secrets/istiod-service/certs" 8 | vault.hashicorp.com/agent-inject-template-ca-key.pem: | 9 | {{- with secret "kubernetes-cluster2-secrets/istiod-service/certs" -}} 10 | {{ .Data.ca_key }} 11 | {{ end -}} 12 | vault.hashicorp.com/agent-inject-secret-ca-cert.pem: "kubernetes-cluster2-secrets/istiod-service/certs" 13 | vault.hashicorp.com/agent-inject-template-ca-cert.pem: | 14 | {{- with secret "kubernetes-cluster2-secrets/istiod-service/certs" -}} 15 | {{ .Data.ca_cert }} 16 | {{ end -}} 17 | vault.hashicorp.com/agent-inject-secret-root-cert.pem: "kubernetes-cluster2-secrets/istiod-service/certs" 18 | vault.hashicorp.com/agent-inject-template-root-cert.pem: | 19 | {{- with secret "kubernetes-cluster2-secrets/istiod-service/certs" -}} 20 | {{ .Data.root_cert }} 21 | {{ end -}} 22 | vault.hashicorp.com/agent-inject-secret-cert-chain.pem: 
"kubernetes-cluster2-secrets/istiod-service/certs" 23 | vault.hashicorp.com/agent-inject-template-cert-chain.pem: | 24 | {{- with secret "kubernetes-cluster2-secrets/istiod-service/certs" -}} 25 | {{ .Data.cert_chain }} 26 | {{ end -}} 27 | vault.hashicorp.com/role: "istiod" 28 | vault.hashicorp.com/auth-path: "auth/kubernetes-cluster2" 29 | -------------------------------------------------------------------------------- /certs/root-cert.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIIEuDCCAqACAQAwIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew 3 | ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSzeKUVYad9rExNis/ufhw 4 | tQHd9P8SEuq9DBNJBxfo2wRt6QyCsLIekCjH0GIPLp3UWj03i9JDauPFXWvMrQTV 5 | yMG9sjEmhvUlIGAe6w+4fLvljLSmLQeWTVgQUxiDk7bM2OC3+e+sxOGoKDME5dp+ 6 | 9od7YuEOmc5WnNF3sFqEkf2E+KB1FQg/PpyilBJSnYLXGasb3OWJE03EOj+mC8va 7 | inK0u6xw81fcrlDuBHeh3meB8ud7ovY+ZAPqhRWUY4dz3CuGXN5PWCHaUSDNrzKM 8 | fsHnem8XnG+5Ws4Og9bavlKXf7SvJlpLrn6Y1XC3kdFiWoG4Kf1rAYACiBTH24HI 9 | IGrLlGXMBtEkMO/RjsV4kSJqkdSkeryvVnZaI5nGXyxvNdUzmmM3qqbS62aQA062 10 | B1GuIM49DB7xma5Lue1qRxBopOJVGmzcNKDpZ9+HiikReS/fl0A6Z+Sk3sbl2VP6 11 | /WbpZ7LuuSZkkzAbs+PgsmkQu2hGIk//Aw8xBSqJN5K9lQBrBfKfkyVdPK7WkUNG 12 | /KinEMmWgQ9LHzXTdeJzvD3aV6Zz1BBVWgaFny7xEbIg8+46Y58oIPfrqtsmd9tS 13 | v+OkyJjDvArVi4ErG72AriiY1zK1MemLScnGKWQmwCT6Y1foH3nFqJcnSfUzgCh5 14 | OC6Y7eWo3D1UQWGNlvkkwQIDAQABoFEwTwYJKoZIhvcNAQkOMUIwQDAdBgNVHQ4E 15 | FgQUf19JeG8G9jDhTa4lWDm/zyjeyc8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B 16 | Af8EBAMCAuQwDQYJKoZIhvcNAQELBQADggIBALcyc2CPpSgwNgRRHu50hMrv+3Pa 17 | K86d7lkKzVYbnLtUaJH5gBu7Q1MKFJKo0YgJkADKLg6H7SLc9kuwPy22ex4iq/T9 18 | kU4pdxWUSbzLNyTJ8BV598NttyLkHRsDr1qEhYWH21apuOhJke4z/lQnljMqS5dV 19 | 5e7Tbz1BsSwLlBdJwj74ChOOXBBKvv+fVs1OAtpW67Q+FJMV9YCYTqZuLf/3TRs+ 20 | L75KG+qxC+nQkGIijJfYxDmkLTFWSqXo/haxjwuXrLe8SSJFgs5XRI2ezEHN5TSt 21 | ufknYJj6fpB+LKBDL/wSrL70nHrEiJO36UAG1b06UkVDkjMVlM0k7/vbOLwvicGw 22 | 
Jlrx3vCKnTqOxGGlCThXKmvzMdf0NCwiH1DtpuZr/IPXukohau1+vb25ho47dUOG 23 | gDCZWcuLdiD+zGjeWzFbZI17rtqOlreyCGsXPaNMz99h3zqOcfRPF4O3xrqGcwV6 24 | K+9uCRdhEdVj0WEOrwM2eEFNbpYec4Cg9ynmwWu0RcCOafOEP3dw6TeH7UbJu1b5 25 | lfCwtX81QA3D1+JriOTLc+N+1awhGQpX/IRrzGZ0BXO304cP2S9ox2hp0Mis+HNY 26 | TuvTVODVwEV47kpHvjOgpWS/wym1OXj5+Og/83qZXXW/kvHDRFxTQTBr34jM/fJz 27 | aVZfTCkkdmB+vcUY 28 | -----END CERTIFICATE REQUEST----- 29 | -------------------------------------------------------------------------------- /certs/root-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFCTCCAvGgAwIBAgIJAPW81+ib22JIMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV 3 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1MloXDTMy 4 | MTExNDIyMDE1MlowIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew 5 | ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSzeKUVYad9rExNis/ufhw 6 | tQHd9P8SEuq9DBNJBxfo2wRt6QyCsLIekCjH0GIPLp3UWj03i9JDauPFXWvMrQTV 7 | yMG9sjEmhvUlIGAe6w+4fLvljLSmLQeWTVgQUxiDk7bM2OC3+e+sxOGoKDME5dp+ 8 | 9od7YuEOmc5WnNF3sFqEkf2E+KB1FQg/PpyilBJSnYLXGasb3OWJE03EOj+mC8va 9 | inK0u6xw81fcrlDuBHeh3meB8ud7ovY+ZAPqhRWUY4dz3CuGXN5PWCHaUSDNrzKM 10 | fsHnem8XnG+5Ws4Og9bavlKXf7SvJlpLrn6Y1XC3kdFiWoG4Kf1rAYACiBTH24HI 11 | IGrLlGXMBtEkMO/RjsV4kSJqkdSkeryvVnZaI5nGXyxvNdUzmmM3qqbS62aQA062 12 | B1GuIM49DB7xma5Lue1qRxBopOJVGmzcNKDpZ9+HiikReS/fl0A6Z+Sk3sbl2VP6 13 | /WbpZ7LuuSZkkzAbs+PgsmkQu2hGIk//Aw8xBSqJN5K9lQBrBfKfkyVdPK7WkUNG 14 | /KinEMmWgQ9LHzXTdeJzvD3aV6Zz1BBVWgaFny7xEbIg8+46Y58oIPfrqtsmd9tS 15 | v+OkyJjDvArVi4ErG72AriiY1zK1MemLScnGKWQmwCT6Y1foH3nFqJcnSfUzgCh5 16 | OC6Y7eWo3D1UQWGNlvkkwQIDAQABo0IwQDAdBgNVHQ4EFgQUf19JeG8G9jDhTa4l 17 | WDm/zyjeyc8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI 18 | hvcNAQELBQADggIBAJX1TUFtaS39OorE3oOKazttc30kcaMaBeva8DVVucG6OZKx 19 | qGOjEblmTsdqGYbJ7aoG1bz3LrdkZoViE953sVvq4Yf4ZJx7rORGtNKsWi7FAOEJ 20 | ZIqLDLQk8LUZzNjaFxxa4urqC6tw4x5jcG086nUmIjCN0/z2dyIGozWIKUSL8URs 21 | 
YDlXqDQTEZg8qrhWisIdyO5qpkCLslTcGVl3Kq3wzEZxkky3Asc70vob9ine7O7K 22 | Vsgb3Wkcp2FzgoSH7zvhELwePnBfAgY3UlWkqA8MSJbS9C3QdRf+nzrVNfANj/Gd 23 | pFBdJ/blnYyqyba38oHgMFuEFSX2tXOm9LD0PB6qnVyWC2lMFZCjjQzohirgTenP 24 | 4c5q0M4t7ZOtA+USK0v+pMzivgLdaYdjViUKcud62E19gIDQwUxWkkDySAYmrakR 25 | E49Ai0bx7uuLyf+5RHSWw3B9RAGNg1KBYe2ysLIh8tC1ov5xlBLnmssmK/HP619U 26 | YpINph/MXXHVe/VXbTTNVdhd6qM8wb48dvd3U2MXVqLSlfi51AJsugKAF0AThLCJ 27 | lUOgIOyMX2+UTc1Ci3t46xBbEzGWssMmyzwXkBoMJ5v/+FnNABqyE//JPNZt1/DU 28 | cO1F6NLHd5wXO9f2DjTrgjEqN9DgE3Kg0G5i5k2CqXvbImL6ZpZhu3A4MRs6 29 | -----END CERTIFICATE----- 30 | -------------------------------------------------------------------------------- /certs-gen/README.md: -------------------------------------------------------------------------------- 1 | # Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust 2 | 3 | The directory contains two Makefiles for generating new root, intermediate certificates and workload certificates: 4 | - `Makefile.k8s.mk`: Creates certificates based on a root-ca from a k8s cluster. The current context in the default 5 | `kubeconfig` is used for accessing the cluster. 6 | - `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root. 7 | 8 | The table below describes the targets supported by both Makefiles. 9 | 10 | Make Target | Makefile | Description 11 | ------ | -------- | ----------- 12 | `root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate. 13 | `fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`. 14 | `$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates `Subject` field, with the cluster's name. 
15 | `$NAMESPACE-certs` | Both | Generates intermediate certificates and signs workload certificates for a virtual machine connected to the namespace `$NAMESPACE`, using the service account `$SERVICE_ACCOUNT` and the root cert, and stores them under the `$NAMESPACE` directory. 16 | `clean` | Both | Removes any generated root certificates, keys, and intermediate files. 17 | 18 | For example: 19 | 20 | ```bash 21 | make -f Makefile.selfsigned.mk root-ca 22 | ``` 23 | 24 | Note that the Makefile generates long-lived intermediate certificates (the committed `certs/istiod-cluster*/ca-cert.pem` files are valid for two years, until 2024-11-16, and the self-signed root in `certs/root-cert.pem` for ten). While this might be 25 | acceptable for demonstration purposes, a more realistic and secure deployment would use 26 | short-lived and automatically renewed certificates for the intermediate CAs, and would keep the root key (`certs/root-key.pem`, committed here unencrypted) offline rather than in version control. 27 | -------------------------------------------------------------------------------- /certs/istiod-cluster1/root-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFCTCCAvGgAwIBAgIJAPW81+ib22JIMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV 3 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1MloXDTMy 4 | MTExNDIyMDE1MlowIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew 5 | ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSzeKUVYad9rExNis/ufhw 6 | tQHd9P8SEuq9DBNJBxfo2wRt6QyCsLIekCjH0GIPLp3UWj03i9JDauPFXWvMrQTV 7 | yMG9sjEmhvUlIGAe6w+4fLvljLSmLQeWTVgQUxiDk7bM2OC3+e+sxOGoKDME5dp+ 8 | 9od7YuEOmc5WnNF3sFqEkf2E+KB1FQg/PpyilBJSnYLXGasb3OWJE03EOj+mC8va 9 | inK0u6xw81fcrlDuBHeh3meB8ud7ovY+ZAPqhRWUY4dz3CuGXN5PWCHaUSDNrzKM 10 | fsHnem8XnG+5Ws4Og9bavlKXf7SvJlpLrn6Y1XC3kdFiWoG4Kf1rAYACiBTH24HI 11 | IGrLlGXMBtEkMO/RjsV4kSJqkdSkeryvVnZaI5nGXyxvNdUzmmM3qqbS62aQA062 12 | B1GuIM49DB7xma5Lue1qRxBopOJVGmzcNKDpZ9+HiikReS/fl0A6Z+Sk3sbl2VP6 13 | /WbpZ7LuuSZkkzAbs+PgsmkQu2hGIk//Aw8xBSqJN5K9lQBrBfKfkyVdPK7WkUNG 14 | /KinEMmWgQ9LHzXTdeJzvD3aV6Zz1BBVWgaFny7xEbIg8+46Y58oIPfrqtsmd9tS 15 | v+OkyJjDvArVi4ErG72AriiY1zK1MemLScnGKWQmwCT6Y1foH3nFqJcnSfUzgCh5 16 | OC6Y7eWo3D1UQWGNlvkkwQIDAQABo0IwQDAdBgNVHQ4EFgQUf19JeG8G9jDhTa4l 
17 | WDm/zyjeyc8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI 18 | hvcNAQELBQADggIBAJX1TUFtaS39OorE3oOKazttc30kcaMaBeva8DVVucG6OZKx 19 | qGOjEblmTsdqGYbJ7aoG1bz3LrdkZoViE953sVvq4Yf4ZJx7rORGtNKsWi7FAOEJ 20 | ZIqLDLQk8LUZzNjaFxxa4urqC6tw4x5jcG086nUmIjCN0/z2dyIGozWIKUSL8URs 21 | YDlXqDQTEZg8qrhWisIdyO5qpkCLslTcGVl3Kq3wzEZxkky3Asc70vob9ine7O7K 22 | Vsgb3Wkcp2FzgoSH7zvhELwePnBfAgY3UlWkqA8MSJbS9C3QdRf+nzrVNfANj/Gd 23 | pFBdJ/blnYyqyba38oHgMFuEFSX2tXOm9LD0PB6qnVyWC2lMFZCjjQzohirgTenP 24 | 4c5q0M4t7ZOtA+USK0v+pMzivgLdaYdjViUKcud62E19gIDQwUxWkkDySAYmrakR 25 | E49Ai0bx7uuLyf+5RHSWw3B9RAGNg1KBYe2ysLIh8tC1ov5xlBLnmssmK/HP619U 26 | YpINph/MXXHVe/VXbTTNVdhd6qM8wb48dvd3U2MXVqLSlfi51AJsugKAF0AThLCJ 27 | lUOgIOyMX2+UTc1Ci3t46xBbEzGWssMmyzwXkBoMJ5v/+FnNABqyE//JPNZt1/DU 28 | cO1F6NLHd5wXO9f2DjTrgjEqN9DgE3Kg0G5i5k2CqXvbImL6ZpZhu3A4MRs6 29 | -----END CERTIFICATE----- 30 | -------------------------------------------------------------------------------- /certs/istiod-cluster2/root-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFCTCCAvGgAwIBAgIJAPW81+ib22JIMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV 3 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1MloXDTMy 4 | MTExNDIyMDE1MlowIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew 5 | ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSzeKUVYad9rExNis/ufhw 6 | tQHd9P8SEuq9DBNJBxfo2wRt6QyCsLIekCjH0GIPLp3UWj03i9JDauPFXWvMrQTV 7 | yMG9sjEmhvUlIGAe6w+4fLvljLSmLQeWTVgQUxiDk7bM2OC3+e+sxOGoKDME5dp+ 8 | 9od7YuEOmc5WnNF3sFqEkf2E+KB1FQg/PpyilBJSnYLXGasb3OWJE03EOj+mC8va 9 | inK0u6xw81fcrlDuBHeh3meB8ud7ovY+ZAPqhRWUY4dz3CuGXN5PWCHaUSDNrzKM 10 | fsHnem8XnG+5Ws4Og9bavlKXf7SvJlpLrn6Y1XC3kdFiWoG4Kf1rAYACiBTH24HI 11 | IGrLlGXMBtEkMO/RjsV4kSJqkdSkeryvVnZaI5nGXyxvNdUzmmM3qqbS62aQA062 12 | B1GuIM49DB7xma5Lue1qRxBopOJVGmzcNKDpZ9+HiikReS/fl0A6Z+Sk3sbl2VP6 13 | /WbpZ7LuuSZkkzAbs+PgsmkQu2hGIk//Aw8xBSqJN5K9lQBrBfKfkyVdPK7WkUNG 14 | 
/KinEMmWgQ9LHzXTdeJzvD3aV6Zz1BBVWgaFny7xEbIg8+46Y58oIPfrqtsmd9tS 15 | v+OkyJjDvArVi4ErG72AriiY1zK1MemLScnGKWQmwCT6Y1foH3nFqJcnSfUzgCh5 16 | OC6Y7eWo3D1UQWGNlvkkwQIDAQABo0IwQDAdBgNVHQ4EFgQUf19JeG8G9jDhTa4l 17 | WDm/zyjeyc8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI 18 | hvcNAQELBQADggIBAJX1TUFtaS39OorE3oOKazttc30kcaMaBeva8DVVucG6OZKx 19 | qGOjEblmTsdqGYbJ7aoG1bz3LrdkZoViE953sVvq4Yf4ZJx7rORGtNKsWi7FAOEJ 20 | ZIqLDLQk8LUZzNjaFxxa4urqC6tw4x5jcG086nUmIjCN0/z2dyIGozWIKUSL8URs 21 | YDlXqDQTEZg8qrhWisIdyO5qpkCLslTcGVl3Kq3wzEZxkky3Asc70vob9ine7O7K 22 | Vsgb3Wkcp2FzgoSH7zvhELwePnBfAgY3UlWkqA8MSJbS9C3QdRf+nzrVNfANj/Gd 23 | pFBdJ/blnYyqyba38oHgMFuEFSX2tXOm9LD0PB6qnVyWC2lMFZCjjQzohirgTenP 24 | 4c5q0M4t7ZOtA+USK0v+pMzivgLdaYdjViUKcud62E19gIDQwUxWkkDySAYmrakR 25 | E49Ai0bx7uuLyf+5RHSWw3B9RAGNg1KBYe2ysLIh8tC1ov5xlBLnmssmK/HP619U 26 | YpINph/MXXHVe/VXbTTNVdhd6qM8wb48dvd3U2MXVqLSlfi51AJsugKAF0AThLCJ 27 | lUOgIOyMX2+UTc1Ci3t46xBbEzGWssMmyzwXkBoMJ5v/+FnNABqyE//JPNZt1/DU 28 | cO1F6NLHd5wXO9f2DjTrgjEqN9DgE3Kg0G5i5k2CqXvbImL6ZpZhu3A4MRs6 29 | -----END CERTIFICATE----- 30 | -------------------------------------------------------------------------------- /certs/istiod-cluster1/ca-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFUjCCAzqgAwIBAgIJAN7fKYoUdoHWMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV 3 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1NFoXDTI0 4 | MTExNjIyMDE1NFowRDEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVk 5 | aWF0ZSBDQTEYMBYGA1UEBwwPaXN0aW9kLWNsdXN0ZXIxMIICIjANBgkqhkiG9w0B 6 | AQEFAAOCAg8AMIICCgKCAgEA0de2Lr+DhI0HlEcl6uDrJonpUttReh57ntNNLA4A 7 | H+7lb6LexQtw+byDQwlv4zId8yJ3nN5VntX5RLAlCAyOR1EPIkCYt2vnsK2lrp2P 8 | zJdETwjisDrBFmQHL3pl9iEU9fNru5+3ViPQEtCjyQsWEiuJHO5+ZWsRz7AeuN4I 9 | h4k41hahDRw9kNJTHngxxRoGAffsYQbuj6e8GLH0sBWp+D7SN7UBcoVFQr/Ui0fa 10 | 66V+4ASGPVvijgTw0jRL1t7e0VguGX491M0gUUXf1TWfPqezct2bQTAb8+gwe2zf 11 | YpXVrcGEMSZmk7oBs+AJQlsq61eorKSX8FeOp+/Rz6/FN77bV51fqZ/tQiF4jJ7p 
12 | h2lTz6upX/nO47N+QRsMRapEHsXReY0W3VS/WthbKhkNXvQw5MrZ4xg6QSVgRA4a 13 | sU23ZJ1KuUKgT2XsA/hL5L13kg8aa64y9azKSc2VHQe/N87MIhvzE1UD+Vn4928p 14 | 9Oebq6+EiKBoAiUUG4OgssGOrL1YxU6X03yVwCFBAJdCfx+wjOE55MZonXxafbL2 15 | 8yYNPEjWYiQZNrWuDnePCb5kS1XIoG7DZ7ta+WNutE+59pIyG6ECPZ7xJLYBquTa 16 | 86hyKz59VdYVqAUYj+TYF81U3MWJCf1LSWEbe2Gg2Giy3dgaOCwifwXsFHn9WcSG 17 | PQkCAwEAAaNpMGcwHQYDVR0OBBYEFIUXcQuj9KKILV23iNGtPOTUmphDMBIGA1Ud 18 | EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmCF2lzdGlv 19 | ZC5pc3Rpby1zeXN0ZW0uc3ZjMA0GCSqGSIb3DQEBCwUAA4ICAQC9Va6PpBpYji3A 20 | kscmFUjjR8Yi8HgCwLZgs6toy8RGMejM4ANsB22Kl/cYQx9YNODTTxd3GOqAPglB 21 | L2iqYP0+qJWU+h8u4n2Bgaz77DKmiIhKBhozeSUGltzFFK93zFwMhVEvlTOfwhgb 22 | 2xS1iAAAGFvPYeJSRNwfTz59mFmIYErbjWIl+3pxjen0YD5AOntW+SkpJBfz7jqf 23 | pvDEja1uP60kjSdqy4ppj6Dlo6/AwQpM2hbn1riD0MRcE56c0SNfuygfCpj/o2iu 24 | mmYHGPgoiN8MXM99GyJnQ3CZhl3MHlxZ2Uy7zln6h1OR8abLtyJjueu/7qbQi/+t 25 | Jg8B4jg3ofZ4+Te+b+nmiJ06FQ2VpQSigpGTQQbsfkEM9Nio5+TaULLXyaazizD6 26 | YG1uIgxT14zRLkAcc+asT941qobHbshcqabqJQ3jeIeMAENBSTwtaQaY4HupCqGz 27 | Ukca0gimyNa4U84CRzB6qkRA2Qu8mK4HggbzmzMLCIuCg2hALNw/HCZoN5lnT6ja 28 | biTqljc00xswAlxKfmNtyUFd/Obsm5kdMG1Fc/gDwqeQoauzs2lO/ZJa8+AulJ3f 29 | Py9b7HnuhVI513gfjC/rueZiLWiz9SHToCZ1OEBhQ0+Gn1X1fCcb2/npDHrQ3WUJ 30 | 1mNnbjvxR/Wi2cn30cQeb7BXEUCeWA== 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /certs/istiod-cluster2/ca-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFUjCCAzqgAwIBAgIJAN7fKYoUdoHXMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV 3 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1NVoXDTI0 4 | MTExNjIyMDE1NVowRDEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVk 5 | aWF0ZSBDQTEYMBYGA1UEBwwPaXN0aW9kLWNsdXN0ZXIyMIICIjANBgkqhkiG9w0B 6 | AQEFAAOCAg8AMIICCgKCAgEAoksdEGIeBIV3AQfT1A0excQIsiRLQNLhX9cV++hu 7 | Xdgjjwtg85zHnObdHX9Zpd/98bwU/snM5rXSXP1xsrq1G/J5/lk/HRIfwRysyoAa 8 | 
PTvdysVvX+ogL/t75gbVzVqlELplc3cJZXgR6vlscKd65GHAamvx6KC3CFnkwYsN 9 | kW63cxG3Q8IznEe2SarHZ2Ru7KMcMghJldSTl32AOMxUR0Np9wBIGo1xNn/SG61q 10 | SsfYPQuxiKWW5pZnnbbH89QHSAkoPeipRLdmVDYk/aj8kH/znqg3R0M9qgVRz/CQ 11 | aLSom4nI/m48MGrArm8uKVoB2EdGDFapRn/XgTgblHaEsxJUxSIGaUIIGYh7lo7J 12 | pxUT9W3gL35du3gugEhp89OHmwPc0RQ4oWGRL8voJFFaKZDJ8uOjuGCRE37aO6Gf 13 | MkeEYbdeRZvtNzCxLlJGmgio48Ss9xVCGh7CoqkjxGWQpeiC5jgL1I+YTpk5UOYJ 14 | 1wmMfQ4iF/WUQHyOwjzkluGSJJQLaL0XnyTq5qzoxRYYj7X5TEO1/A+L6pCcXwYM 15 | KnefYn1yjasKGVWcy4aS4ZbSM3Vor7KbQ4IeXLomq4zPxa+Qn/4XH162544QeauJ 16 | cTaRbuHytRZ7JNIKiXSF6EqDIhWXC4j5mtp4Ve9xTZrlj+BPFn0MUnpZ9HkifYF9 17 | xnsCAwEAAaNpMGcwHQYDVR0OBBYEFFRWmh8dkO0Tvy++maYsLhuRPhW+MBIGA1Ud 18 | EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmCF2lzdGlv 19 | ZC5pc3Rpby1zeXN0ZW0uc3ZjMA0GCSqGSIb3DQEBCwUAA4ICAQDOhvPHFP9DGg+O 20 | DpTLLtmVoCEEjCZiZwdnLSDqIivzRUO1PrzHepoMMMAyJwYeU9RfAy11a3giBLtP 21 | UgP4aEkLKxY6j9MaE/VHULTuHd0SNG4vGibdoCZNLDvhYvbXHqS7ZbUGBcsGGWpS 22 | dD2ym23vCT6Lx9oC8HLI492qOHP6zcUgSIiXsvObInYwZOifjxVPxkYbBo5IXKb8 23 | paqNwLMQTUjzpeROUTSA0YFhT7K1HRsGuGhT656j0zNfLQIwYb2dAYWQHg3qHOpd 24 | H/VJzWkpuCDMAimJ9sK7RS93TBxQlT+LLqrKHA5Ep7GmDypJIrlFaqxP/X8nBUmz 25 | /jsZ+p2bAXEsppB2lp/e09IC+nB9hGhFwtYQdFCzkOdTK+9+THIoNdZIHGXftTbX 26 | D7XBHQM8gbpwEWnhLl3BxWzRA0ce5zdadtliJzYWqAwW/yjz9mcmbYmBROE4NlUO 27 | hWLlrdNMYKanJ9QXfloQAbf5dBZ4pw8GOtKz/IEdIys1ebUPgzwZS78aHh4Hxf40 28 | 7hNw2RlVfz2Q8O5Ea44AkGDz81TxB8Zv+uL3nbFJgKH2mYBFg+LbvqW3gsGkfmOT 29 | S6zHL2EdiXavc9kd1udz4VZeyD6c2p3QLcG+Vyz+XYrER+E6hGdgdNEVL5lKXCts 30 | nAubT8cEdbYU7ngNAxuIvUh+2NfjUA== 31 | -----END CERTIFICATE----- 32 | -------------------------------------------------------------------------------- /kubecfg1.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | clusters: 3 | - cluster: 4 | certificate-authority-data: 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 5 | server: https://127.0.0.1:16443 6 | name: default 7 | contexts: 8 | - 
context: 9 | cluster: default 10 | user: default 11 | name: default 12 | current-context: default 13 | kind: Config 14 | preferences: {} 15 | users: 16 | - name: default 17 | user: 18 | client-certificate-data: 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 19 | client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURPTG9GLzF1SVVZWmViUmlBekZEK1JQYXZpa1lHSVNvazJSWjJONGtKQWxvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFYTJPT2w0UVQxZEdSZTFBNmdxZkYyL2pyZGsybXBGN1BCODJYSk9CekUrSGhPMFlrak40cQpwaUlxUUZOSGpFdWFLLzNieTBDZGtEVWhSWmNuMGZGdXd3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= 20 | -------------------------------------------------------------------------------- /kubecfg2.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | clusters: 3 | - cluster: 4 | certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkakNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUyTmpnM05qVTFNamt3SGhjTk1qSXhNVEU0TURrMU9EUTVXaGNOTXpJeE1URTFNRGsxT0RRNQpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUyTmpnM05qVTFNamt3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFRcDFrZEdiRkRDYXhFbGpKZ3ErR0hPaTdZZW9hMzZ2dW5ITWF2RzFZZXMKL3Jma0kvUXJnK1dIenZicDMreHF4SVBucVk5dXNKZDdFMnFVKzFHMHY1UWZvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVUJVV3ZQejVjbzlnNEpPREtnYmQxCmlmM3AyK3d3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnUHd6eFEyZThsemdSSFNJZ29DNnVzZUZsRVdNL0VRMmIKMGZyYnA2Z3Y3bUlDSUM0aE9zTFFUaExZYU9Za1N6RS9MWEFYM3dvYTBzV3czRkEyUzZOSEx6QkgKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= 5 | server: https://127.0.0.1:26443 6 | name: default 7 | contexts: 8 | - context: 9 | cluster: default 10 | user: default 11 | name: default 12 | current-context: default 13 | kind: Config 14 | preferences: {} 15 | users: 16 | - name: default 17 | user: 18 | client-certificate-data: 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 19 | client-key-data: 
LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUp3bnRFSUkrUUcrVFgxZ2hYbUx1UlJKcStHYTI4c2dyenMzUHFIcmdBeXRvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFT205TlVmeDkwOFFLNHc4UVlnaURxZXI0WEtkZmZRV0JxRjNuR093UzZjL1NZSDZzdldvMApyd1U5Umkwd1dvWjRGOFR5TWpYV010Ujh4Tk1MK0k4NVl3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= 20 | -------------------------------------------------------------------------------- /local-setup.md: -------------------------------------------------------------------------------- 1 | # Local Setup 2 | 3 | We have provided a full `docker-compose` environment containing two kubernetes clusters (based on [Rancher K3s](https://docs.k3s.io)) and a vault instance. In order to spin up this local demo environment, issue the following commands. 4 | 5 | ```console 6 | docker-compose up -d 7 | ``` 8 | ``` 9 | [+] Running 8/8 10 | 11 | ⠿ Network demo Created 12 | ⠿ Volume "k3s-server-1" Created 13 | ⠿ Volume "k3s-server-2" Created 14 | ⠿ Container k3s-server-2 Started 15 | ⠿ Container k3s-server-1 Started 16 | ⠿ Container vault Started 17 | ⠿ Container k3s-agent-1a Started 18 | ⠿ Container k3s-agent-2a Started 19 | ``` 20 | 21 | Check the cluster status by using the corresponding `kubecfg1.yml` and `kubecfg2.yml` files. These files are created during the bootstrap process of the k3s servers and mounted into the present working directory. Verify if the nodes and pods are correctly started. 
22 | 23 | ```console 24 | kubectl --kubeconfig kubecfg1.yml get nodes -A 25 | kubectl --kubeconfig kubecfg1.yml get pods -A 26 | 27 | kubectl --kubeconfig kubecfg2.yml get nodes -A 28 | kubectl --kubeconfig kubecfg2.yml get pods -A 29 | ``` 30 | 31 | ```console 32 | NAME STATUS ROLES AGE VERSION 33 | 100fbe327353 Ready control-plane,master 21s v1.24.7+k3s1 34 | d3401f675eaf Ready 18s v1.24.7+k3s1 35 | 36 | NAMESPACE NAME READY STATUS RESTARTS AGE 37 | kube-system local-path-provisioner-7b7dc8d6f5-92wnv 1/1 Running 0 12s 38 | kube-system coredns-b96499967-flvwc 1/1 Running 0 12s 39 | ``` 40 | 41 | Store the vault and kubernetes API server endpoints in shell environment variables for further use. 42 | 43 | ```console 44 | export VAULT_SERVER=http://`docker inspect --format "{{ .NetworkSettings.Networks.demo.IPAddress }}" vault`:8200 45 | export K8S_API_SERVER_1=https://`docker inspect --format "{{ .NetworkSettings.Networks.demo.IPAddress }}" k3s-server-1`:16443 46 | export K8S_API_SERVER_2=https://`docker inspect --format "{{ .NetworkSettings.Networks.demo.IPAddress }}" k3s-server-2`:26443 47 | 48 | echo "VAULT_SERVER=$VAULT_SERVER" 49 | echo "K8S_API_SERVER_1=$K8S_API_SERVER_1" 50 | echo "K8S_API_SERVER_2=$K8S_API_SERVER_2" 51 | ``` 52 | 53 | ``` 54 | VAULT_SERVER=http://172.18.0.4:8200 55 | K8S_API_SERVER_1=https://172.18.0.2:16443 56 | K8S_API_SERVER_2=https://172.18.0.3:26443 57 | ``` 58 | 59 | > **NOTE:** The root token to login to the vault UI is hard-coded to `root` within `docker-compose.yml`, and `VAULT_SERVER` is a plain `http://` endpoint with no TLS, so anything sent to or fetched from Vault over this address (and, if the istiod Vault agent uses the same address, the intermediate CA private keys it retrieves) travels unencrypted across the `demo` Docker network. This is acceptable only for a throwaway local environment. The same goes for the credentials committed in this repository: `certs/root-key.pem`, `certs/istiod-cluster*/ca-key.pem`, the `client-key-data` in `kubecfg*.yml` and the service-account tokens in `output/istiod*.jwt` are all private material; treat them as already public and regenerate everything before reusing any of it outside `docker-compose`. 60 | 61 | 62 | 
63 | 64 | ## Cleanup 65 | 66 | In order to bring down the demo environment, including the named volumes. 67 | 68 | ```console 69 | docker-compose down -v 70 | ``` 71 | ``` 72 | [+] Running 8/8 73 | ⠿ Container k3s-agent-1a Removed 74 | ⠿ Container k3s-agent-2a Removed 75 | ⠿ Container vault Removed 76 | ⠿ Container k3s-server-1 Removed 77 | ⠿ Container k3s-server-2 Removed 78 | ⠿ Volume k3s-server-1 Removed 79 | ⠿ Volume k3s-server-2 Removed 80 | ⠿ Network demo Removed 81 | ``` 82 | -------------------------------------------------------------------------------- /certs/root-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIJKgIBAAKCAgEA0s3ilFWGnfaxMTYrP7n4cLUB3fT/EhLqvQwTSQcX6NsEbekM 3 | grCyHpAox9BiDy6d1Fo9N4vSQ2rjxV1rzK0E1cjBvbIxJob1JSBgHusPuHy75Yy0 4 | pi0Hlk1YEFMYg5O2zNjgt/nvrMThqCgzBOXafvaHe2LhDpnOVpzRd7BahJH9hPig 5 | dRUIPz6copQSUp2C1xmrG9zliRNNxDo/pgvL2opytLuscPNX3K5Q7gR3od5ngfLn 6 | e6L2PmQD6oUVlGOHc9wrhlzeT1gh2lEgza8yjH7B53pvF5xvuVrODoPW2r5Sl3+0 7 | ryZaS65+mNVwt5HRYlqBuCn9awGAAogUx9uByCBqy5RlzAbRJDDv0Y7FeJEiapHU 8 | pHq8r1Z2WiOZxl8sbzXVM5pjN6qm0utmkANOtgdRriDOPQwe8ZmuS7ntakcQaKTi 9 | VRps3DSg6Wffh4opEXkv35dAOmfkpN7G5dlT+v1m6Wey7rkmZJMwG7Pj4LJpELto 10 | RiJP/wMPMQUqiTeSvZUAawXyn5MlXTyu1pFDRvyopxDJloEPSx8103Xic7w92lem 11 | c9QQVVoGhZ8u8RGyIPPuOmOfKCD366rbJnfbUr/jpMiYw7wK1YuBKxu9gK4omNcy 12 | tTHpi0nJxilkJsAk+mNX6B95xaiXJ0n1M4AoeTgumO3lqNw9VEFhjZb5JMECAwEA 13 | AQKCAgEAlKaGbl9ZDC8XiEJQgSGc5a1eYawP6ijYyvKm7spHu/Yly3OZVNdQ42h4 14 | uV5ip54RwdrYbED2xn+rmlNkXvJrBG4K4L+1FRv55nJMFcFgVpHu1dJA2SXLwdtM 15 | jEZsdOxG7XDKFjHzJvu2vKOMRpnnV7x0kTeKyIcBD+aJd0MusWlZQtkoHSf1ptN6 16 | FNMhkIxt5Uy+cml0mxK3tfX1SBvtZnBWrsfgs82FWaK6gv03dzej+ejV/0NNLXXN 17 | pSSvsPH2ZGcPcjIuufjF9nNbFG/Ez3nbNmYJzLaNukEkKOwjKCEpkJeHTDNZXSDx 18 | OMjaMThsVFTKQJmrkDeAk0hujvhlLPiNKTA76JgJ16aW51o531SimF3FLIPIu1ry 19 | w3ZKD2Qeh3tBkxLoFlvkiCykFaocafm3ZzlcgA/TlLs1N82aoJSETVJEjYF4wV5k 20 | 
xrHket5dL0DHTGzf6tp47d4E3FAxYJ0UCXLG6o11KTDWbJE7oJ0aquiZaJiQ3W3a 21 | U+yG1oZj+Ag7avaZl1Vbv3TIHwJOlZKxEp2zF4VQbNAmxISuPusal1T7djbKmA4n 22 | psotbolh2FaP7Twb3GYNM6iqQ6dlykcKAw4vPAlwboYhzTQXe4Z9Y+d1SfQ5xmAv 23 | Sol1JRUV7ol3xMX9WDj9I3XWK+OA0Ph5flec/fqHLjWxnQbGEPkCggEBAPBcHBGu 24 | e0DpzuB+8Wj1umU3PEgMGcLH9YyQWS1NTQTNa5EQxhCCgxSlTDm0mnQ+Qq2cTtOn 25 | sdoSMmEJDghPcG8NGNesHS0AuDciaAhojUK2zzopGv7FhnNMbe3/BlqnZI61hwoZ 26 | mSCUZQRacaLNyJGH7vQFdtYqHUS1LHBBxSmR6syRfgKVTuGqCONExLg6cnaHbW7s 27 | isANA3/EQUsqkYYDWMAAciLz1HGhnVc/5m2VptI8AxT3RBGEvfTkHjXd07MWqFnw 28 | qe0vl41SOTcbUpt4pnz0dX9X4LGMcpQ6ChuFQsaMkoz0qdbphmbst0vxTSpSQDEy 29 | nwaw8oCL1cK0H0MCggEBAOCFcRLE08JVdY0pSLnoSPnosY9cgo8oFMgJWq8p7oto 30 | ImZaojolyVCO+yj4FkBnV4T/RjyW0gg6nEj/ihmzb0u/zxV4Epo9msWRLag2nbt/ 31 | WFZ0isNJSBEoPQSCG34FsNHeGIJbUYRR1jj8hXPxM89/cwNrteee/w3pF4tEMbIZ 32 | 3tMYII1TsCH4ieQAp7tVkDF+mhSyo+XskH8g+riwqZSDPJtBey58mODctZLnRXRT 33 | azpvEWf54giMy2iUTnSc3jO4IpNnWsKF4/we813/vkxWN2+QPGM8C5zfVEPyZ3rO 34 | eOXveOd+kil1uMz/z9n2g1ZsxxOmdH5LsCdcImJDAasCggEBAIjOhJNz0meSLNQO 35 | rO1m3974X3FKoecB1TtadceZNftDyLPa7kE7Z8x6gTZfG4KKZX1XeG50BoDu1onw 36 | k3IbdQ1gUQGAz2JsBG4tQTV3/N86Gh0qhFj6qJo7qF5MR5uVp2Cq5d/TzhqDHDQs 37 | Hn3hzwU2b8Wozoj7k4kl7dM/PC97BD/HmAd0YF+FXmWtIKMTcU8RqjH2pMrHHXS9 38 | icR0yDuU8BDosA5A5mx+5oVgs5EwGrGSwtZOHwoxmcUniiJyzioi/VOj7bQ44HPp 39 | lvNMs+oV8/0vTylaJWQpYpYHqvUbFnTYUhm0sG7IoF044uNwxtEN28ek3mr6kCym 40 | atbVmu0CggEBAIkAJA0l2Wk9qGsog94c5VrJKH+oHWqpNHUTcChuV8btFgCK0W7V 41 | 28+yT4OiTkGiTX80HXGfPi4TRYYtl+Ey4njAY+ZfzEodyTFA8zEvknP0sryehIXB 42 | U55UhVcY5Rmy80A8W4w/mLA7F5LSU8R5q/mzdUTjFq5tEIk2cE1koUZiDtuUX1id 43 | dl5kQA/GbpMbFM9+xxpWHziPb2SDhTnpYrDim7rI7BdjpA2h35HyWSkwNcAEQgTG 44 | L6yz7PK1fGIfzl6Uv1Revrzv4jvXzvzOrxn5if4jbxXGb/ebNtn3Mjl3f8IerBHl 45 | 4940nT1J41TG3UGBQsC002S1XpnF2J1I8d0CggEAMc/qyK6s3yHJHllbsq3SweZE 46 | 0+HBMqTo5v2Y2BZvXPdrmUsXFr93kWCihDZYvWU2BVLBXunWYpse1oXSAPJy0wYy 47 | H+F8fFvcPWsdnFamvqPOW+Kva9EvmsrdPqAikXfCRxDpW8JThDHMMUNpKmBge4hA 48 | 
8RJoODOzSpwzCeQBTjsq333RivjRYxLzE6sboC6BATlafPhyzOVaKwXL+VLQG/av 49 | KS0Qvumrt5UXQAmV53PqQayEco+pY6QMjFBL6JyN1A0m/R49Lh6ftN7LUYTkQKP+ 50 | 1zvOEpglfd/sKUwPlw/LM8z3A7aF56EK6nHirwpHCpsIbhjk59b59gmXaKDVfg== 51 | -----END RSA PRIVATE KEY----- 52 | -------------------------------------------------------------------------------- /certs/istiod-cluster2/ca-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIJKQIBAAKCAgEAoksdEGIeBIV3AQfT1A0excQIsiRLQNLhX9cV++huXdgjjwtg 3 | 85zHnObdHX9Zpd/98bwU/snM5rXSXP1xsrq1G/J5/lk/HRIfwRysyoAaPTvdysVv 4 | X+ogL/t75gbVzVqlELplc3cJZXgR6vlscKd65GHAamvx6KC3CFnkwYsNkW63cxG3 5 | Q8IznEe2SarHZ2Ru7KMcMghJldSTl32AOMxUR0Np9wBIGo1xNn/SG61qSsfYPQux 6 | iKWW5pZnnbbH89QHSAkoPeipRLdmVDYk/aj8kH/znqg3R0M9qgVRz/CQaLSom4nI 7 | /m48MGrArm8uKVoB2EdGDFapRn/XgTgblHaEsxJUxSIGaUIIGYh7lo7JpxUT9W3g 8 | L35du3gugEhp89OHmwPc0RQ4oWGRL8voJFFaKZDJ8uOjuGCRE37aO6GfMkeEYbde 9 | RZvtNzCxLlJGmgio48Ss9xVCGh7CoqkjxGWQpeiC5jgL1I+YTpk5UOYJ1wmMfQ4i 10 | F/WUQHyOwjzkluGSJJQLaL0XnyTq5qzoxRYYj7X5TEO1/A+L6pCcXwYMKnefYn1y 11 | jasKGVWcy4aS4ZbSM3Vor7KbQ4IeXLomq4zPxa+Qn/4XH162544QeauJcTaRbuHy 12 | tRZ7JNIKiXSF6EqDIhWXC4j5mtp4Ve9xTZrlj+BPFn0MUnpZ9HkifYF9xnsCAwEA 13 | AQKCAgAr/XgvTKkeSJ7tJJYCUFwa9vv0bWoIdCCqvb4zvdjMjx10VH0/CywAF4Ov 14 | zykZkRFgSL7YIRLtJjOTCQ+choc4wAzZKI+27Ya17XPYn8h8+JExuTprIScAWoZG 15 | 32tscjlzw1JkbcuaOWWB74G5N2xUIzroncHAcG+sT9F1tJ9E4GHRSugF8cnTfoym 16 | gyfxmoOGmN+3oA9yEWDAG0B6JMhjWJ6MWQMyT0x0nUjyP5skEe9G/LhudZPlhLcp 17 | RLYGHV6r4++IeFwJSDzwboywRPHQqR37z1TMeClqwG5gkrBR8UYSgtJ8RJ0D8quv 18 | nGtCwibl3Mvb5FGVzmk3mWHAaC+ne6ViVaATKAO1UXPvzQOfEz0HuOl+cOOzWPhW 19 | dmlGKCPHd1wXb3d8NDWp21iA3jzPYP1s/rbW2b5IKXsWO/vKiLDryjAdlxCqD1dt 20 | zFztjeWbUlPY+Kxr4aUM0BbuiWjd/hiydL66HVdipTWcz8ogiA2xAksms7m0qS+o 21 | rox71kPWsaDsZjt16kiClVv+AkCLSHTewLcw9pWDP0UmNg5jW91aSpKt9Jq2QGBM 22 | znc2uQCZVSGNC6SOiskbTl9dNZV41bRhg/4uwfuh7wIzCCZVCldFy/SuYgTM8f+V 23 | 
cVNgwKciWXehhLVHeZ2Ha9AxfAVilU7QbzphB3oJMQZVurcyYQKCAQEA1EG1oxqk 24 | uZVfYY6uwTpDfjgMu4r4hoJQIu7yRwtaqCs9gEMZltsLhI8txCYsHKEXyPo/cwgN 25 | lHcjpnyRNbG5wl2MfJ24I282wuNRZ8HwVFwrW8gexNR3bX/r4ts9/bBZkZ1EQS01 26 | iq9EoIPyzvATs4yiYz3eIDzgV73f7Df43e8+/IhL9wS5Ap4M63uV+TZXiKBgwXTe 27 | n0bnKgRAwdtoLArqf/Nlv6tkVMw+NUarT6/it7/VXuqyiPx06i1ip/JdNN+aR8mI 28 | qlSZcceg0h1DjtskyUNKNUP6RDH+6VajBKuQxGx9CaSNQtOOLSSk5uiBQuhaLZ69 29 | f3eOeA0vs51JNQKCAQEAw71t/VvRVC5IoglOZZPTjTsYZf5pQfURVwovFSU70oCh 30 | JMgF1c7cp8ZfoXZHbYlQ/aPOAxXoswJys7b2H1inUhYb6iqQeuF67HxWQtkkcl3D 31 | /00E3bH+fZj4/eoB7vI7+7jVtV5DTjZ0uIvVkUPWydVMDgm8/b6N0Hoo1yR72VRt 32 | ujhCqI/QFq29IwoaGQrWOXNVJg1w8KqOizFfwx2K+0VKn/upK0nMa4krvjAt+VLR 33 | jUEPoYtpYXlwCMXfKPZVWmSYwh/k+9Q2UqQ9+1sKbK3t0YQXt5uZIkX1diHsuuuG 34 | 7q47T61rdC1/oEtuBIjO0i8GlbbJd7LU+9gpL0h27wKCAQBE1tbZAkAgbGCV3Fez 35 | FXlkSztd69F0lnj1C3gKMJWDaxq0KY74DSysHl+ieRrfYiO7q+W+IgN9fjJSwZ26 36 | w1xSvFJe7CwXWe9xv5XcR9rxET+CseHAxoPBQLa5SY/OYk56Wn4TgV0XEIb6ZDDw 37 | io5pMhhMhXkwDW5ZJpykGPcey4QrFO1GPQLf5XCdQuS+AbDb/9/BfmzhTXaVevGh 38 | rc4YUqYBP2hlhGmy0tbuInBXFN076PyDnyyuHuqwNG4FuCYgitCXrbYkP/HQJAV1 39 | f8Y0Y8CHgcpkghp92ZUqCk4uqpH2EpVu9i5WWRSIcZUFyqx5jbAJka011Qmgx+4L 40 | m9xtAoIBAQCunvXayujKMqg1dhvsXp6iJhA0HW0FnH2lqr4qHRdrSbl4uMEL5wnO 41 | 2xhBUOWUAKayQEnvUsJPwGVXkmeru0k53+NzWhmepj0lcB78b/8l0CSkQ6+Nn9cr 42 | cSbgTrz+0DdW76QnszpUMhya7pTOjTi2woShGWry6+ZUEEcS98dNMRbaxIojGnlH 43 | YiOTeNWjdZl7kzppQiB5c47K+nc198sfMsfKRZa7uZCWdr8BYrYA8TNk0qABO//9 44 | J3sdOHlHb8rhY1EsDYwYZU85FrD85lE8d0XsXe1SrYtFmifLBaTNdIThtanQASQV 45 | dumetOwnO21W8QDs2y6MjIuZSVQkjH8dAoIBAQDHlk/9GQzJFbOcUc6auW5zy13V 46 | iC5ATsaK4p3TzVvSADGHpXpbW9wIcbgVJ9/I6onp998rSaToNrFEaqy9SxgoAfy7 47 | JwNh7dbCYcSnshZayXHOMla91/N5KISKPbSJ1WJtNLFsvviir0Nzch6CMGEHhHyh 48 | bF/2UgNIqDZQIIYjbQnNLzs/27kBFWtRZDJ4muSIYlgmrVGbiADr0rsuU8xQOHA+ 49 | 3HysdxPrNd5ozKz2VYbnIMSdeH4XaTJXaJnnRCUI1pIgvWdS40VL+u21c81u7Wfx 50 | F9RULHS3/OJUs5bEJnFdINNXDc6qlVlDo20gj34pkQFUpbK/ZXLncC8lLNUA 51 | -----END RSA PRIVATE KEY----- 52 | 
-------------------------------------------------------------------------------- /certs/istiod-cluster1/ca-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIJKwIBAAKCAgEA0de2Lr+DhI0HlEcl6uDrJonpUttReh57ntNNLA4AH+7lb6Le 3 | xQtw+byDQwlv4zId8yJ3nN5VntX5RLAlCAyOR1EPIkCYt2vnsK2lrp2PzJdETwji 4 | sDrBFmQHL3pl9iEU9fNru5+3ViPQEtCjyQsWEiuJHO5+ZWsRz7AeuN4Ih4k41hah 5 | DRw9kNJTHngxxRoGAffsYQbuj6e8GLH0sBWp+D7SN7UBcoVFQr/Ui0fa66V+4ASG 6 | PVvijgTw0jRL1t7e0VguGX491M0gUUXf1TWfPqezct2bQTAb8+gwe2zfYpXVrcGE 7 | MSZmk7oBs+AJQlsq61eorKSX8FeOp+/Rz6/FN77bV51fqZ/tQiF4jJ7ph2lTz6up 8 | X/nO47N+QRsMRapEHsXReY0W3VS/WthbKhkNXvQw5MrZ4xg6QSVgRA4asU23ZJ1K 9 | uUKgT2XsA/hL5L13kg8aa64y9azKSc2VHQe/N87MIhvzE1UD+Vn4928p9Oebq6+E 10 | iKBoAiUUG4OgssGOrL1YxU6X03yVwCFBAJdCfx+wjOE55MZonXxafbL28yYNPEjW 11 | YiQZNrWuDnePCb5kS1XIoG7DZ7ta+WNutE+59pIyG6ECPZ7xJLYBquTa86hyKz59 12 | VdYVqAUYj+TYF81U3MWJCf1LSWEbe2Gg2Giy3dgaOCwifwXsFHn9WcSGPQkCAwEA 13 | AQKCAgEAwDdYKnpDfqewyaJimURuIl8x2zQK7lH96v6jMjeg5Z9vi1MlvFk+o4SK 14 | uF1soDDIPm7UIl2HEHfwXXr8cOMPcURPGJETUvEEylJF8i1iC4aEi+EXxVYMiPYX 15 | nuX/f/XNvX28saEbz0v+zT1QylfdX8eBUX8lSMFLD3PEsJKyPXT1GyafX+L+giom 16 | +UIgVOwBlMwFOtueqvh61CQufx1ZFIx3A5BKQxzQ1NPjXbH0VubB0XJThOEmJfFg 17 | pyxATBLbB+g+UhvRh5xefhQDdMoplLsJJa7ZCF2JPWLzBhw0g5m8oe0hqeQDEk7Q 18 | QHR4BtB8ABfL6lja1M1fX3XOOvBHNaB3Si5NVWVpYbuvni26NJ2YhytdINUDdfmd 19 | vsMB6PE3LJI2R66tWqlbH25bTf906FBJHAS19QDYqI3IW1j13ePrUZJy+pJL/olr 20 | acfm9LvnO/ToLebnhJllJzqD/Tt+j+LPwMd2/j5ZvTlJuU/OPDc2kU2yEMuCWzza 21 | pMeXb/8yiy8Hn7triw/t303pZDyP0DyKPn2i1bH1kyi4191emiamyHKgPc++Cxt8 22 | erSJC7tnwQqdsbz8DOhmsDLdLLbQuHVwN2oZDGuRoov70UTI97oHE8FIWSHy3m43 23 | 9VRffnBrtn3uQFyzpa2emhYzHLckAu1d5iyM5mIENX9J386yKgECggEBAOqvqsFc 24 | 7Gslv2PIqu5DzqEZZXYyHwAv9XOwrAEos9orxlfjE4ZA3yc9Txy03OgP8L96CTUG 25 | A6EF8Out6vQbg80oPvnXbZiTZFNf9v9DDvNn/UrnMGF8xtWlB4P2pZlKhS2dlApB 26 | Sper1LgxW2jYJbBJaCyvHtCRLYuXfr+xlzqwjgx4C8W79LjJ5bxnuu+dEvCMEQz3 27 | 
RxM5Eozwd7PghuMexM6SFC7Bqezjszfk1j6LlKppbEC3OqrKJgCXZbOh5R818Ga7
nxo1iWkwB4+N1CEbB0SsWTeRaKsRIslvZ23gBcH0/9cf3fDPk51HV8vWqLhRB4Ua
oI0xk5dSphH1bZMCggEBAOTmcb+G0S+ZW0hByLqkNfORDAjTLRxmY54mUHVQjPSH
kfnKiRNv4WyYqSsGHMUseetcVPnpu8CP1pyO90Dzeyy7rZANtqB4YJwxftXBnfb5
PH4tn/F28+Kz/nfU0CIOTceHYB6OjY+qCc32m+pzDfb34/hywj+nuQmzU3n9D/e1
ruxLX7sHPKtDdsuz8OMxpkN/qRm2hmm4zNpZGY1R9LMZHU4nKxe/axsuJqOJuPBX
6PHtaUkk+DxJNyqP8KO/Ks33nGCwAdeSm7g4Z4+YMPucIXvhP9mwdYWZ1U9ytPHV
1XjHFUrKy6NQgxta7DyEFEytiqv/mcSxH7XpEXpEbHMCggEBALdrxmRMEQcJQJVn
X5jK7DLi23bOY4ZM9WSPH0/klPSeI+3KrxbNmttbQnqoLMM+uiWc5pdHdQyjzREW
I7zXyGJO4zF3mtOV1uKG7U/CBGxeyQuCt0BqOij+S2prGjA9mur07qA5OWhjRuUS
xmOiE4q9RKsvz0CpRtSD+e8uiIi5NrwuEt1fMjw+p8xhsivWMthIUIc2uJkgkQwQ
YS33/NSD1sOwTg/hEsLvj8HOm1fU1cN+k7ncuwCC78KkkTsc/CsxiAty9j2QvC22
+SHMco/RRRP6M9yHTCvvP6X56PdqEHXv2wkygc7VHYTeHpNU2Rb9VYhFMFhJ+BVb
5inBDPsCggEBAKbghn8OZ8Ve9ZipNRE1FIw869wnMRUqZGfxIOlWT10a1UaZ7PN5
tou4hGR0cVcihMQdLWqBh7rsYpcC96mnmN5U+UUzajh1amGVCBYIsQRUUlDfLGMa
yNU3SkbMpOyfJv9XZ7D/Vp8tZTZ+Gs+DD+REdzQzXgCQY6t5zFr8Lr71+tAUZ3dv
4EAv0BTUW8MW+FLvaDXxxu6epuJs4N8Rp+dGYQIQNi97AzfunobNqkG2pYJzBjYo
OL2i1xA1nkeS4D8GzUAEMWObY+GbZYzfdJ6LBjJNVoJ7TkKXk1b3lolUzuvdoF1F
mc63rM2trNq1pCL+xkF89/rY8vhpMa/E4JcCggEBAMxLBkgUOAb007szuFyl6r5S
mSdLUUiqJZJILjzmVL6WZARAgPGZQiAUd5a95wnBTxgnm5b4rTD8q8l0cSotUS8W
Yd8PewxAH9p+9cjEwq4ddHpxns68h+6vftaTb00ZF645l1EGng3Tkmd9sS1Z5XqK
XMMrSkeIzEuI9BUR8hPTxBXlVKMjSe4iwC9VcS8Pxl454nmDfGiJmH6xIGupmntI
3RERF+EsxAyVy902ij0whq66wAHNWPMbgpPKDvOINTN91vIah/QNxPhXhBpbfXDe
hBns6fArR5xeuwR5bvuSgkdvUc5P6N2DvSK8dpFHcdWNleaZbv4q+V0dwoWSANM=
-----END RSA PRIVATE KEY-----
-------------------------------------------------------------------------------- /docker-compose.yml: --------------------------------------------------------------------------------
# Local demo environment: one dev-mode Vault plus two single-node k3s clusters
# (server + agent each) on the shared "demo" network. Everything here is
# demo-only: the join tokens and the Vault root token are fixed in this file,
# the k3s containers are privileged, and the generated kubeconfigs land in the
# repository directory.
version: '3.7'

services:
  vault:
    image: vault:1.11.5
    container_name: vault
    cap_add:
      - IPC_LOCK
    # env_file:
    #   - .env
    environment:
      # Plain-HTTP listener (no TLS), as expected for a dev server.
      VAULT_ADDR: http://0.0.0.0:8200
      # Fixed dev-server root token (also documented in the README); anyone who
      # can reach the published port 8200 has full access to this Vault.
      VAULT_DEV_ROOT_TOKEN_ID: root
      VAULT_LOCAL_CONFIG: '{ "ui": true }'
      VAULT_LOG_LEVEL: debug
    volumes:
      # This is just so that we can mount the actual PEM encoded certs/keys
      # (the ca-key.pem / root-key.pem private keys in ./certs are mounted too).
      - ./certs:/certs
    ports:
      - 8200:8200 # Vault Admin UI, published on the host
    networks:
      - demo

  k3s-server-1:
    image: "rancher/k3s:v1.24.7-k3s1" # https://hub.docker.com/r/rancher/k3s/tags
    container_name: k3s-server-1
    command: server --https-listen-port 16443 --disable traefik --disable metrics-server
    tmpfs:
      - /run
      - /var/run
    ulimits:
      nproc: 65535
      nofile:
        soft: 65535
        hard: 65535
    # Needed to run k3s inside Docker; the container is effectively unconfined
    # with respect to the host, so run this on a disposable machine.
    privileged: true
    restart: always
    environment:
      # Cluster join token, hard-coded and shared with k3s-agent-1a below.
      - K3S_TOKEN=0123456789
      # Written into the bind-mounted repository directory (see volumes).
      - K3S_KUBECONFIG_OUTPUT=/output/kubecfg1.yml
      # Mode 0666: kubecfg1.yml (the cluster credentials) is created
      # world-readable and world-writable on the host.
      - K3S_KUBECONFIG_MODE=666
    volumes:
      # Persistent k3s state; removed by 'docker-compose down -v' (see README).
      - k3s-server-1:/var/lib/rancher/k3s
      # This is just so that we get the kubecfg1.yml file out
      # (the whole repository directory is mounted read-write).
      - .:/output
    ports:
      - 16443:16443 # Kubernetes API Server, published on the host
    networks:
      - demo

  k3s-agent-1a:
    image: "rancher/k3s:v1.24.7-k3s1"
    container_name: k3s-agent-1a
    tmpfs:
      - /run
      - /var/run
    ulimits:
      nproc: 65535
      nofile:
        soft: 65535
        hard: 65535
    privileged: true
    restart: always
    environment:
      - K3S_URL=https://k3s-server-1:16443
      - K3S_TOKEN=0123456789 # must match k3s-server-1
    networks:
      - demo
    depends_on:
      - k3s-server-1

  k3s-server-2:
    image: "rancher/k3s:v1.24.7-k3s1" # https://hub.docker.com/r/rancher/k3s/tags
    container_name: k3s-server-2
    command: server --https-listen-port 26443 --disable traefik --disable metrics-server
    tmpfs:
      - /run
      - /var/run
    ulimits:
      nproc: 65535
      nofile:
        soft: 65535
        hard: 65535
    privileged: true
    restart: always
    environment:
      # Cluster join token, hard-coded and shared with k3s-agent-2a below.
      - K3S_TOKEN=9876543210
      - K3S_KUBECONFIG_OUTPUT=/output/kubecfg2.yml
      # Mode 0666: kubecfg2.yml (the cluster credentials) is created
      # world-readable and world-writable on the host.
      - K3S_KUBECONFIG_MODE=666
    volumes:
      - k3s-server-2:/var/lib/rancher/k3s
      # This is just so that we get the kubecfg2.yml file out
      # (the whole repository directory is mounted read-write).
      - .:/output
    ports:
      - 26443:26443 # Kubernetes API Server, published on the host
    networks:
      - demo

  k3s-agent-2a:
    image: "rancher/k3s:v1.24.7-k3s1"
    container_name: k3s-agent-2a
    tmpfs:
      - /run
      - /var/run
    ulimits:
      nproc: 65535
      nofile:
        soft: 65535
        hard: 65535
    privileged: true
    restart: always
    environment:
      - K3S_URL=https://k3s-server-2:26443
      - K3S_TOKEN=9876543210 # must match k3s-server-2
    networks:
      - demo
    depends_on:
      - k3s-server-2

volumes:
  k3s-server-1:
    name: k3s-server-1
  k3s-server-2:
    name: k3s-server-2

networks:
  demo:
    name: demo
-------------------------------------------------------------------------------- /certs-gen/Makefile.selfsigned.mk: --------------------------------------------------------------------------------
.SUFFIXES: .csr .pem .conf
.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem
.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem
.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf

.DEFAULT_GOAL := help

SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST)))

include $(SELF_DIR)common.mk

#------------------------------------------------------------------------
##help: print this help message
.PHONY: help

help:
	@fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//'

#------------------------------------------------------------------------
##root-ca: generate root CA files (key and certificate) in current directory.
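.PHONY: root-ca

# Self-signed root CA: private key, CSR and certificate in the current
# directory. root-ca.conf is generated by common.mk.
root-ca: root-key.pem root-cert.pem

root-cert.pem: root-cert.csr root-key.pem
	@echo "generating $@"
	@openssl x509 -req -days $(ROOTCA_DAYS) -signkey root-key.pem \
		-extensions req_ext -extfile root-ca.conf \
		-in $< -out $@

root-cert.csr: root-key.pem root-ca.conf
	@echo "generating $@"
	@openssl req -new -key $< -config root-ca.conf -out $@

# Key size comes from ROOTCA_KEYSZ (common.mk, default 4096) so that the key
# and the default_bits written into root-ca.conf cannot drift apart.
root-key.pem:
	@echo "generating $@"
	@openssl genrsa -out $@ $(ROOTCA_KEYSZ)
#------------------------------------------------------------------------
##<name>-cacerts: generate self signed intermediate certificates for <name> and store them under <name> directory.
.PHONY: %-cacerts

%-cacerts: %/cert-chain.pem
	@echo "done"

# cert-chain.pem is the intermediate certificate followed by the root
# certificate; the root certificate is also copied next to it so that the
# <name> directory is self-contained.
%/cert-chain.pem: %/ca-cert.pem root-cert.pem
	@echo "generating $@"
	@cat $^ > $@
	@echo "Intermediate inputs stored in $(dir $<)"
	@cp root-cert.pem $(dir $<)

# Sign the intermediate CSR with the root key, applying the req_ext section
# of <name>/intermediate.conf (CA:true, pathlen:0, keyCertSign; see common.mk).
%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem
	@echo "generating $@"
	@openssl x509 -req -days $(INTERMEDIATE_DAYS) \
		-CA root-cert.pem -CAkey root-key.pem -CAcreateserial \
		-extensions req_ext -extfile $(dir $<)/intermediate.conf \
		-in $< -out $@

%/cluster-ca.csr: L=$(dir $@)
%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
	@echo "generating $@"
	@openssl req -new -config $(L)/intermediate.conf -key $< -out $@

# Key size comes from INTERMEDIATE_KEYSZ (common.mk), matching the
# default_bits written into intermediate.conf.
%/ca-key.pem:
	@echo "generating $@"
	@mkdir -p $(dir $@)
	@openssl genrsa -out $@ $(INTERMEDIATE_KEYSZ)

#------------------------------------------------------------------------
##<namespace>-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace `<namespace>` using serviceAccount `$SERVICE_ACCOUNT` using self signed root certs.
.PHONY: %-certs

%-certs: %/ca-cert.pem %/workload-cert-chain.pem root-cert.pem
	@echo "done"

%/workload-cert-chain.pem: %/workload-cert.pem %/ca-cert.pem root-cert.pem
	@echo "generating $@"
	@cat $^ > $@
	@echo "Intermediate and workload certs stored in $(dir $<)"
	@cp root-cert.pem $(dir $@)/root-cert.pem

# The workload certificate is signed by the intermediate CA in the same
# directory, so that intermediate is a real prerequisite here rather than
# only being ordered first by the %-certs target.
%/workload-cert.pem: %/workload.csr %/ca-cert.pem
	@echo "generating $@"
	@openssl x509 -req -days $(WORKLOAD_DAYS) \
		-CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial \
		-extensions req_ext -extfile $(dir $<)/workload.conf \
		-in $< -out $@

%/workload.csr: L=$(dir $@)
%/workload.csr: %/key.pem %/workload.conf
	@echo "generating $@"
	@openssl req -new -config $(L)/workload.conf -key $< -out $@

# INTERMEDIATE_KEYSZ is also what common.mk writes as default_bits into
# workload.conf; there is no separate workload key-size variable.
%/key.pem:
	@echo "generating $@"
	@mkdir -p $(dir $@)
	@openssl genrsa -out $@ $(INTERMEDIATE_KEYSZ)

-------------------------------------------------------------------------------- /certs/README.md: --------------------------------------------------------------------------------
# Istio Certificate details

Root Certificate.

```console
openssl x509 -in root-cert.pem -text
```

```
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
42:67:4a:6d:22:54:a7:28:31:64:ca:58:2e:99:cd:66:3e:6d:e4:de
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Istio, CN = Root CA
Validity
Not Before: Nov 17 13:00:39 2022 GMT
Not After : Nov 14 13:00:39 2032 GMT
Subject: O = Istio, CN = Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c4:80:6c:d7:04:0d:c0:4e:22:6c:be:4a:a2:45:
...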
27 | df:57:95 28 | Exponent: 65537 (0x10001) 29 | X509v3 extensions: 30 | X509v3 Subject Key Identifier: 31 | 5C:0F:9A:96:63:65:D6:3D:8E:FE:04:87:8C:16:0B:66:84:6C:71:B3 32 | X509v3 Basic Constraints: critical 33 | CA:TRUE 34 | X509v3 Key Usage: critical 35 | Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign 36 | Signature Algorithm: sha256WithRSAEncryption 37 | Signature Value: 38 | 70:0b:b7:98:3b:66:b6:6a:4a:a2:ac:4c:ce:49:df:bb:cc:c4: 39 | ... 40 | b9:36:3e:f8:44:94:52:60 41 | -----BEGIN CERTIFICATE----- 42 | MIIFFDCCAvygAwIBAgIUQmdKbSJUpygxZMpYLpnNZj5t5N4wDQYJKoZIhvcNAQEL 43 | ... 44 | uTY++ESUUmA= 45 | -----END CERTIFICATE----- 46 | ``` 47 | 48 | 49 | Intermediate Certificate. 50 | 51 | ```console 52 | openssl x509 -in k3s-cluster1/ca-cert.pem -text 53 | ``` 54 | 55 | ``` 56 | Certificate: 57 | Data: 58 | Version: 3 (0x2) 59 | Serial Number: 60 | 5d:d1:d1:46:08:35:f5:91:e6:03:c0:aa:56:4d:80:28:4e:4e:79:b9 61 | Signature Algorithm: sha256WithRSAEncryption 62 | Issuer: O = Istio, CN = Root CA 63 | Validity 64 | Not Before: Nov 17 13:00:40 2022 GMT 65 | Not After : Nov 16 13:00:40 2024 GMT 66 | Subject: O = Istio, CN = Intermediate CA, L = k3s-cluster1 67 | Subject Public Key Info: 68 | Public Key Algorithm: rsaEncryption 69 | Public-Key: (4096 bit) 70 | Modulus: 71 | 00:d3:6f:bf:41:0e:69:94:65:d3:6c:66:c1:39:a9: 72 | ... 
73 | 28:a7:d5 74 | Exponent: 65537 (0x10001) 75 | X509v3 extensions: 76 | X509v3 Subject Key Identifier: 77 | 01:CC:15:FE:F3:39:A9:C4:C7:A2:A4:E9:EF:F5:27:00:B4:C6:A6:0F 78 | X509v3 Basic Constraints: critical 79 | CA:TRUE, pathlen:0 80 | X509v3 Key Usage: critical 81 | Digital Signature, Non Repudiation, Key Encipherment, Certificate Sign 82 | X509v3 Subject Alternative Name: 83 | DNS:istiod.istio-system.svc 84 | X509v3 Authority Key Identifier: 85 | 5C:0F:9A:96:63:65:D6:3D:8E:FE:04:87:8C:16:0B:66:84:6C:71:B3 86 | Signature Algorithm: sha256WithRSAEncryption 87 | Signature Value: 88 | 36:a5:5d:a5:33:48:e6:00:ce:74:e7:0f:df:98:b3:38:67:09: 89 | ... 90 | 82:46:65:ce:ea:13:dd:f0 91 | -----BEGIN CERTIFICATE----- 92 | MIIFfTCCA2WgAwIBAgIUXdHRRgg19ZHmA8CqVk2AKE5OebkwDQYJKoZIhvcNAQEL 93 | ... 94 | EBFrT5QK4o5kgkZlzuoT3fA= 95 | -----END CERTIFICATE----- 96 | ``` 97 | 98 | > **REMARK:** Note the X509v3 Basic Constraints extension `CA:TRUE, pathlen:0` together with the `Certificate Sign` key usage: both are required for `istiod` to issue workload certificates from this intermediate certificate, while `pathlen:0` prevents it from issuing further CA certificates. 
99 | -------------------------------------------------------------------------------- /certs/istiod-cluster1/cert-chain.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFUjCCAzqgAwIBAgIJAN7fKYoUdoHWMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV 3 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1NFoXDTI0 4 | MTExNjIyMDE1NFowRDEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVk 5 | aWF0ZSBDQTEYMBYGA1UEBwwPaXN0aW9kLWNsdXN0ZXIxMIICIjANBgkqhkiG9w0B 6 | AQEFAAOCAg8AMIICCgKCAgEA0de2Lr+DhI0HlEcl6uDrJonpUttReh57ntNNLA4A 7 | H+7lb6LexQtw+byDQwlv4zId8yJ3nN5VntX5RLAlCAyOR1EPIkCYt2vnsK2lrp2P 8 | zJdETwjisDrBFmQHL3pl9iEU9fNru5+3ViPQEtCjyQsWEiuJHO5+ZWsRz7AeuN4I 9 | h4k41hahDRw9kNJTHngxxRoGAffsYQbuj6e8GLH0sBWp+D7SN7UBcoVFQr/Ui0fa 10 | 66V+4ASGPVvijgTw0jRL1t7e0VguGX491M0gUUXf1TWfPqezct2bQTAb8+gwe2zf 11 | YpXVrcGEMSZmk7oBs+AJQlsq61eorKSX8FeOp+/Rz6/FN77bV51fqZ/tQiF4jJ7p 12 | h2lTz6upX/nO47N+QRsMRapEHsXReY0W3VS/WthbKhkNXvQw5MrZ4xg6QSVgRA4a 13 | sU23ZJ1KuUKgT2XsA/hL5L13kg8aa64y9azKSc2VHQe/N87MIhvzE1UD+Vn4928p 14 | 9Oebq6+EiKBoAiUUG4OgssGOrL1YxU6X03yVwCFBAJdCfx+wjOE55MZonXxafbL2 15 | 8yYNPEjWYiQZNrWuDnePCb5kS1XIoG7DZ7ta+WNutE+59pIyG6ECPZ7xJLYBquTa 16 | 86hyKz59VdYVqAUYj+TYF81U3MWJCf1LSWEbe2Gg2Giy3dgaOCwifwXsFHn9WcSG 17 | PQkCAwEAAaNpMGcwHQYDVR0OBBYEFIUXcQuj9KKILV23iNGtPOTUmphDMBIGA1Ud 18 | EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmCF2lzdGlv 19 | ZC5pc3Rpby1zeXN0ZW0uc3ZjMA0GCSqGSIb3DQEBCwUAA4ICAQC9Va6PpBpYji3A 20 | kscmFUjjR8Yi8HgCwLZgs6toy8RGMejM4ANsB22Kl/cYQx9YNODTTxd3GOqAPglB 21 | L2iqYP0+qJWU+h8u4n2Bgaz77DKmiIhKBhozeSUGltzFFK93zFwMhVEvlTOfwhgb 22 | 2xS1iAAAGFvPYeJSRNwfTz59mFmIYErbjWIl+3pxjen0YD5AOntW+SkpJBfz7jqf 23 | pvDEja1uP60kjSdqy4ppj6Dlo6/AwQpM2hbn1riD0MRcE56c0SNfuygfCpj/o2iu 24 | mmYHGPgoiN8MXM99GyJnQ3CZhl3MHlxZ2Uy7zln6h1OR8abLtyJjueu/7qbQi/+t 25 | Jg8B4jg3ofZ4+Te+b+nmiJ06FQ2VpQSigpGTQQbsfkEM9Nio5+TaULLXyaazizD6 26 | YG1uIgxT14zRLkAcc+asT941qobHbshcqabqJQ3jeIeMAENBSTwtaQaY4HupCqGz 27 | 
Ukca0gimyNa4U84CRzB6qkRA2Qu8mK4HggbzmzMLCIuCg2hALNw/HCZoN5lnT6ja 28 | biTqljc00xswAlxKfmNtyUFd/Obsm5kdMG1Fc/gDwqeQoauzs2lO/ZJa8+AulJ3f 29 | Py9b7HnuhVI513gfjC/rueZiLWiz9SHToCZ1OEBhQ0+Gn1X1fCcb2/npDHrQ3WUJ 30 | 1mNnbjvxR/Wi2cn30cQeb7BXEUCeWA== 31 | -----END CERTIFICATE----- 32 | -----BEGIN CERTIFICATE----- 33 | MIIFCTCCAvGgAwIBAgIJAPW81+ib22JIMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV 34 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1MloXDTMy 35 | MTExNDIyMDE1MlowIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew 36 | ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSzeKUVYad9rExNis/ufhw 37 | tQHd9P8SEuq9DBNJBxfo2wRt6QyCsLIekCjH0GIPLp3UWj03i9JDauPFXWvMrQTV 38 | yMG9sjEmhvUlIGAe6w+4fLvljLSmLQeWTVgQUxiDk7bM2OC3+e+sxOGoKDME5dp+ 39 | 9od7YuEOmc5WnNF3sFqEkf2E+KB1FQg/PpyilBJSnYLXGasb3OWJE03EOj+mC8va 40 | inK0u6xw81fcrlDuBHeh3meB8ud7ovY+ZAPqhRWUY4dz3CuGXN5PWCHaUSDNrzKM 41 | fsHnem8XnG+5Ws4Og9bavlKXf7SvJlpLrn6Y1XC3kdFiWoG4Kf1rAYACiBTH24HI 42 | IGrLlGXMBtEkMO/RjsV4kSJqkdSkeryvVnZaI5nGXyxvNdUzmmM3qqbS62aQA062 43 | B1GuIM49DB7xma5Lue1qRxBopOJVGmzcNKDpZ9+HiikReS/fl0A6Z+Sk3sbl2VP6 44 | /WbpZ7LuuSZkkzAbs+PgsmkQu2hGIk//Aw8xBSqJN5K9lQBrBfKfkyVdPK7WkUNG 45 | /KinEMmWgQ9LHzXTdeJzvD3aV6Zz1BBVWgaFny7xEbIg8+46Y58oIPfrqtsmd9tS 46 | v+OkyJjDvArVi4ErG72AriiY1zK1MemLScnGKWQmwCT6Y1foH3nFqJcnSfUzgCh5 47 | OC6Y7eWo3D1UQWGNlvkkwQIDAQABo0IwQDAdBgNVHQ4EFgQUf19JeG8G9jDhTa4l 48 | WDm/zyjeyc8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI 49 | hvcNAQELBQADggIBAJX1TUFtaS39OorE3oOKazttc30kcaMaBeva8DVVucG6OZKx 50 | qGOjEblmTsdqGYbJ7aoG1bz3LrdkZoViE953sVvq4Yf4ZJx7rORGtNKsWi7FAOEJ 51 | ZIqLDLQk8LUZzNjaFxxa4urqC6tw4x5jcG086nUmIjCN0/z2dyIGozWIKUSL8URs 52 | YDlXqDQTEZg8qrhWisIdyO5qpkCLslTcGVl3Kq3wzEZxkky3Asc70vob9ine7O7K 53 | Vsgb3Wkcp2FzgoSH7zvhELwePnBfAgY3UlWkqA8MSJbS9C3QdRf+nzrVNfANj/Gd 54 | pFBdJ/blnYyqyba38oHgMFuEFSX2tXOm9LD0PB6qnVyWC2lMFZCjjQzohirgTenP 55 | 4c5q0M4t7ZOtA+USK0v+pMzivgLdaYdjViUKcud62E19gIDQwUxWkkDySAYmrakR 56 | E49Ai0bx7uuLyf+5RHSWw3B9RAGNg1KBYe2ysLIh8tC1ov5xlBLnmssmK/HP619U 57 | 
YpINph/MXXHVe/VXbTTNVdhd6qM8wb48dvd3U2MXVqLSlfi51AJsugKAF0AThLCJ 58 | lUOgIOyMX2+UTc1Ci3t46xBbEzGWssMmyzwXkBoMJ5v/+FnNABqyE//JPNZt1/DU 59 | cO1F6NLHd5wXO9f2DjTrgjEqN9DgE3Kg0G5i5k2CqXvbImL6ZpZhu3A4MRs6 60 | -----END CERTIFICATE----- 61 | -------------------------------------------------------------------------------- /certs/istiod-cluster2/cert-chain.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIFUjCCAzqgAwIBAgIJAN7fKYoUdoHXMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV 3 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1NVoXDTI0 4 | MTExNjIyMDE1NVowRDEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVk 5 | aWF0ZSBDQTEYMBYGA1UEBwwPaXN0aW9kLWNsdXN0ZXIyMIICIjANBgkqhkiG9w0B 6 | AQEFAAOCAg8AMIICCgKCAgEAoksdEGIeBIV3AQfT1A0excQIsiRLQNLhX9cV++hu 7 | Xdgjjwtg85zHnObdHX9Zpd/98bwU/snM5rXSXP1xsrq1G/J5/lk/HRIfwRysyoAa 8 | PTvdysVvX+ogL/t75gbVzVqlELplc3cJZXgR6vlscKd65GHAamvx6KC3CFnkwYsN 9 | kW63cxG3Q8IznEe2SarHZ2Ru7KMcMghJldSTl32AOMxUR0Np9wBIGo1xNn/SG61q 10 | SsfYPQuxiKWW5pZnnbbH89QHSAkoPeipRLdmVDYk/aj8kH/znqg3R0M9qgVRz/CQ 11 | aLSom4nI/m48MGrArm8uKVoB2EdGDFapRn/XgTgblHaEsxJUxSIGaUIIGYh7lo7J 12 | pxUT9W3gL35du3gugEhp89OHmwPc0RQ4oWGRL8voJFFaKZDJ8uOjuGCRE37aO6Gf 13 | MkeEYbdeRZvtNzCxLlJGmgio48Ss9xVCGh7CoqkjxGWQpeiC5jgL1I+YTpk5UOYJ 14 | 1wmMfQ4iF/WUQHyOwjzkluGSJJQLaL0XnyTq5qzoxRYYj7X5TEO1/A+L6pCcXwYM 15 | KnefYn1yjasKGVWcy4aS4ZbSM3Vor7KbQ4IeXLomq4zPxa+Qn/4XH162544QeauJ 16 | cTaRbuHytRZ7JNIKiXSF6EqDIhWXC4j5mtp4Ve9xTZrlj+BPFn0MUnpZ9HkifYF9 17 | xnsCAwEAAaNpMGcwHQYDVR0OBBYEFFRWmh8dkO0Tvy++maYsLhuRPhW+MBIGA1Ud 18 | EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmCF2lzdGlv 19 | ZC5pc3Rpby1zeXN0ZW0uc3ZjMA0GCSqGSIb3DQEBCwUAA4ICAQDOhvPHFP9DGg+O 20 | DpTLLtmVoCEEjCZiZwdnLSDqIivzRUO1PrzHepoMMMAyJwYeU9RfAy11a3giBLtP 21 | UgP4aEkLKxY6j9MaE/VHULTuHd0SNG4vGibdoCZNLDvhYvbXHqS7ZbUGBcsGGWpS 22 | dD2ym23vCT6Lx9oC8HLI492qOHP6zcUgSIiXsvObInYwZOifjxVPxkYbBo5IXKb8 23 | 
paqNwLMQTUjzpeROUTSA0YFhT7K1HRsGuGhT656j0zNfLQIwYb2dAYWQHg3qHOpd 24 | H/VJzWkpuCDMAimJ9sK7RS93TBxQlT+LLqrKHA5Ep7GmDypJIrlFaqxP/X8nBUmz 25 | /jsZ+p2bAXEsppB2lp/e09IC+nB9hGhFwtYQdFCzkOdTK+9+THIoNdZIHGXftTbX 26 | D7XBHQM8gbpwEWnhLl3BxWzRA0ce5zdadtliJzYWqAwW/yjz9mcmbYmBROE4NlUO 27 | hWLlrdNMYKanJ9QXfloQAbf5dBZ4pw8GOtKz/IEdIys1ebUPgzwZS78aHh4Hxf40 28 | 7hNw2RlVfz2Q8O5Ea44AkGDz81TxB8Zv+uL3nbFJgKH2mYBFg+LbvqW3gsGkfmOT 29 | S6zHL2EdiXavc9kd1udz4VZeyD6c2p3QLcG+Vyz+XYrER+E6hGdgdNEVL5lKXCts 30 | nAubT8cEdbYU7ngNAxuIvUh+2NfjUA== 31 | -----END CERTIFICATE----- 32 | -----BEGIN CERTIFICATE----- 33 | MIIFCTCCAvGgAwIBAgIJAPW81+ib22JIMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV 34 | BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1MloXDTMy 35 | MTExNDIyMDE1MlowIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew 36 | ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSzeKUVYad9rExNis/ufhw 37 | tQHd9P8SEuq9DBNJBxfo2wRt6QyCsLIekCjH0GIPLp3UWj03i9JDauPFXWvMrQTV 38 | yMG9sjEmhvUlIGAe6w+4fLvljLSmLQeWTVgQUxiDk7bM2OC3+e+sxOGoKDME5dp+ 39 | 9od7YuEOmc5WnNF3sFqEkf2E+KB1FQg/PpyilBJSnYLXGasb3OWJE03EOj+mC8va 40 | inK0u6xw81fcrlDuBHeh3meB8ud7ovY+ZAPqhRWUY4dz3CuGXN5PWCHaUSDNrzKM 41 | fsHnem8XnG+5Ws4Og9bavlKXf7SvJlpLrn6Y1XC3kdFiWoG4Kf1rAYACiBTH24HI 42 | IGrLlGXMBtEkMO/RjsV4kSJqkdSkeryvVnZaI5nGXyxvNdUzmmM3qqbS62aQA062 43 | B1GuIM49DB7xma5Lue1qRxBopOJVGmzcNKDpZ9+HiikReS/fl0A6Z+Sk3sbl2VP6 44 | /WbpZ7LuuSZkkzAbs+PgsmkQu2hGIk//Aw8xBSqJN5K9lQBrBfKfkyVdPK7WkUNG 45 | /KinEMmWgQ9LHzXTdeJzvD3aV6Zz1BBVWgaFny7xEbIg8+46Y58oIPfrqtsmd9tS 46 | v+OkyJjDvArVi4ErG72AriiY1zK1MemLScnGKWQmwCT6Y1foH3nFqJcnSfUzgCh5 47 | OC6Y7eWo3D1UQWGNlvkkwQIDAQABo0IwQDAdBgNVHQ4EFgQUf19JeG8G9jDhTa4l 48 | WDm/zyjeyc8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI 49 | hvcNAQELBQADggIBAJX1TUFtaS39OorE3oOKazttc30kcaMaBeva8DVVucG6OZKx 50 | qGOjEblmTsdqGYbJ7aoG1bz3LrdkZoViE953sVvq4Yf4ZJx7rORGtNKsWi7FAOEJ 51 | ZIqLDLQk8LUZzNjaFxxa4urqC6tw4x5jcG086nUmIjCN0/z2dyIGozWIKUSL8URs 52 | YDlXqDQTEZg8qrhWisIdyO5qpkCLslTcGVl3Kq3wzEZxkky3Asc70vob9ine7O7K 53 | 
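Vsgb3Wkcp2FzgoSH7zvhELwePnBfAgY3UlWkqA8MSJbS9C3QdRf+nzrVNfANj/Gd
pFBdJ/blnYyqyba38oHgMFuEFSX2tXOm9LD0PB6qnVyWC2lMFZCjjQzohirgTenP
4c5q0M4t7ZOtA+USK0v+pMzivgLdaYdjViUKcud62E19gIDQwUxWkkDySAYmrakR
E49Ai0bx7uuLyf+5RHSWw3B9RAGNg1KBYe2ysLIh8tC1ov5xlBLnmssmK/HP619U
YpINph/MXXHVe/VXbTTNVdhd6qM8wb48dvd3U2MXVqLSlfi51AJsugKAF0AThLCJ
lUOgIOyMX2+UTc1Ci3t46xBbEzGWssMmyzwXkBoMJ5v/+FnNABqyE//JPNZt1/DU
cO1F6NLHd5wXO9f2DjTrgjEqN9DgE3Kg0G5i5k2CqXvbImL6ZpZhu3A4MRs6
-----END CERTIFICATE-----
-------------------------------------------------------------------------------- /certs-gen/common.mk: --------------------------------------------------------------------------------
#------------------------------------------------------------------------
# variables: root CA
ROOTCA_DAYS ?= 3650
ROOTCA_KEYSZ ?= 4096
ROOTCA_ORG ?= Istio
ROOTCA_CN ?= Root CA
# kubeconfig used by Makefile.k8s.mk when it reads the CA secret out of a cluster.
KUBECONFIG ?= $(HOME)/.kube/config
ISTIO_NAMESPACE ?= istio-system
# Additional variables are defined in root-ca.conf target below.

#------------------------------------------------------------------------
# variables: intermediate CA
INTERMEDIATE_DAYS ?= 730
INTERMEDIATE_KEYSZ ?= 4096
INTERMEDIATE_ORG ?= Istio
INTERMEDIATE_CN ?= Intermediate CA
# Default DNS SAN of the intermediate: the istiod service name.
INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc
# Additional variables are defined in %/intermediate.conf target below.

#------------------------------------------------------------------------
# variables: workload certs: eg VM
# Workload certificates are deliberately short-lived (1 day by default).
WORKLOAD_DAYS ?= 1
SERVICE_ACCOUNT ?= default
WORKLOAD_CN ?= Workload

#------------------------------------------------------------------------
# variables: files to clean
# This list includes the private keys (root-key.pem, k8s-root-key.pem).
FILES_TO_CLEAN+=k8s-root-cert.pem \
	k8s-root-cert.srl \
	k8s-root-key.pem root-ca.conf root-cert.csr root-cert.pem root-cert.srl root-key.pem
#------------------------------------------------------------------------
# clean
.PHONY: clean

clean: ## Cleans all the intermediate files and folders previously generated.
	@rm -f $(FILES_TO_CLEAN)

# OpenSSL request/x509 config for the self-signed root CA.
# The extensions section must be named req_ext: [ req ] refers to it through
# req_extensions/x509_extensions, and the openssl x509 call in
# Makefile.selfsigned.mk selects it with '-extensions req_ext'. (It used to be
# written as a second "[ req_dn ]" header, which left req_ext undefined.)
# It marks the certificate as a CA (basicConstraints CA:true) with keyCertSign.
root-ca.conf:
	@echo "[ req ]" > $@
	@echo "encrypt_key = no" >> $@
	@echo "prompt = no" >> $@
	@echo "utf8 = yes" >> $@
	@echo "default_md = sha256" >> $@
	@echo "default_bits = $(ROOTCA_KEYSZ)" >> $@
	@echo "req_extensions = req_ext" >> $@
	@echo "x509_extensions = req_ext" >> $@
	@echo "distinguished_name = req_dn" >> $@
	@echo "[ req_ext ]" >> $@
	@echo "subjectKeyIdentifier = hash" >> $@
	@echo "basicConstraints = critical, CA:true" >> $@
	@echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
	@echo "[ req_dn ]" >> $@
	@echo "O = $(ROOTCA_ORG)" >> $@
	@echo "CN = $(ROOTCA_CN)" >> $@

# OpenSSL config for a per-directory intermediate CA. pathlen:0 lets it sign
# end-entity (workload) certificates but no further CAs. L is the target
# directory (trailing slash stripped below) and becomes the Locality field, so
# each intermediate gets a distinct subject.
%/intermediate.conf: L=$(dir $@)
%/intermediate.conf:
	@echo "[ req ]" > $@
	@echo "encrypt_key = no" >> $@
	@echo "prompt = no" >> $@
	@echo "utf8 = yes" >> $@
	@echo "default_md = sha256" >> $@
	@echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@
	@echo "req_extensions = req_ext" >> $@
	@echo "x509_extensions = req_ext" >> $@
	@echo "distinguished_name = req_dn" >> $@
	@echo "[ req_ext ]" >> $@
	@echo "subjectKeyIdentifier = hash" >> $@
	@echo "basicConstraints = critical, CA:true, pathlen:0" >> $@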
@echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@ 71 | @echo "subjectAltName=@san" >> $@ 72 | @echo "[ san ]" >> $@ 73 | @echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@ 74 | @echo "[ req_dn ]" >> $@ 75 | @echo "O = $(INTERMEDIATE_ORG)" >> $@ 76 | @echo "CN = $(INTERMEDIATE_CN)" >> $@ 77 | @echo "L = $(L:/=)" >> $@ 78 | 79 | %/workload.conf: L=$(dir $@) 80 | %/workload.conf: 81 | @echo "[ req ]" > $@ 82 | @echo "encrypt_key = no" >> $@ 83 | @echo "prompt = no" >> $@ 84 | @echo "utf8 = yes" >> $@ 85 | @echo "default_md = sha256" >> $@ 86 | @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@ 87 | @echo "req_extensions = req_ext" >> $@ 88 | @echo "x509_extensions = req_ext" >> $@ 89 | @echo "distinguished_name = req_dn" >> $@ 90 | @echo "[ req_ext ]" >> $@ 91 | @echo "subjectKeyIdentifier = hash" >> $@ 92 | @echo "basicConstraints = critical, CA:false" >> $@ 93 | @echo "keyUsage = digitalSignature, keyEncipherment" >> $@ 94 | @echo "extendedKeyUsage = serverAuth, clientAuth" >> $@ 95 | @echo "subjectAltName=@san" >> $@ 96 | @echo "[ san ]" >> $@ 97 | @echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@ 98 | @echo "[ req_dn ]" >> $@ 99 | @echo "O = $(INTERMEDIATE_ORG)" >> $@ 100 | @echo "CN = $(WORKLOAD_CN)" >> $@ 101 | @echo "L = $(L:/=)" >> $@ 102 | -------------------------------------------------------------------------------- /certs-gen/Makefile.k8s.mk: -------------------------------------------------------------------------------- 1 | .SUFFIXES: .csr .pem .conf 2 | .PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem 3 | .PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem 4 | .SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf 5 | 6 | .DEFAULT_GOAL := help 7 | 8 | SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) 9 | 10 | include $(SELF_DIR)common.mk 11 | 12 | #------------------------------------------------------------------------ 13 | ##help: print this 
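help message
.PHONY: help

help:
	@fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//'

#------------------------------------------------------------------------
##fetch-root-ca: fetch root CA and key from a k8s cluster.
.PHONY: fetch-root-ca
# The cluster name is taken from the current kubectl context; "/" cannot be
# part of a directory name, so it is replaced by "-".
rawcluster := $(shell kubectl config current-context)
cluster := $(subst /,-,$(rawcluster))
pwd := $(shell pwd)
export KUBECONFIG

# Copies the Istio root CA certificate and private key out of the cluster
# into $(cluster)/k8s-root-{cert,key}.pem.
#
# istiod prefers the user-provided "cacerts" Secret and only falls back to
# the self-signed "istio-ca-secret" when "cacerts" is absent (see the istiod
# bootstrap comment quoted in the top-level README), so the same precedence
# is applied here; otherwise intermediates could be signed by a root the mesh
# does not actually trust. The existence check runs in the shell at recipe
# time: a make-level ifeq is evaluated when the Makefile is parsed, before any
# recipe has run, and would always take the same branch.
fetch-root-ca:
	@echo "fetching root ca from k8s cluster: $(cluster)"
	@mkdir -p $(pwd)/$(cluster)
	@if kubectl get secret cacerts -n $(ISTIO_NAMESPACE) >/dev/null 2>&1; then \
		secret=cacerts; \
	else \
		secret=istio-ca-secret; \
	fi; \
	echo "using secret $$secret in namespace $(ISTIO_NAMESPACE)"; \
	kubectl get secret $$secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem; \
	kubectl get secret $$secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem
	@chmod 600 $(cluster)/k8s-root-key.pem

# Stage the fetched root material at the top level, where the pattern rules
# below expect it. These rules have no prerequisites, so an existing copy is
# reused even if the kubectl context changed since; run "make clean" when
# switching clusters.
k8s-root-cert.pem:
	@cat $(cluster)/k8s-root-cert.pem > $@

k8s-root-key.pem:
	@cat $(cluster)/k8s-root-key.pem > $@
	@chmod 600 $@
#------------------------------------------------------------------------
##<name>-cacerts: generate intermediate certificates for a cluster or VM, signed with the istio root cert from the current k8s cluster, and store them under directory <name>
.PHONY: %-cacerts

%-cacerts: %/cert-chain.pem
	@echo "done"

# cert-chain.pem = intermediate cert followed by the root cert (order of $^).
# The root cert is copied next to it so the directory holds everything istiod
# needs (ca-key.pem, ca-cert.pem, cert-chain.pem, root-cert.pem).
%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem
	@echo "generating $@"
	@cat $^ > $@
	@echo "Intermediate certs stored in $(dir $@)"
	@cp k8s-root-cert.pem $(dir $@)root-cert.pem

# Sign the intermediate CSR with the fetched root CA. The extensions are taken
# from intermediate.conf (CA:true, pathlen:0), not from the CSR.
%/ca-cert.pem: %/cluster-ca.csr k8s-root-key.pem k8s-root-cert.pem
	@echo "generating $@"
	@openssl x509 -req -days $(INTERMEDIATE_DAYS) \
		-CA k8s-root-cert.pem -CAkey k8s-root-key.pem -CAcreateserial \
		-extensions req_ext -extfile $(dir $<)intermediate.conf \
		-in $< -out $@

%/cluster-ca.csr: L=$(dir $@)
%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
	@echo "generating $@"
	@openssl req -new -config $(L)intermediate.conf -key $< -out $@

# fetch-root-ca is an order-only ("|") prerequisite: the root material must be
# present, but since fetch-root-ca is .PHONY a normal prerequisite would force
# this recipe - and everything built from the key - to rerun on every
# invocation, silently generating a new intermediate CA key each time. With
# "|" an existing key is kept, as .PRECIOUS above intends.
%/ca-key.pem: | fetch-root-ca
	@echo "generating $@"
	@mkdir -p $(dir $@)
	@openssl genrsa -out $@ $(INTERMEDIATE_KEYSZ)

#------------------------------------------------------------------------
##<name>-certs: generate intermediate certificates and sign a workload certificate for a virtual machine in namespace <name> using serviceAccount `$SERVICE_ACCOUNT`, rooted in the istio root cert from the current k8s cluster.
.PHONY: %-certs

%-certs: fetch-root-ca %/workload-cert-chain.pem k8s-root-cert.pem
	@echo "done"

# Chain order is root, intermediate, workload leaf (the order of $^).
# NOTE(review): TLS peers usually expect the leaf first; confirm the consumer
# of workload-cert-chain.pem accepts this order.
%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem
	@echo "generating $@"
	@cat $^ > $@
	@echo "Intermediate and workload certs stored in $(dir $@)"
	@cp k8s-root-cert.pem $(dir $@)root-cert.pem

# The intermediate cert is a declared prerequisite so the rule is safe under
# parallel builds; $< is still the CSR.
%/workload-cert.pem: %/workload.csr %/ca-cert.pem
	@echo "generating $@"
	@openssl x509 -req -days $(WORKLOAD_DAYS) \
		-CA $(dir $<)ca-cert.pem -CAkey $(dir $<)ca-key.pem -CAcreateserial \
		-extensions req_ext -extfile $(dir $<)workload.conf \
		-in $< -out $@

%/workload.csr: L=$(dir $@)
%/workload.csr: %/key.pem %/workload.conf
	@echo "generating $@"
	@openssl req -new -config $(L)workload.conf -key $< -out $@

# Workload private key; same size as the CA keys (workload.conf also uses
# INTERMEDIATE_KEYSZ for default_bits).
%/key.pem:
	@echo "generating $@"
	@mkdir -p $(dir $@)
	@openssl genrsa -out $@ $(INTERMEDIATE_KEYSZ)
-------------------------------------------------------------------------------- /output/README.md: -------------------------------------------------------------------------------- 1 | # Kubernetes API Cert and istiod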
JWT token 2 | 3 | 4 | Content of the kubernetes API certificates. 5 | 6 | ```console 7 | openssl x509 -in k8sapi-cert1.pem -text 8 | ``` 9 | 10 | ``` 11 | Certificate: 12 | Data: 13 | Version: 3 (0x2) 14 | Serial Number: 0 (0x0) 15 | Signature Algorithm: ecdsa-with-SHA256 16 | Issuer: CN=k3s-server-ca@1668718694 17 | Validity 18 | Not Before: Nov 17 20:58:14 2022 GMT 19 | Not After : Nov 14 20:58:14 2032 GMT 20 | Subject: CN=k3s-server-ca@1668718694 21 | Subject Public Key Info: 22 | Public Key Algorithm: id-ecPublicKey 23 | Public-Key: (256 bit) 24 | pub: 25 | 04:79:3a:e6:71:bb:3b:82:bb:4a:42:c2:55:30:56: 26 | ba:42:cc:02:97:79:13:1d:50:3e:d5:d8:fd:e1:5d: 27 | c8:23:3c:78:1b:40:11:98:56:5c:03:4a:1c:bc:be: 28 | 96:89:02:b1:9b:d4:72:c6:0b:ad:2a:02:44:34:3b: 29 | 96:a1:96:e5:ee 30 | ASN1 OID: prime256v1 31 | NIST CURVE: P-256 32 | X509v3 extensions: 33 | X509v3 Key Usage: critical 34 | Digital Signature, Key Encipherment, Certificate Sign 35 | X509v3 Basic Constraints: critical 36 | CA:TRUE 37 | X509v3 Subject Key Identifier: 38 | 98:CC:58:4D:4B:A0:61:A3:73:4C:86:84:82:F9:5F:D3:95:5E:74:F3 39 | Signature Algorithm: ecdsa-with-SHA256 40 | 30:46:02:21:00:b7:8a:49:a7:b9:e1:a0:1d:7b:ad:ec:37:ae: 41 | a6:e3:0f:b1:1f:7c:2d:60:02:52:db:32:ed:b0:48:ca:35:d1: 42 | 36:02:21:00:f5:dc:1c:8c:11:1e:b1:3a:40:af:0e:80:be:ae: 43 | 05:36:0b:03:1c:08:3d:be:24:7d:84:75:b1:7f:62:0d:d8:8e 44 | -----BEGIN CERTIFICATE----- 45 | MIIBeDCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy 46 | dmVyLWNhQDE2Njg3MTg2OTQwHhcNMjIxMTE3MjA1ODE0WhcNMzIxMTE0MjA1ODE0 47 | WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2Njg3MTg2OTQwWTATBgcqhkjO 48 | PQIBBggqhkjOPQMBBwNCAAR5OuZxuzuCu0pCwlUwVrpCzAKXeRMdUD7V2P3hXcgj 49 | PHgbQBGYVlwDShy8vpaJArGb1HLGC60qAkQ0O5ahluXuo0IwQDAOBgNVHQ8BAf8E 50 | BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUmMxYTUugYaNzTIaEgvlf 51 | 05VedPMwCgYIKoZIzj0EAwIDSQAwRgIhALeKSae54aAde63sN66m4w+xH3wtYAJS 52 | 2zLtsEjKNdE2AiEA9dwcjBEesTpArw6Avq4FNgsDHAg9viR9hHWxf2IN2I4= 53 | -----END 
CERTIFICATE----- 54 | ``` 55 | 56 | Content of the Istiod ServiceAccount JWT token. 57 | 58 | ```console 59 | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $(cat istiod1.jwt) 60 | ``` 61 | 62 | ```json 63 | { 64 | "alg": "RS256", 65 | "kid": "Yf1kXn44WKQpqBoRlIY-_CD3187pbKgLRDgTGgr3Erc" 66 | } 67 | { 68 | "iss": "kubernetes/serviceaccount", 69 | "kubernetes.io/serviceaccount/namespace": "istio-system", 70 | "kubernetes.io/serviceaccount/secret.name": "istiod", 71 | "kubernetes.io/serviceaccount/service-account.name": "istiod", 72 | "kubernetes.io/serviceaccount/service-account.uid": "a7ed5518-73a1-4e35-bab5-a22e3d2e5008", 73 | "sub": "system:serviceaccount:istio-system:istiod" 74 | } 75 | ``` 76 | 77 | After you have set-up the vault configuration, you can test the kubernetes auth method. 78 | 79 | ```console 80 | AUTH_RESPONSE=$(curl --request POST --data "{\"jwt\": \"`cat istiod1.jwt`\", \"role\": \"istiod\"}" http://localhost:8200/v1/auth/kubernetes-cluster1/login) 81 | echo $AUTH_RESPONSE | jq 82 | ``` 83 | 84 | ```json 85 | { 86 | "request_id": "9ccea87c-064d-7178-bb44-c44cd89aa2ab", 87 | "lease_id": "", 88 | "renewable": false, 89 | "lease_duration": 0, 90 | "data": null, 91 | "wrap_info": null, 92 | "warnings": null, 93 | "auth": { 94 | "client_token": "hvs.CAESILOCPwIGzFX7EdX18x0rwJ3LNO8c8Q_Gp32npcWmvrwGGh4KHGh2cy5jUktUeW9WVWswTFJUN3dLQ2hzNVZZRU4", 95 | "accessor": "B1sP45E3Jf5wglL0r31LJT5k", 96 | "policies": [ 97 | "default", 98 | "istiod-certs-cluster1" 99 | ], 100 | "token_policies": [ 101 | "default", 102 | "istiod-certs-cluster1" 103 | ], 104 | "metadata": { 105 | "role": "istiod", 106 | "service_account_name": "istiod", 107 | "service_account_namespace": "istio-system", 108 | "service_account_secret_name": "istiod", 109 | "service_account_uid": "1edcbdc5-b5a2-44fa-a86d-3d4d384e7ae2" 110 | }, 111 | "lease_duration": 86400, 112 | "renewable": true, 113 | "entity_id": "9bf66db0-e625-b2f3-af45-751d4bac894e", 114 | "token_type": "service", 115 | 
"orphan": true, 116 | "mfa_requirement": null, 117 | "num_uses": 0 118 | } 119 | } 120 | ``` 121 | 122 | We can now use this token to fetch our istio certificates. 123 | 124 | ```console 125 | VAULT_TOKEN=$(echo $AUTH_RESPONSE | jq .auth.client_token --raw-output) 126 | curl --request GET --header "X-Vault-Token: $VAULT_TOKEN" http://localhost:8200/v1/kubernetes-cluster1-secrets/istiod-service/certs | jq 127 | ``` 128 | 129 | ```json 130 | { 131 | "request_id": "a42c5847-bb29-0c78-8298-b6628d7595cb", 132 | "lease_id": "", 133 | "renewable": false, 134 | "lease_duration": 2764800, 135 | "data": { 136 | "ca_cert": "-----BEGIN CERTIFICATE-----\nMIIFUjCCAzqgAwIBAgIJAN7fKYoUdoHWMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV\nBAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1NFoXDTI0\nMTExNjIyMDE1NFowRDEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVk\naWF0ZSBDQTEYMBYGA1UEBwwPaXN0aW9kLWNsdXN0ZXIxMIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEA0de2Lr+DhI0HlEcl6uDrJonpUttReh57ntNNLA4A\nH+7lb6LexQtw+byDQwlv4zId8yJ3nN5VntX5RLAlCAyOR1EPIkCYt2vnsK2lrp2P\nzJdETwjisDrBFmQHL3pl9iEU9fNru5+3ViPQEtCjyQsWEiuJHO5+ZWsRz7AeuN4I\nh4k41hahDRw9kNJTHngxxRoGAffsYQbuj6e8GLH0sBWp+D7SN7UBcoVFQr/Ui0fa\n66V+4ASGPVvijgTw0jRL1t7e0VguGX491M0gUUXf1TWfPqezct2bQTAb8+gwe2zf\nYpXVrcGEMSZmk7oBs+AJQlsq61eorKSX8FeOp+/Rz6/FN77bV51fqZ/tQiF4jJ7p\nh2lTz6upX/nO47N+QRsMRapEHsXReY0W3VS/WthbKhkNXvQw5MrZ4xg6QSVgRA4a\nsU23ZJ1KuUKgT2XsA/hL5L13kg8aa64y9azKSc2VHQe/N87MIhvzE1UD+Vn4928p\n9Oebq6+EiKBoAiUUG4OgssGOrL1YxU6X03yVwCFBAJdCfx+wjOE55MZonXxafbL2\n8yYNPEjWYiQZNrWuDnePCb5kS1XIoG7DZ7ta+WNutE+59pIyG6ECPZ7xJLYBquTa\n86hyKz59VdYVqAUYj+TYF81U3MWJCf1LSWEbe2Gg2Giy3dgaOCwifwXsFHn9WcSG\nPQkCAwEAAaNpMGcwHQYDVR0OBBYEFIUXcQuj9KKILV23iNGtPOTUmphDMBIGA1Ud\nEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmCF2lzdGlv\nZC5pc3Rpby1zeXN0ZW0uc3ZjMA0GCSqGSIb3DQEBCwUAA4ICAQC9Va6PpBpYji3A\nkscmFUjjR8Yi8HgCwLZgs6toy8RGMejM4ANsB22Kl/cYQx9YNODTTxd3GOqAPglB\nL2iqYP0+qJWU+h8u4n2Bgaz77DKmiIhKBhozeSUGltzFFK93zFwMhVEvlTOfwhgb\n2xS1iAAAGFvPYeJSRNwfTz59mFmIYE
rbjWIl+3pxjen0YD5AOntW+SkpJBfz7jqf\npvDEja1uP60kjSdqy4ppj6Dlo6/AwQpM2hbn1riD0MRcE56c0SNfuygfCpj/o2iu\nmmYHGPgoiN8MXM99GyJnQ3CZhl3MHlxZ2Uy7zln6h1OR8abLtyJjueu/7qbQi/+t\nJg8B4jg3ofZ4+Te+b+nmiJ06FQ2VpQSigpGTQQbsfkEM9Nio5+TaULLXyaazizD6\nYG1uIgxT14zRLkAcc+asT941qobHbshcqabqJQ3jeIeMAENBSTwtaQaY4HupCqGz\nUkca0gimyNa4U84CRzB6qkRA2Qu8mK4HggbzmzMLCIuCg2hALNw/HCZoN5lnT6ja\nbiTqljc00xswAlxKfmNtyUFd/Obsm5kdMG1Fc/gDwqeQoauzs2lO/ZJa8+AulJ3f\nPy9b7HnuhVI513gfjC/rueZiLWiz9SHToCZ1OEBhQ0+Gn1X1fCcb2/npDHrQ3WUJ\n1mNnbjvxR/Wi2cn30cQeb7BXEUCeWA==\n-----END CERTIFICATE-----\n", 137 | "ca_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKwIBAAKCAgEA0de2Lr+DhI0HlEcl6uDrJonpUttReh57ntNNLA4AH+7lb6Le\nxQtw+byDQwlv4zId8yJ3nN5VntX5RLAlCAyOR1EPIkCYt2vnsK2lrp2PzJdETwji\nsDrBFmQHL3pl9iEU9fNru5+3ViPQEtCjyQsWEiuJHO5+ZWsRz7AeuN4Ih4k41hah\nDRw9kNJTHngxxRoGAffsYQbuj6e8GLH0sBWp+D7SN7UBcoVFQr/Ui0fa66V+4ASG\nPVvijgTw0jRL1t7e0VguGX491M0gUUXf1TWfPqezct2bQTAb8+gwe2zfYpXVrcGE\nMSZmk7oBs+AJQlsq61eorKSX8FeOp+/Rz6/FN77bV51fqZ/tQiF4jJ7ph2lTz6up\nX/nO47N+QRsMRapEHsXReY0W3VS/WthbKhkNXvQw5MrZ4xg6QSVgRA4asU23ZJ1K\nuUKgT2XsA/hL5L13kg8aa64y9azKSc2VHQe/N87MIhvzE1UD+Vn4928p9Oebq6+E\niKBoAiUUG4OgssGOrL1YxU6X03yVwCFBAJdCfx+wjOE55MZonXxafbL28yYNPEjW\nYiQZNrWuDnePCb5kS1XIoG7DZ7ta+WNutE+59pIyG6ECPZ7xJLYBquTa86hyKz59\nVdYVqAUYj+TYF81U3MWJCf1LSWEbe2Gg2Giy3dgaOCwifwXsFHn9WcSGPQkCAwEA\nAQKCAgEAwDdYKnpDfqewyaJimURuIl8x2zQK7lH96v6jMjeg5Z9vi1MlvFk+o4SK\nuF1soDDIPm7UIl2HEHfwXXr8cOMPcURPGJETUvEEylJF8i1iC4aEi+EXxVYMiPYX\nnuX/f/XNvX28saEbz0v+zT1QylfdX8eBUX8lSMFLD3PEsJKyPXT1GyafX+L+giom\n+UIgVOwBlMwFOtueqvh61CQufx1ZFIx3A5BKQxzQ1NPjXbH0VubB0XJThOEmJfFg\npyxATBLbB+g+UhvRh5xefhQDdMoplLsJJa7ZCF2JPWLzBhw0g5m8oe0hqeQDEk7Q\nQHR4BtB8ABfL6lja1M1fX3XOOvBHNaB3Si5NVWVpYbuvni26NJ2YhytdINUDdfmd\nvsMB6PE3LJI2R66tWqlbH25bTf906FBJHAS19QDYqI3IW1j13ePrUZJy+pJL/olr\nacfm9LvnO/ToLebnhJllJzqD/Tt+j+LPwMd2/j5ZvTlJuU/OPDc2kU2yEMuCWzza\npMeXb/8yiy8Hn7triw/t303pZDyP0DyKPn2i1bH1kyi4191emiamyHKgPc++Cxt8\nerSJC7tnwQqdsbz8DOhmsDLdLLbQuHVwN2oZDGuRoov70UTI97oHE8FIWSHy3m43\n9V
RffnBrtn3uQFyzpa2emhYzHLckAu1d5iyM5mIENX9J386yKgECggEBAOqvqsFc\n7Gslv2PIqu5DzqEZZXYyHwAv9XOwrAEos9orxlfjE4ZA3yc9Txy03OgP8L96CTUG\nA6EF8Out6vQbg80oPvnXbZiTZFNf9v9DDvNn/UrnMGF8xtWlB4P2pZlKhS2dlApB\nSper1LgxW2jYJbBJaCyvHtCRLYuXfr+xlzqwjgx4C8W79LjJ5bxnuu+dEvCMEQz3\nRxM5Eozwd7PghuMexM6SFC7Bqezjszfk1j6LlKppbEC3OqrKJgCXZbOh5R818Ga7\nnxo1iWkwB4+N1CEbB0SsWTeRaKsRIslvZ23gBcH0/9cf3fDPk51HV8vWqLhRB4Ua\noI0xk5dSphH1bZMCggEBAOTmcb+G0S+ZW0hByLqkNfORDAjTLRxmY54mUHVQjPSH\nkfnKiRNv4WyYqSsGHMUseetcVPnpu8CP1pyO90Dzeyy7rZANtqB4YJwxftXBnfb5\nPH4tn/F28+Kz/nfU0CIOTceHYB6OjY+qCc32m+pzDfb34/hywj+nuQmzU3n9D/e1\nruxLX7sHPKtDdsuz8OMxpkN/qRm2hmm4zNpZGY1R9LMZHU4nKxe/axsuJqOJuPBX\n6PHtaUkk+DxJNyqP8KO/Ks33nGCwAdeSm7g4Z4+YMPucIXvhP9mwdYWZ1U9ytPHV\n1XjHFUrKy6NQgxta7DyEFEytiqv/mcSxH7XpEXpEbHMCggEBALdrxmRMEQcJQJVn\nX5jK7DLi23bOY4ZM9WSPH0/klPSeI+3KrxbNmttbQnqoLMM+uiWc5pdHdQyjzREW\nI7zXyGJO4zF3mtOV1uKG7U/CBGxeyQuCt0BqOij+S2prGjA9mur07qA5OWhjRuUS\nxmOiE4q9RKsvz0CpRtSD+e8uiIi5NrwuEt1fMjw+p8xhsivWMthIUIc2uJkgkQwQ\nYS33/NSD1sOwTg/hEsLvj8HOm1fU1cN+k7ncuwCC78KkkTsc/CsxiAty9j2QvC22\n+SHMco/RRRP6M9yHTCvvP6X56PdqEHXv2wkygc7VHYTeHpNU2Rb9VYhFMFhJ+BVb\n5inBDPsCggEBAKbghn8OZ8Ve9ZipNRE1FIw869wnMRUqZGfxIOlWT10a1UaZ7PN5\ntou4hGR0cVcihMQdLWqBh7rsYpcC96mnmN5U+UUzajh1amGVCBYIsQRUUlDfLGMa\nyNU3SkbMpOyfJv9XZ7D/Vp8tZTZ+Gs+DD+REdzQzXgCQY6t5zFr8Lr71+tAUZ3dv\n4EAv0BTUW8MW+FLvaDXxxu6epuJs4N8Rp+dGYQIQNi97AzfunobNqkG2pYJzBjYo\nOL2i1xA1nkeS4D8GzUAEMWObY+GbZYzfdJ6LBjJNVoJ7TkKXk1b3lolUzuvdoF1F\nmc63rM2trNq1pCL+xkF89/rY8vhpMa/E4JcCggEBAMxLBkgUOAb007szuFyl6r5S\nmSdLUUiqJZJILjzmVL6WZARAgPGZQiAUd5a95wnBTxgnm5b4rTD8q8l0cSotUS8W\nYd8PewxAH9p+9cjEwq4ddHpxns68h+6vftaTb00ZF645l1EGng3Tkmd9sS1Z5XqK\nXMMrSkeIzEuI9BUR8hPTxBXlVKMjSe4iwC9VcS8Pxl454nmDfGiJmH6xIGupmntI\n3RERF+EsxAyVy902ij0whq66wAHNWPMbgpPKDvOINTN91vIah/QNxPhXhBpbfXDe\nhBns6fArR5xeuwR5bvuSgkdvUc5P6N2DvSK8dpFHcdWNleaZbv4q+V0dwoWSANM=\n-----END RSA PRIVATE KEY-----\n", 138 | "cert_chain": "-----BEGIN 
CERTIFICATE-----\nMIIFUjCCAzqgAwIBAgIJAN7fKYoUdoHWMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV\nBAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1NFoXDTI0\nMTExNjIyMDE1NFowRDEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVk\naWF0ZSBDQTEYMBYGA1UEBwwPaXN0aW9kLWNsdXN0ZXIxMIICIjANBgkqhkiG9w0B\nAQEFAAOCAg8AMIICCgKCAgEA0de2Lr+DhI0HlEcl6uDrJonpUttReh57ntNNLA4A\nH+7lb6LexQtw+byDQwlv4zId8yJ3nN5VntX5RLAlCAyOR1EPIkCYt2vnsK2lrp2P\nzJdETwjisDrBFmQHL3pl9iEU9fNru5+3ViPQEtCjyQsWEiuJHO5+ZWsRz7AeuN4I\nh4k41hahDRw9kNJTHngxxRoGAffsYQbuj6e8GLH0sBWp+D7SN7UBcoVFQr/Ui0fa\n66V+4ASGPVvijgTw0jRL1t7e0VguGX491M0gUUXf1TWfPqezct2bQTAb8+gwe2zf\nYpXVrcGEMSZmk7oBs+AJQlsq61eorKSX8FeOp+/Rz6/FN77bV51fqZ/tQiF4jJ7p\nh2lTz6upX/nO47N+QRsMRapEHsXReY0W3VS/WthbKhkNXvQw5MrZ4xg6QSVgRA4a\nsU23ZJ1KuUKgT2XsA/hL5L13kg8aa64y9azKSc2VHQe/N87MIhvzE1UD+Vn4928p\n9Oebq6+EiKBoAiUUG4OgssGOrL1YxU6X03yVwCFBAJdCfx+wjOE55MZonXxafbL2\n8yYNPEjWYiQZNrWuDnePCb5kS1XIoG7DZ7ta+WNutE+59pIyG6ECPZ7xJLYBquTa\n86hyKz59VdYVqAUYj+TYF81U3MWJCf1LSWEbe2Gg2Giy3dgaOCwifwXsFHn9WcSG\nPQkCAwEAAaNpMGcwHQYDVR0OBBYEFIUXcQuj9KKILV23iNGtPOTUmphDMBIGA1Ud\nEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgLkMCIGA1UdEQQbMBmCF2lzdGlv\nZC5pc3Rpby1zeXN0ZW0uc3ZjMA0GCSqGSIb3DQEBCwUAA4ICAQC9Va6PpBpYji3A\nkscmFUjjR8Yi8HgCwLZgs6toy8RGMejM4ANsB22Kl/cYQx9YNODTTxd3GOqAPglB\nL2iqYP0+qJWU+h8u4n2Bgaz77DKmiIhKBhozeSUGltzFFK93zFwMhVEvlTOfwhgb\n2xS1iAAAGFvPYeJSRNwfTz59mFmIYErbjWIl+3pxjen0YD5AOntW+SkpJBfz7jqf\npvDEja1uP60kjSdqy4ppj6Dlo6/AwQpM2hbn1riD0MRcE56c0SNfuygfCpj/o2iu\nmmYHGPgoiN8MXM99GyJnQ3CZhl3MHlxZ2Uy7zln6h1OR8abLtyJjueu/7qbQi/+t\nJg8B4jg3ofZ4+Te+b+nmiJ06FQ2VpQSigpGTQQbsfkEM9Nio5+TaULLXyaazizD6\nYG1uIgxT14zRLkAcc+asT941qobHbshcqabqJQ3jeIeMAENBSTwtaQaY4HupCqGz\nUkca0gimyNa4U84CRzB6qkRA2Qu8mK4HggbzmzMLCIuCg2hALNw/HCZoN5lnT6ja\nbiTqljc00xswAlxKfmNtyUFd/Obsm5kdMG1Fc/gDwqeQoauzs2lO/ZJa8+AulJ3f\nPy9b7HnuhVI513gfjC/rueZiLWiz9SHToCZ1OEBhQ0+Gn1X1fCcb2/npDHrQ3WUJ\n1mNnbjvxR/Wi2cn30cQeb7BXEUCeWA==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIFCTCCAvGgAwIBAgIJAPW81+ib22JIMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV\nBAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1MloXDTMy\nMTExNDIyMDE1MlowIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew\nggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSzeKUVYad9rExNis/ufhw\ntQHd9P8SEuq9DBNJBxfo2wRt6QyCsLIekCjH0GIPLp3UWj03i9JDauPFXWvMrQTV\nyMG9sjEmhvUlIGAe6w+4fLvljLSmLQeWTVgQUxiDk7bM2OC3+e+sxOGoKDME5dp+\n9od7YuEOmc5WnNF3sFqEkf2E+KB1FQg/PpyilBJSnYLXGasb3OWJE03EOj+mC8va\ninK0u6xw81fcrlDuBHeh3meB8ud7ovY+ZAPqhRWUY4dz3CuGXN5PWCHaUSDNrzKM\nfsHnem8XnG+5Ws4Og9bavlKXf7SvJlpLrn6Y1XC3kdFiWoG4Kf1rAYACiBTH24HI\nIGrLlGXMBtEkMO/RjsV4kSJqkdSkeryvVnZaI5nGXyxvNdUzmmM3qqbS62aQA062\nB1GuIM49DB7xma5Lue1qRxBopOJVGmzcNKDpZ9+HiikReS/fl0A6Z+Sk3sbl2VP6\n/WbpZ7LuuSZkkzAbs+PgsmkQu2hGIk//Aw8xBSqJN5K9lQBrBfKfkyVdPK7WkUNG\n/KinEMmWgQ9LHzXTdeJzvD3aV6Zz1BBVWgaFny7xEbIg8+46Y58oIPfrqtsmd9tS\nv+OkyJjDvArVi4ErG72AriiY1zK1MemLScnGKWQmwCT6Y1foH3nFqJcnSfUzgCh5\nOC6Y7eWo3D1UQWGNlvkkwQIDAQABo0IwQDAdBgNVHQ4EFgQUf19JeG8G9jDhTa4l\nWDm/zyjeyc8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI\nhvcNAQELBQADggIBAJX1TUFtaS39OorE3oOKazttc30kcaMaBeva8DVVucG6OZKx\nqGOjEblmTsdqGYbJ7aoG1bz3LrdkZoViE953sVvq4Yf4ZJx7rORGtNKsWi7FAOEJ\nZIqLDLQk8LUZzNjaFxxa4urqC6tw4x5jcG086nUmIjCN0/z2dyIGozWIKUSL8URs\nYDlXqDQTEZg8qrhWisIdyO5qpkCLslTcGVl3Kq3wzEZxkky3Asc70vob9ine7O7K\nVsgb3Wkcp2FzgoSH7zvhELwePnBfAgY3UlWkqA8MSJbS9C3QdRf+nzrVNfANj/Gd\npFBdJ/blnYyqyba38oHgMFuEFSX2tXOm9LD0PB6qnVyWC2lMFZCjjQzohirgTenP\n4c5q0M4t7ZOtA+USK0v+pMzivgLdaYdjViUKcud62E19gIDQwUxWkkDySAYmrakR\nE49Ai0bx7uuLyf+5RHSWw3B9RAGNg1KBYe2ysLIh8tC1ov5xlBLnmssmK/HP619U\nYpINph/MXXHVe/VXbTTNVdhd6qM8wb48dvd3U2MXVqLSlfi51AJsugKAF0AThLCJ\nlUOgIOyMX2+UTc1Ci3t46xBbEzGWssMmyzwXkBoMJ5v/+FnNABqyE//JPNZt1/DU\ncO1F6NLHd5wXO9f2DjTrgjEqN9DgE3Kg0G5i5k2CqXvbImL6ZpZhu3A4MRs6\n-----END CERTIFICATE-----\n", 139 | "root_cert": "-----BEGIN 
CERTIFICATE-----\nMIIFCTCCAvGgAwIBAgIJAPW81+ib22JIMA0GCSqGSIb3DQEBCwUAMCIxDjAMBgNV\nBAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMTExNzIyMDE1MloXDTMy\nMTExNDIyMDE1MlowIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew\nggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDSzeKUVYad9rExNis/ufhw\ntQHd9P8SEuq9DBNJBxfo2wRt6QyCsLIekCjH0GIPLp3UWj03i9JDauPFXWvMrQTV\nyMG9sjEmhvUlIGAe6w+4fLvljLSmLQeWTVgQUxiDk7bM2OC3+e+sxOGoKDME5dp+\n9od7YuEOmc5WnNF3sFqEkf2E+KB1FQg/PpyilBJSnYLXGasb3OWJE03EOj+mC8va\ninK0u6xw81fcrlDuBHeh3meB8ud7ovY+ZAPqhRWUY4dz3CuGXN5PWCHaUSDNrzKM\nfsHnem8XnG+5Ws4Og9bavlKXf7SvJlpLrn6Y1XC3kdFiWoG4Kf1rAYACiBTH24HI\nIGrLlGXMBtEkMO/RjsV4kSJqkdSkeryvVnZaI5nGXyxvNdUzmmM3qqbS62aQA062\nB1GuIM49DB7xma5Lue1qRxBopOJVGmzcNKDpZ9+HiikReS/fl0A6Z+Sk3sbl2VP6\n/WbpZ7LuuSZkkzAbs+PgsmkQu2hGIk//Aw8xBSqJN5K9lQBrBfKfkyVdPK7WkUNG\n/KinEMmWgQ9LHzXTdeJzvD3aV6Zz1BBVWgaFny7xEbIg8+46Y58oIPfrqtsmd9tS\nv+OkyJjDvArVi4ErG72AriiY1zK1MemLScnGKWQmwCT6Y1foH3nFqJcnSfUzgCh5\nOC6Y7eWo3D1UQWGNlvkkwQIDAQABo0IwQDAdBgNVHQ4EFgQUf19JeG8G9jDhTa4l\nWDm/zyjeyc8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI\nhvcNAQELBQADggIBAJX1TUFtaS39OorE3oOKazttc30kcaMaBeva8DVVucG6OZKx\nqGOjEblmTsdqGYbJ7aoG1bz3LrdkZoViE953sVvq4Yf4ZJx7rORGtNKsWi7FAOEJ\nZIqLDLQk8LUZzNjaFxxa4urqC6tw4x5jcG086nUmIjCN0/z2dyIGozWIKUSL8URs\nYDlXqDQTEZg8qrhWisIdyO5qpkCLslTcGVl3Kq3wzEZxkky3Asc70vob9ine7O7K\nVsgb3Wkcp2FzgoSH7zvhELwePnBfAgY3UlWkqA8MSJbS9C3QdRf+nzrVNfANj/Gd\npFBdJ/blnYyqyba38oHgMFuEFSX2tXOm9LD0PB6qnVyWC2lMFZCjjQzohirgTenP\n4c5q0M4t7ZOtA+USK0v+pMzivgLdaYdjViUKcud62E19gIDQwUxWkkDySAYmrakR\nE49Ai0bx7uuLyf+5RHSWw3B9RAGNg1KBYe2ysLIh8tC1ov5xlBLnmssmK/HP619U\nYpINph/MXXHVe/VXbTTNVdhd6qM8wb48dvd3U2MXVqLSlfi51AJsugKAF0AThLCJ\nlUOgIOyMX2+UTc1Ci3t46xBbEzGWssMmyzwXkBoMJ5v/+FnNABqyE//JPNZt1/DU\ncO1F6NLHd5wXO9f2DjTrgjEqN9DgE3Kg0G5i5k2CqXvbImL6ZpZhu3A4MRs6\n-----END CERTIFICATE-----\n" 140 | }, 141 | "wrap_info": null, 142 | "warnings": null, 143 | "auth": null 144 | } 145 | ``` 146 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Vaulted Istio Certificates 2 | 3 | 4 | ## Introduction 5 | 6 | This walkthrough explores how to avoid using Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret) in order to store Istio Certificates. By default, Secrets are stored in etcd only base64-encoded (an encoding, not encryption). In environments with stringent security policies, this might not be acceptable, so additional security measures are needed to protect them. One such solution is storing secrets in an external secret store provider, like [HashiCorp Vault](https://www.vaultproject.io). 7 | 8 | HashiCorp Vault can be hosted both inside and outside a kubernetes cluster. In this case, we will explore the use case where Vault is hosted outside kubernetes, so that it can provision secrets to multiple clusters at once. The set-up that we will build here is therefore also an ideal stepping stone to explore istio's [multi-cluster feature](https://istio.io/latest/docs/setup/install/multicluster), which requires a shared trust domain. 9 | 10 | Leveraging the `vault-agent-init` container, we can inject certificates and private key material into the actual istio control plane pods, so they are bootstrapped with the external CA certificates. This avoids the dependency on Secrets to bootstrap the istio control plane. Exactly the same technique can be used for ingress and egress certificates.
11 | 12 | More information on how certificates are used and managed within Istio, can be found in the official documentation: 13 | - [Identity and certificate management](https://istio.io/latest/docs/concepts/security/#pki) 14 | - [Plug in CA Certificates](https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert) 15 | - [Custom CA Integration using Kubernetes CSR](https://istio.io/latest/docs/tasks/security/cert-management/custom-ca-k8s) 16 | 17 | For best practices based on real-life production experience, also check out the following [Tetrate](https://tetrate.io) blog posts: 18 | - [Trusting trust: Root Istio’s trust in your existing PKI](https://tetrate.io/blog/istio-trust) 19 | - [Automate Istio CA rotation in production at scale](https://tetrate.io/blog/automate-istio-ca-rotation-in-production-at-scale) 20 | 21 | 22 | The code accompanying this blog post can be found at the following repository: 23 | > https://github.com/tetratelabs/istio-vault-ext-certs 24 | 25 |
26 | 27 | ### Istiod certificate handling 28 | 29 | Although some of the decision logic is explained in the aforementioned blog posts, it is worthwhile to also refer to the [source code](https://github.com/istio/istio/blob/master/pilot/pkg/bootstrap/istio_ca.go) to find some undocumented behavior. 30 | 31 | 32 | ```go 33 | // istio/pilot/pkg/bootstrap/istio_ca.go 34 | // 35 | // For backward compat, will preserve support for the "cacerts" Secret used for self-signed certificates. 36 | // It is mounted in the same location, and if found will be used - creating the secret is sufficient, no need for 37 | // extra options. 38 | // 39 | // In old installer, the LocalCertDir is hardcoded to /etc/cacerts and mounted from "cacerts" secret. 40 | // 41 | // Support for signing other root CA has been removed - too dangerous, no clear use case. 42 | // 43 | // Default config, for backward compat with Citadel: 44 | // - if "cacerts" secret exists in istio-system, will be mounted. It may contain an optional "root-cert.pem", 45 | // with additional roots and optional {ca-key, ca-cert, cert-chain}.pem user-provided root CA. 46 | // - if user-provided root CA is not found, the Secret "istio-ca-secret" is used, with ca-cert.pem and ca-key.pem files. 47 | // - if neither is found, istio-ca-secret will be created. 48 | // - a config map "istio-security" with a "caTLSRootCert" file will be used for root cert, and created if needed. 49 | // The config map was used by node agent - no longer possible to use in sds-agent, but we still save it for 50 | // backward compat. Will be removed with the node-agent. sds-agent is calling NewCitadelClient directly, using 51 | // K8S root.
52 | ``` 53 | 54 | In order to instruct istio to pick up our certificates elsewhere compared to the standard kubernetes secrets, we will leverage an environment variable (documented [here](https://istio.io/latest/docs/reference/commands/pilot-discovery)) for `istio-pilot` (aka `istiod` or the istio control plane), so certificates will be picked up from an alternative location within the Kubernetes POD. This is needed because the `vault-agent-init` injection container will create a new mounted volume `/vault/secrets` to drop the certificates and private key we instrument it to pull from the external vault server. 55 | 56 | | Variable Name | Type | Default Value | Description | 57 | |---------------|--------|---------------|----------------------------------------| 58 | | `ROOT_CA_DIR` | String | /etc/cacerts | Location of a local or mounted CA root | 59 | 60 |
61 | 62 | ### Pod annotations for vault-agent-init 63 | 64 | We will be leveraging vault injector annotations to instruct the sidecar what data to pull and what vault role to use when doing so. We also make sure the `vault-agent-init` container is run before our actual `istiod` main containers, so the latter can pick up the certificates and key material to bootstrap itself correctly. Vault annotations are enumerated and documented [here](https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations). The relevant annotations we will be using in this tutorial are the following. 65 | 66 | | Annotation | Default Value | Description | 67 | |------------|---------------|-------------| 68 | | `vault.hashicorp.com/agent-inject` | "false" | configures whether injection is explicitly enabled or disabled for a pod. This should be set to a true or false value. | 69 | | `vault.hashicorp.com/agent-init-first` | "false" | configures the pod to run the Vault Agent init container first if true (last if false). This is useful when other init containers need pre-populated secrets. This should be set to a true or false value. | 70 | | `vault.hashicorp.com/role` | - | configures the Vault role used by the Vault Agent auto-auth method. Required when `vault.hashicorp.com/agent-configmap` is not set. | 71 | | `vault.hashicorp.com/auth-path` | - | configures the authentication path for the Kubernetes auth method. Defaults to auth/kubernetes. | 72 | | `vault.hashicorp.com/agent-inject-secret-` | - | configures Vault Agent to retrieve the secrets from Vault required by the container. The name of the secret is any unique string after `vault.hashicorp.com/agent-inject-secret-`, such as `vault.hashicorp.com/agent-inject-secret-foobar`. The value is the path in Vault where the secret is located. | 73 | | `vault.hashicorp.com/agent-inject-template-` | - | configures the template Vault Agent should use for rendering a secret. 
The name of the template is any unique string after `vault.hashicorp.com/agent-inject-template-`, such as `vault.hashicorp.com/agent-inject-template-foobar`. This should map to the same unique value provided in `vault.hashicorp.com/agent-inject-secret-`. If not provided, a default generic template is used. | 74 | 75 |
76 | 77 | ### Vault server considerations 78 | 79 | Vault supports several methods for clients to authenticate themselves. We will be leveraging the [kubernetes auth backend](https://developer.hashicorp.com/vault/docs/auth/kubernetes), which means we rely on kubernetes ServiceAccount JWT token validation. Please note that ServiceAccount token Secrets are no longer generated automatically as of kubernetes 1.24. You can still create those API tokens manually, as documented [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-an-api-token-for-a-serviceaccount). 80 | 81 | As for the storage of our certificate and private key material, we have 2 options: 82 | - [PKI Secrets Engine](https://developer.hashicorp.com/vault/docs/secrets/pki) 83 | - [KV Secrets Engine](https://developer.hashicorp.com/vault/docs/secrets/kv) 84 | 85 | Because the PKI secret engine does not provide clean-cut APIs to retrieve the certificates and the private key we need, and because the PKI secret engine will generate a new intermediate certificate for every call (eg every `istiod` restart), we will be using the generic KV secret engine instead, storing all the values we need in a simple key-value data structure. We will assume the renewal of intermediate certificates is handled out-of-band through some service portal or CI/CD process that will store the renewed intermediate certificates in the vault server as well. 86 | 87 | Istio's control plane pods need the following files in order to bootstrap their built-in CA correctly.
88 | 89 | | key | value (PEM encoded) | details | 90 | |-----|---------------------|---------| 91 | | ca-key.pem | CA private key | private key of the intermediate cert, used as root CA for istiod | 92 | | ca-cert.pem | CA public certificate | intermediate cert, used as root CA for istiod | 93 | | root-cert.pem | CA root certificate | the root of trust of our newly generated intermediate cert | 94 | | cert-chain.pem | Full certificate chain | intermediate cert at the top, root cert at the bottom | 95 | 96 |
97 |
98 | 99 | ## Setup 100 | 101 | ### Prerequisites 102 | 103 | Prerequisites in terms of installed software, if you want to follow the local set-up, include: 104 | 105 | - `kubectl` to interact with the kubernetes clusters ([download](https://kubernetes.io/docs/tasks/tools/#kubectl)) 106 | - `helm` to install vault injector and istio charts ([download](https://helm.sh/docs/intro/install)) 107 | - `vault` cli tool to configure the vault server ([download](https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install#install-vault)) 108 | 109 | If you want a local demo environment, please follow the instructions [here](local-setup.md), which use `docker-compose` to spin up a vault server and two separate k3s clusters. In case you bring your own kubernetes clusters and an externally hosted vault instance, skip ahead to the next section. 110 | 111 | - `docker-compose` to spin-up a local environment ([download](https://github.com/docker/compose/releases)) 112 | 113 | In order to progress, we expect the following shell variables to be set according to your environment. 114 | 115 | ```console 116 | export VAULT_SERVER= 117 | export K8S_API_SERVER_1= 118 | export K8S_API_SERVER_2= 119 | ``` 120 | 121 | ### Vault kubernetes auth backend 122 | 123 | As mentioned in the introduction section on [vault server considerations](#vault-server-considerations), we will be using the [kubernetes auth backend](https://developer.hashicorp.com/vault/docs/auth/kubernetes). Since `istiod` will be fetching the certificates and private key material from the vault server, let's start off by creating the corresponding service accounts in both clusters. 
124 | 125 | ```console 126 | kubectl --kubeconfig kubecfg1.yml create ns istio-system 127 | kubectl --kubeconfig kubecfg2.yml create ns istio-system 128 | kubectl --kubeconfig kubecfg1.yml apply -f istio-sa.yml 129 | kubectl --kubeconfig kubecfg2.yml apply -f istio-sa.yml 130 | ``` 131 | 132 | The ServiceAccount, Secret and ClusterRoleBinding in `istio-sa.yml` look like this. 133 | 134 | ```yaml 135 | # istio-sa.yml 136 | apiVersion: v1 137 | kind: ServiceAccount 138 | metadata: 139 | name: istiod 140 | namespace: istio-system 141 | labels: # added for istio helm installation 142 | app: istiod 143 | app.kubernetes.io/managed-by: Helm 144 | release: istio-istiod 145 | annotations: # added for istio helm installation 146 | meta.helm.sh/release-name: istio-istiod 147 | meta.helm.sh/release-namespace: istio-system 148 | --- 149 | apiVersion: v1 150 | kind: Secret 151 | metadata: 152 | name: istiod 153 | namespace: istio-system 154 | annotations: 155 | kubernetes.io/service-account.name: istiod 156 | type: kubernetes.io/service-account-token 157 | --- 158 | apiVersion: rbac.authorization.k8s.io/v1 159 | kind: ClusterRoleBinding 160 | metadata: 161 | name: role-tokenreview-binding 162 | roleRef: 163 | apiGroup: rbac.authorization.k8s.io 164 | kind: ClusterRole 165 | name: system:auth-delegator 166 | subjects: 167 | - kind: ServiceAccount 168 | name: istiod 169 | namespace: istio-system 170 | ``` 171 | 172 | > **NOTE:** We added helm labels and annotations on the `istiod` ServiceAccount in order not to have conflicts with our istio helm deployment later on. 173 | > **NOTE:** The Secret of type `kubernetes.io/service-account-token` makes the API server issue a long-lived, non-expiring token for `istiod`; we need such a token because vault stores it as the token reviewer JWT of the auth backend. Together with the `system:auth-delegator` binding, whoever holds that token can call the TokenReview and SubjectAccessReview APIs of the cluster, so treat it as a credential: restrict who can read Secrets in `istio-system`, and if it is ever exposed, delete and recreate the Secret and re-run the vault auth configuration below. 174 | Once the ServiceAccount in both clusters is created, let's store their Secret `token` value, together with the API server CA certificate taken from each kubeconfig, in an output folder.
175 | 176 | ```console 177 | mkdir -p ./output 178 | kubectl --kubeconfig kubecfg1.yml get secret -n istio-system istiod -o go-template="{{ .data.token }}" | base64 --decode > output/istiod1.jwt 179 | kubectl --kubeconfig kubecfg1.yml config view --raw --minify --flatten -o jsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 --decode > output/k8sapi-cert1.pem 180 | kubectl --kubeconfig kubecfg2.yml get secret -n istio-system istiod -o go-template="{{ .data.token }}" | base64 --decode > output/istiod2.jwt 181 | kubectl --kubeconfig kubecfg2.yml config view --raw --minify --flatten -o jsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 --decode > output/k8sapi-cert2.pem 182 | ``` 183 | 184 | More information on the detailed content of the kubernetes API certificate and the `istiod` ServiceAccount JWT token can be found [here](output), where we also describe the vault interaction process in more depth in terms of REST API calls made to authenticate and fetch secrets. These can come in handy when debugging permission denied issues. > **NOTE:** `output/istiod1.jwt` and `output/istiod2.jwt` are bearer tokens, not just debugging material: anyone holding them can authenticate to the respective API server as the `istiod` ServiceAccount. Keep the `output` folder out of version control (add it to `.gitignore`) and delete the token files once vault has been configured; the CA certificates in the same folder are public and harmless. 185 | 186 | Let's create the necessary vault auth configuration based on the kubernetes CA certs and JWT tokens just retrieved.
187 | 188 | ```console 189 | export VAULT_ADDR=http://localhost:8200 190 | vault login root 191 | vault auth enable --path=kubernetes-cluster1 kubernetes 192 | vault auth enable --path=kubernetes-cluster2 kubernetes 193 | vault write auth/kubernetes-cluster1/config \ 194 | kubernetes_host="$K8S_API_SERVER_1" \ 195 | kubernetes_ca_cert=@output/k8sapi-cert1.pem \ 196 | token_reviewer_jwt=`cat output/istiod1.jwt` \ 197 | disable_local_ca_jwt="true" 198 | vault write auth/kubernetes-cluster2/config \ 199 | kubernetes_host="$K8S_API_SERVER_2" \ 200 | kubernetes_ca_cert=@output/k8sapi-cert2.pem \ 201 | token_reviewer_jwt=`cat output/istiod2.jwt` \ 202 | disable_local_ca_jwt="true" 203 | ``` 204 | 205 | > **NOTE:** `VAULT_ADDR` is set to a plain `http://localhost` address and `vault login root` uses the static dev-mode root token; both only make sense for the `docker-compose` provided environment. With your own vault server, set `VAULT_ADDR` to `$VAULT_SERVER` (an `https://` address) and log in with a token or auth method scoped to managing auth backends, secrets engines and policies rather than the root token. Prefer `token_reviewer_jwt=@output/istiod1.jwt` over the `` `cat ...` `` substitution as well: the `@file` form, which we already use for `kubernetes_ca_cert`, keeps the bearer token out of your shell history and process listing. `disable_local_ca_jwt="true"` is set because vault runs outside the clusters and must not fall back to a local pod CA certificate and ServiceAccount token. 206 | 207 |
208 | 209 | ### Istio certificates and private key in vault kv secrets 210 | 211 | Next we will create a new self-signed root certificate and generate intermediate certificates for both our clusters. We will be using the helper `makefile` scripts provided by upstream istio [here](https://github.com/istio/istio/tree/master/tools/certs). 212 | 213 | ```console 214 | cd certs 215 | make -f ../certs-gen/Makefile.selfsigned.mk root-ca 216 | make -f ../certs-gen/Makefile.selfsigned.mk istiod-cluster1-cacerts 217 | make -f ../certs-gen/Makefile.selfsigned.mk istiod-cluster2-cacerts 218 | cd .. 219 | ``` 220 | 221 | More details on the actual content and the X509v3 extensions being set can be found [here](certs). You can fine-tune the certificate generation through the `Makefile` documentation [here](certs-gen) and the corresponding `Makefile` override values. 222 | 223 | Let's add the generated intermediate certificates and private keys into vault kv secrets. Note that `vault secrets enable ... kv` without `-version=2` enables a KV version 1 engine; the policy paths and the vault agent templates further down assume version 1 (a KV v2 engine would need `.../data/...` paths in policies and `.Data.data.<key>` in templates). The root private key produced next to `root-cert.pem` by the `root-ca` target is deliberately not uploaded: it is only needed to issue or renew intermediates, so keep it offline and out of version control, and treat the `ca-key.pem` files the same way once they are in vault. 224 | 225 | ```console 226 | export VAULT_ADDR=http://localhost:8200 227 | vault login root 228 | vault secrets enable -path=kubernetes-cluster1-secrets kv 229 | vault secrets enable -path=kubernetes-cluster2-secrets kv 230 | vault kv put kubernetes-cluster1-secrets/istiod-service/certs \ 231 | ca_key=@certs/istiod-cluster1/ca-key.pem \ 232 | ca_cert=@certs/istiod-cluster1/ca-cert.pem \ 233 | cert_chain=@certs/istiod-cluster1/cert-chain.pem \ 234 | root_cert=@certs/istiod-cluster1/root-cert.pem 235 | vault kv put kubernetes-cluster2-secrets/istiod-service/certs \ 236 | ca_key=@certs/istiod-cluster2/ca-key.pem \ 237 | ca_cert=@certs/istiod-cluster2/ca-cert.pem \ 238 | cert_chain=@certs/istiod-cluster2/cert-chain.pem \ 239 | root_cert=@certs/istiod-cluster2/root-cert.pem 240 | ``` 241 | 242 | Next, restrict access to those certificates and private key per cluster, by binding a read-only policy to the `istiod` ServiceAccount through the auth backend of that same cluster. This is what keeps the two clusters isolated: the `istiod` of cluster 1 can only ever read the intermediate key of cluster 1, and vice versa.
243 | 244 | ```console 245 | echo 'path "kubernetes-cluster1-secrets/istiod-service/certs" { 246 | capabilities = ["read"] 247 | }' | vault policy write istiod-certs-cluster1 - 248 | echo 'path "kubernetes-cluster2-secrets/istiod-service/certs" { 249 | capabilities = ["read"] 250 | }' | vault policy write istiod-certs-cluster2 - 251 | vault write auth/kubernetes-cluster1/role/istiod \ 252 | bound_service_account_names=istiod \ 253 | bound_service_account_namespaces=istio-system \ 254 | policies=istiod-certs-cluster1 \ 255 | ttl=24h 256 | vault write auth/kubernetes-cluster2/role/istiod \ 257 | bound_service_account_names=istiod \ 258 | bound_service_account_namespaces=istio-system \ 259 | policies=istiod-certs-cluster2 \ 260 | ttl=24h 261 | ``` 262 | > **NOTE:** Each policy grants `read` on exactly one path and nothing else; resist widening it to a wildcard so that a compromised `istiod` pod cannot enumerate other secrets. `policies` and `ttl` are the older role parameter names; recent vault releases document them as `token_policies` and `token_ttl`, so check the documentation of your version. The `ttl` bounds the lifetime of the vault token the injected agent obtains; the agent renews it while the pod runs, so a shorter value costs nothing and limits the exposure window of a leaked token. 263 |
264 | 265 | ### Deploy vault-injector and istio helm charts 266 | 267 | In order to deploy the vault injector, we will be leveraging the official vault [helm charts](https://github.com/hashicorp/vault-helm). Only the injector is deployed into the clusters (`injector.externalVaultAddr`); no vault server runs inside them. The injected agents will talk to `$VAULT_SERVER` directly, so for anything beyond the local demo that must be an `https://` endpoint whose certificate the agents trust (the injector exposes annotations for passing a CA certificate to the agent), otherwise the intermediate CA private key is fetched over plaintext. 268 | 269 | ```console 270 | helm repo add hashicorp https://helm.releases.hashicorp.com 271 | helm repo update 272 | kubectl --kubeconfig kubecfg1.yml create ns vault 273 | kubectl --kubeconfig kubecfg2.yml create ns vault 274 | helm --kubeconfig kubecfg1.yml install -n vault vault-inject hashicorp/vault --set "injector.externalVaultAddr=$VAULT_SERVER" 275 | helm --kubeconfig kubecfg2.yml install -n vault vault-inject hashicorp/vault --set "injector.externalVaultAddr=$VAULT_SERVER" 276 | kubectl --kubeconfig kubecfg1.yml -n vault get pods 277 | kubectl --kubeconfig kubecfg2.yml -n vault get pods 278 | ``` 279 | 280 | ``` 281 | NAME READY STATUS RESTARTS AGE 282 | vault-inject-agent-injector-5776975795-9vt9w 1/1 Running 0 92s 283 | NAME READY STATUS RESTARTS AGE 284 | vault-inject-agent-injector-5776975795-9vjnx 1/1 Running 0 91s 285 | ``` 286 | 287 | 288 | To install istio, we will be using the Tetrate Istio Distribution [helm charts](https://github.com/tetratelabs/helm-charts). 289 | 290 | ```console 291 | helm repo add tetratelabs https://tetratelabs.github.io/helm-charts 292 | helm repo update 293 | helm --kubeconfig kubecfg1.yml install -n istio-system istio-base tetratelabs/base 294 | helm --kubeconfig kubecfg2.yml install -n istio-system istio-base tetratelabs/base 295 | helm --kubeconfig kubecfg1.yml install -n istio-system istio-istiod tetratelabs/istiod --values=./cluster1-values.yaml 296 | helm --kubeconfig kubecfg2.yml install -n istio-system istio-istiod tetratelabs/istiod --values=./cluster2-values.yaml 297 | kubectl --kubeconfig kubecfg1.yml -n istio-system get pods 298 | kubectl --kubeconfig kubecfg2.yml -n istio-system get pods 299 | ``` 300 | 301 | Note how we leverage several istio helm chart value overrides to accomplish our desired goal (`cluster1-values.yaml` is shown below; `cluster2-values.yaml` differs only in the secret path and `auth-path`).
302 | - inject a pilot pod environment variable `ROOT_CA_DIR` to tell `istiod` where to fetch certificates and private key 303 | - make the `vault-agent-init` init container run first, ahead of any other init container, so the secrets are already present in the `/vault/secrets` mounted volume when the `discovery` container starts 304 | - instruct the vault injector to fetch secrets based on the correct location and data keys, rendering each key to its own file; the `.Data.<key>` form matches the KV version 1 engine enabled earlier 305 | - assume the vault `istiod` role while doing so 306 | - override the default kubernetes `auth-path`, because we have one auth backend per cluster 307 | 308 | ```yaml 309 | pilot: 310 | env: 311 | ROOT_CA_DIR: /vault/secrets 312 | podAnnotations: 313 | vault.hashicorp.com/agent-inject: "true" 314 | vault.hashicorp.com/agent-init-first: "true" 315 | vault.hashicorp.com/agent-inject-secret-ca-key.pem: "kubernetes-cluster1-secrets/istiod-service/certs" 316 | vault.hashicorp.com/agent-inject-template-ca-key.pem: | 317 | {{- with secret "kubernetes-cluster1-secrets/istiod-service/certs" -}} 318 | {{ .Data.ca_key }} 319 | {{ end -}} 320 | vault.hashicorp.com/agent-inject-secret-ca-cert.pem: "kubernetes-cluster1-secrets/istiod-service/certs" 321 | vault.hashicorp.com/agent-inject-template-ca-cert.pem: | 322 | {{- with secret "kubernetes-cluster1-secrets/istiod-service/certs" -}} 323 | {{ .Data.ca_cert }} 324 | {{ end -}} 325 | vault.hashicorp.com/agent-inject-secret-root-cert.pem: "kubernetes-cluster1-secrets/istiod-service/certs" 326 | vault.hashicorp.com/agent-inject-template-root-cert.pem: | 327 | {{- with secret "kubernetes-cluster1-secrets/istiod-service/certs" -}} 328 | {{ .Data.root_cert }} 329 | {{ end -}} 330 | vault.hashicorp.com/agent-inject-secret-cert-chain.pem: "kubernetes-cluster1-secrets/istiod-service/certs" 331 | vault.hashicorp.com/agent-inject-template-cert-chain.pem: | 332 | {{- with secret "kubernetes-cluster1-secrets/istiod-service/certs" -}} 333 | {{ .Data.cert_chain }} 334 | {{ end -}} 335 | vault.hashicorp.com/role: "istiod" 336 | vault.hashicorp.com/auth-path: "auth/kubernetes-cluster1"
337 | ``` 338 | 339 | When we look at the `vault-agent-init` container traces, we should see something like this. Our control plane has correctly picked up the vault injected secrets. 340 | 341 | ```console 342 | kubectl --kubeconfig kubecfg1.yml logs -n istio-system -l app=istiod -c vault-agent-init --tail=-1 343 | ``` 344 | 345 | ``` 346 | ==> Vault agent started! Log data will stream in below: 347 | 348 | ==> Vault agent configuration: 349 | 350 | Cgo: disabled 351 | Log Level: info 352 | Version: Vault v1.12.0, built 2022-10-10T18:14:33Z 353 | Version Sha: 558abfa75702b5dab4c98e86b802fb9aef43b0eb 354 | 355 | 2022-11-18T11:01:21.398Z [INFO] sink.file: creating file sink 356 | 2022-11-18T11:01:21.398Z [INFO] sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r----- 357 | 2022-11-18T11:01:21.398Z [INFO] template.server: starting template server 358 | 2022-11-18T11:01:21.398Z [INFO] sink.server: starting sink server 359 | 2022-11-18T11:01:21.398Z [INFO] auth.handler: starting auth handler 360 | 2022-11-18T11:01:21.398Z [INFO] auth.handler: authenticating 361 | 2022-11-18T11:01:21.398Z [INFO] (runner) creating new runner (dry: false, once: false) 362 | 2022-11-18T11:01:21.398Z [INFO] (runner) creating watcher 363 | 2022-11-18T11:01:21.402Z [INFO] auth.handler: authentication successful, sending token to sinks 364 | 2022-11-18T11:01:21.402Z [INFO] auth.handler: starting renewal process 365 | 2022-11-18T11:01:21.402Z [INFO] sink.file: token written: path=/home/vault/.vault-token 366 | 2022-11-18T11:01:21.402Z [INFO] sink.server: sink server stopped 367 | 2022-11-18T11:01:21.402Z [INFO] sinks finished, exiting 368 | 2022-11-18T11:01:21.402Z [INFO] template.server: template server received new token 369 | 2022-11-18T11:01:21.402Z [INFO] (runner) stopping 370 | 2022-11-18T11:01:21.402Z [INFO] (runner) creating new runner (dry: false, once: false) 371 | 2022-11-18T11:01:21.402Z [INFO] (runner) creating watcher 372 | 2022-11-18T11:01:21.402Z [INFO] 
(runner) starting 373 | 2022-11-18T11:01:21.403Z [INFO] auth.handler: renewed auth token 374 | 2022-11-18T11:01:21.515Z [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/root-cert.pem" 375 | 2022-11-18T11:01:21.515Z [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/ca-cert.pem" 376 | 2022-11-18T11:01:21.515Z [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/cert-chain.pem" 377 | 2022-11-18T11:01:21.516Z [INFO] (runner) rendered "(dynamic)" => "/vault/secrets/ca-key.pem" 378 | 2022-11-18T11:01:21.516Z [INFO] (runner) stopping 379 | 2022-11-18T11:01:21.516Z [INFO] template.server: template server stopped 380 | 2022-11-18T11:01:21.516Z [INFO] (runner) received finish 381 | 2022-11-18T11:01:21.516Z [INFO] auth.handler: shutdown triggered, stopping lifetime watcher 382 | 2022-11-18T11:01:21.516Z [INFO] auth.handler: auth handler stopped 383 | ``` 384 | 385 | When we look at the `discovery` container traces, we should see something like this. 386 | 387 | ```console 388 | kubectl --kubeconfig kubecfg1.yml logs -n istio-system -l app=istiod -c discovery --tail=-1 389 | ``` 390 | 391 | ``` 392 | info Using istiod file format for signing ca files 393 | info Use plugged-in cert at /vault/secrets/ca-key.pem 394 | info x509 cert - Issuer: "CN=Intermediate CA,O=Istio,L=istiod-cluster1", Subject: "", SN: 39f67569f10d36a1fc91e9d82156b07d, NotBefore: "2022-11-18T11:11:59Z", NotAfter: "2032-11-15T11:13:59Z" 395 | info x509 cert - Issuer: "CN=Root CA,O=Istio", Subject: "CN=Intermediate CA,O=Istio,L=istiod-cluster1", SN: dedf298a147681d6, NotBefore: "2022-11-17T22:01:54Z", NotAfter: "2024-11-16T22:01:54Z" 396 | info x509 cert - Issuer: "CN=Root CA,O=Istio", Subject: "CN=Root CA,O=Istio", SN: f5bcd7e89bdb6248, NotBefore: "2022-11-17T22:01:52Z", NotAfter: "2032-11-14T22:01:52Z" 397 | info Istiod certificates are reloaded 398 | info spiffe Added 1 certs to trust domain cluster.local in peer cert verifier 399 | ``` 400 | 401 | We can see that our istio control plane has 
correctly picked up the certificates and private key injected from vault. Mission accomplished! Note the lifetimes in the log above: the intermediate issued by our root is valid for two years while the root is valid for ten, so the intermediate has to be re-issued and the kv entry updated well before it expires. `istiod` logs `Istiod certificates are reloaded` when the files under `ROOT_CA_DIR` change; whether the injected vault agent re-renders `/vault/secrets` on its own after a kv update depends on its template settings, so verify this in your environment before relying on it for rotation. 402 | 403 | 404 | ## Conclusion 405 | 406 | In this blog we have successfully bootstrapped the istio control plane with external vault stored certificates and private keys. The steps to achieve this included: 407 | - storing the certificates and private key in per cluster dedicated vault secret mount paths 408 | - setting up kubernetes vault auth backends per cluster, linked to the proper ServiceAccount 409 | - defining a read-only policy and a role that grant the `istiod` ServiceAccount of each cluster access to that cluster's vault secrets only 410 | - adjusting istio `pilot` bootstrap parameters to 411 | - inject the `vault-agent-init` sidecars 412 | - fetch the correct vault secrets containing our certificates and private key 413 | - using the right role and auth backend to do so 414 | - pick up the certificates and private key from the correct vault secret mount path 415 | 416 | We can use exactly the same technique to inject `ingress-gateway` and `egress-gateway` certificates. When creating istio [Gateway](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings) objects, make sure to point `serverCertificate`, `privateKey` and `caCertificates` to the correct files within the `/vault/secrets` mounted volume. Give the gateways their own kv path, policy and vault role bound to their own ServiceAccount rather than reusing the `istiod` one, so that a gateway pod is never able to read the CA private key. We'll leave this as an exercise for the reader. 417 | 418 | By tying our certificate injection to kubernetes ServiceAccounts, we have now delegated certificate lifecycle management to an external secret vault. External processes, like a service portal or a CI/CD pipeline, can now be created with dedicated roles and write/update policies on these kv paths, to provide the necessary certificate life-cycle management security without ever handing the CA private key to a human. 419 | --------------------------------------------------------------------------------