Add a user guide for Istio Vault CA integration #3098
Conversation
|
Deploy preview for preliminary-istio failed. Built with commit 1634eb3 https://app.netlify.com/sites/preliminary-istio/deploys/5c3f99d98a23e0000896ab19 |
|
/cc @myidpt |
| ## Install Istio with SDS enabled | ||
|
|
||
| 1. Use `git clone` to download the latest Istio source code. | ||
| As the time of writing, the latest Istio code is on the release-1.1 branch |
There was a problem hiding this comment.
Er, I'm not sure we need or want any of this GitHub gymnastic in customer documentation.
Documentation checked into the master branch of this repo will only be made available to customers when 1.1 is officially released. So I presume the customers won't need to do custom builds of anything in order to get the functionality, correct?
There was a problem hiding this comment.
Correct. The GitHub gymnastic has been removed.
lei-tang
force-pushed
the
user_guide_vault_integration
branch
3 times, most recently
from
2343193
to
68908f7
Compare
lei-tang
force-pushed
the
user_guide_vault_integration
branch
from
68908f7
to
0ef8c23
Compare
lei-tang
force-pushed
the
user_guide_vault_integration
branch
from
d306888
to
96c7cd7
Compare
|
probably merge this PR into https://github.com/istio/istio.io/blob/master/content/docs/tasks/security/auth-sds/index.md#before-you-begin ? since the only difference will be which helm value file to applied(citadel config or vault config). |
|
This PR and https://github.com/istio/istio.io/blob/master/content/docs/tasks/security/auth-sds/index.md#before-you-begin both have a step to run helm template command. Other than that, they are quite different. This PR provides a user guide for plugging in Vault CA and observing the certificate signing requests routed to Vault CA; none of these content is in the tasks/security/auth-sds/index.md#before-you-begin. |
| @@ -0,0 +1,148 @@ | |||
| --- | |||
| title: Istio Vault CA integration | |||
There was a problem hiding this comment.
integration -> Integration
|
|
||
| * Create a new Kubernetes cluster to run the example in this tutorial. | ||
|
|
||
| * On GKE, you may set the value of the `CLUSTER`, `ZONE`, and `PROJECT` |
There was a problem hiding this comment.
Do we need per-platform instructions? It's not great to have an explicit callout to GKE in an otherwise generic doc page.
There was a problem hiding this comment.
Removed the per-platform instructions.
|
|
||
| ## Install Istio with SDS enabled | ||
|
|
||
| 1. Use `git clone` to download the latest Istio source code. |
There was a problem hiding this comment.
Again, can we assume customers have access to the full 1.1 release bits and that they need/want our source code?
There was a problem hiding this comment.
Revised to assume customers have access to the full 1.1 release bits. Removed downloading source code.
|
|
||
| 1. Install Istio with SDS enabled and Node Agent sending certificate signing | ||
| requests to a testing Vault CA (this example uses the latest release on | ||
| 2019-01-15, you may also use other releases): |
There was a problem hiding this comment.
This doc should be relative to the final 1.1 release, not a specific nightly build.
There was a problem hiding this comment.
Revised accordingly.
| the testing Vault server, so that Envoy will not intercept the traffic from | ||
| Node Agent to Vault. | ||
|
|
||
| The yaml file `install/kubernetes/helm/istio/values-istio-example-sds-vault.yaml` |
There was a problem hiding this comment.
Use {{< github_file >}}install/kubernetes/helm/istio/values-istio-example-sds-vault.yaml{{< /github_file >}} which will produce a link to the file in GitHub.
| ## Deploy a testing workload | ||
|
|
||
| This section deploys a testing workload `httpbin`. When the sidecar of the | ||
| testing workload requests for a certificate through SDS, Node Agent will send |
| testing workload requests for a certificate through SDS, Node Agent will send | ||
| certificate signing requests to Vault. | ||
|
|
||
| 1. Download the Istio install package |
There was a problem hiding this comment.
Again, we need to assume 1.1 is available and in use. Please look at how other pages handle this kind of step for an example.
There was a problem hiding this comment.
Revised based on the comment.
| 1. Generate the deployment for an example `httpbin` backend: | ||
|
|
||
| {{< text bash >}} | ||
| $ bin/istioctl kube-inject -f samples/httpbin/httpbin.yaml > httpbin-injected.yaml |
There was a problem hiding this comment.
No "bin/"
Surround the input yaml path name with @@. This will result in a link to the file on GitHub.
There was a problem hiding this comment.
Done, but "surround the input yaml path name with @@" does not result in a link when previewing the page through the localhost:1313 server (perhaps because it is in {{< text bash >}} block?)
There was a problem hiding this comment.
The @@ syntax is specifically only supported in text blocks. Check out other pages for examples. But it should be:
$ istioctl kube-inject -f @samples/httpbin/httpbin.yaml@ > httpbin-injected.yaml
| $ kubectl apply -f httpbin-injected.yaml | ||
| {{< /text >}} | ||
|
|
||
| 1. List the pods of Node Agent: |
| $ kubectl get pod -n istio-system -l app=nodeagent -o jsonpath={.items..metadata.name} | ||
| {{< /text >}} | ||
|
|
||
| 1. View the logs of each Node Agent. The Node Agent residing on |
There was a problem hiding this comment.
View each Node Agent's logs.
| 1. Generate the deployment for an example `httpbin` backend: | ||
|
|
||
| {{< text bash >}} | ||
| $ istioctl kube-inject -f @@samples/httpbin/httpbin.yaml@@ > httpbin-injected.yaml |
There was a problem hiding this comment.
Sorry, my comment was ambiguous. Just a single @ on either end is what is needed, not two.
| $ kubectl logs -n istio-system THE-POD-NAME-FROM-PREVIOUS-COMMAND | ||
| {{< /text >}} | ||
|
|
||
| 1. Because in this example, Vault is not configured to accept the k8s JWT |
There was a problem hiding this comment.
Replace any uses of k8s with Kubernetes within the doc.
|
|
||
| 1. Because in this example, Vault is not configured to accept the k8s JWT | ||
| service account from the `httpbin` workload, you should see that Vault rejects the | ||
| signing requests with the following logs. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: geeknoid, lei-tang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Add a user guide for Istio Vault CA integration.
This PR is for the issues:
It depends on istio/istio#11024.