-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a user guide for Istio Vault CA integration #3098
Add a user guide for Istio Vault CA integration #3098
Conversation
Deploy preview for preliminary-istio failed. Built with commit 1634eb3 https://app.netlify.com/sites/preliminary-istio/deploys/5c3f99d98a23e0000896ab19 |
/cc @myidpt |
## Install Istio with SDS enabled | ||
|
||
1. Use `git clone` to download the latest Istio source code. | ||
As the time of writing, the latest Istio code is on the release-1.1 branch |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Er, I'm not sure we need or want any of this GitHub gymnastic in customer documentation.
Documentation checked into the master branch of this repo will only be made available to customers when 1.1 is officially released. So I presume the customers won't need to do custom builds of anything in order to get the functionality, correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct. The GitHub gymnastic has been removed.
2343193
to
68908f7
Compare
68908f7
to
0ef8c23
Compare
d306888
to
96c7cd7
Compare
probably merge this PR into https://github.com/istio/istio.io/blob/master/content/docs/tasks/security/auth-sds/index.md#before-you-begin ? since the only difference will be which helm value file to applied(citadel config or vault config). |
This PR and https://github.com/istio/istio.io/blob/master/content/docs/tasks/security/auth-sds/index.md#before-you-begin both have a step to run helm template command. Other than that, they are quite different. This PR provides a user guide for plugging in Vault CA and observing the certificate signing requests routed to Vault CA; none of these content is in the tasks/security/auth-sds/index.md#before-you-begin. |
@@ -0,0 +1,148 @@ | |||
--- | |||
title: Istio Vault CA integration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
integration -> Integration
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
|
||
* Create a new Kubernetes cluster to run the example in this tutorial. | ||
|
||
* On GKE, you may set the value of the `CLUSTER`, `ZONE`, and `PROJECT` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need per-platform instructions? It's not great to have an explicit callout to GKE in an otherwise generic doc page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed the per-platform instructions.
|
||
## Install Istio with SDS enabled | ||
|
||
1. Use `git clone` to download the latest Istio source code. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, can we assume customers have access to the full 1.1 release bits and that they need/want our source code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Revised to assume customers have access to the full 1.1 release bits. Removed downloading source code.
|
||
1. Install Istio with SDS enabled and Node Agent sending certificate signing | ||
requests to a testing Vault CA (this example uses the latest release on | ||
2019-01-15, you may also use other releases): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doc should be relative to the final 1.1 release, not a specific nightly build.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Revised accordingly.
the testing Vault server, so that Envoy will not intercept the traffic from | ||
Node Agent to Vault. | ||
|
||
The yaml file `install/kubernetes/helm/istio/values-istio-example-sds-vault.yaml` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use {{< github_file >}}install/kubernetes/helm/istio/values-istio-example-sds-vault.yaml{{< /github_file >}}
which will produce a link to the file in GitHub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
## Deploy a testing workload | ||
|
||
This section deploys a testing workload `httpbin`. When the sidecar of the | ||
testing workload requests for a certificate through SDS, Node Agent will send |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for a -> a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
testing workload requests for a certificate through SDS, Node Agent will send | ||
certificate signing requests to Vault. | ||
|
||
1. Download the Istio install package |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, we need to assume 1.1 is available and in use. Please look at how other pages handle this kind of step for an example.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Revised based on the comment.
1. Generate the deployment for an example `httpbin` backend: | ||
|
||
{{< text bash >}} | ||
$ bin/istioctl kube-inject -f samples/httpbin/httpbin.yaml > httpbin-injected.yaml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No "bin/"
Surround the input yaml path name with @@. This will result in a link to the file on GitHub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done, but "surround the input yaml path name with @@" does not result in a link when previewing the page through the localhost:1313 server (perhaps because it is in {{< text bash >}} block?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The @@ syntax is specifically only supported in text blocks. Check out other pages for examples. But it should be:
$ istioctl kube-inject -f @samples/httpbin/httpbin.yaml@ > httpbin-injected.yaml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, thanks!
$ kubectl apply -f httpbin-injected.yaml | ||
{{< /text >}} | ||
|
||
1. List the pods of Node Agent: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
List Node Agent's pods:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
$ kubectl get pod -n istio-system -l app=nodeagent -o jsonpath={.items..metadata.name} | ||
{{< /text >}} | ||
|
||
1. View the logs of each Node Agent. The Node Agent residing on |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
View each Node Agent's logs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Getting close :-)
1. Generate the deployment for an example `httpbin` backend: | ||
|
||
{{< text bash >}} | ||
$ istioctl kube-inject -f @@samples/httpbin/httpbin.yaml@@ > httpbin-injected.yaml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, my comment was ambiguous. Just a single @ on either end is what is needed, not two.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
$ kubectl logs -n istio-system THE-POD-NAME-FROM-PREVIOUS-COMMAND | ||
{{< /text >}} | ||
|
||
1. Because in this example, Vault is not configured to accept the k8s JWT |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace any uses of k8s with Kubernetes within the doc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
|
||
1. Because in this example, Vault is not configured to accept the k8s JWT | ||
service account from the `httpbin` workload, you should see that Vault rejects the | ||
signing requests with the following logs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
logs. -> logs:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: geeknoid, lei-tang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Add a user guide for Istio Vault CA integration.
This PR is for the issues:
It depends on istio/istio#11024.