Both the vault-operator and the vault-secrets-webhook can work on Istio enabled clusters quite well.
We support the following three scenarios:
- Scenario 1: Vault runs outside an Istio mesh, whereas the namespace where the application runs and the webhook injects secrets has Istio sidecar injection enabled
- Scenario 2: The namespace where Vault is running has Istio sidecar injection enabled
- Scenario 3: Both namespaces have Istio sidecar injection enabled
Prerequisites

Install the Banzai Cloud Istio operator with the Backyards CLI
- First of all, you need to install the Backyards CLI on your cluster: register for the free tier version of Cisco Service Mesh Manager (formerly called Banzai Cloud Backyards) and follow the Getting Started Guide for up-to-date instructions on the installation.

- Install the Istio operator using Backyards. You need only the Istio operator, but you can experiment with the Backyards UI/CLI and the large collection of automated Istio features provided by Backyards like observability, traffic routing, canary, circuit breakers, and so on - check out this long list of features. We provide sample commands to configure Istio using Backyards and also using kubectl.

  ```
  backyards install
  ? Install istio-operator (recommended). Press enter to accept Yes
  ? Install canary-operator (recommended). Press enter to accept No
  ? Install and run demo application (optional). Press enter to skip No
  ```
- Make sure you have mTLS enabled in the Istio mesh through the operator with the following command. Enable mTLS if it is not set to STRICT:

  - With kubectl (the patch value must be a quoted JSON string):

    ```bash
    kubectl patch istio -n istio-system mesh --type=json -p='[{"op": "replace", "path": "/spec/meshPolicy/mtlsMode", "value":"STRICT"}]'
    ```

  - With backyards:

    ```
    ❯ backyards mtls require mesh
    INFO[0000] switched global mTLS to STRICT successfully
    ```

  After this, we can check that the mesh is configured with mTLS turned on, which applies to all applications in the cluster in Istio-enabled namespaces. You can change this if you would like to use another policy.

  - With kubectl:

    ```yaml
    $ kubectl get meshpolicy default -o yaml
    apiVersion: authentication.istio.io/v1alpha1
    kind: MeshPolicy
    metadata:
      name: default
      labels:
        app: security
    spec:
      peers:
      - mtls: {}
    ```

  - With backyards:

    ```
    $ backyards mtls get mesh
    mTLS rule for /mesh

    Policy    Targets  MtlsMode
    /default  []       STRICT
    ```

- Now your cluster is properly running on Istio with mTLS enabled globally.
Install the Bank-Vaults components

- It is recommended to create a separate namespace for Bank-Vaults called vault-system. You can enable Istio sidecar injection here as well, but Kubernetes won't be able to call back the webhook properly since mTLS is enabled (and Kubernetes is outside of the Istio mesh). To overcome this, apply a PERMISSIVE Istio authentication policy to the vault-secrets-webhook Service itself, so Kubernetes can call it back without Istio mutual TLS authentication.

  ```bash
  kubectl create namespace vault-system
  kubectl label namespace vault-system name=vault-system istio-injection=enabled
  ```

  - With kubectl:

    ```bash
    kubectl apply -f - <<EOF
    apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: vault-secrets-webhook
      namespace: vault-system
      labels:
        app: security
    spec:
      targets:
      - name: vault-secrets-webhook
      peers:
      - mtls:
          mode: PERMISSIVE
    EOF
    ```

  - With backyards:

    ```
    $ backyards mtls allow vault-system/vault-secrets-webhook
    INFO[0001] policy peers for vault-system/vault-secrets-webhook set successfully
    mTLS rule for vault-system/vault-secrets-webhook

    Policy                                    Targets                  MtlsMode
    vault-system/vault-secrets-webhook-rw6mc  [vault-secrets-webhook]  PERMISSIVE
    ```

- Now you can install the operator and the webhook to the prepared namespace:

  ```bash
  helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
  helm upgrade --install vault-secrets-webhook banzaicloud-stable/vault-secrets-webhook --namespace vault-system
  helm upgrade --install vault-operator banzaicloud-stable/vault-operator --namespace vault-system
  ```

  Soon the webhook and the operator become up and running. Check that the istio-proxy got injected into all Pods in vault-system.
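The PERMISSIVE exemption above is deliberately scoped to the vault-secrets-webhook Service rather than to the whole vault-system namespace. As an added example (not part of Bank-Vaults or Backyards), the following Python script audits the v1alpha1 MeshPolicy and Policy objects as `kubectl get ... -o json` would return them, and flags a mesh that is not STRICT or a relaxed policy whose targets are missing or unexpected; the inputs are constructed to mirror the objects on this page plus one hypothetical over-broad policy.

```python
import json

# Constructed sample mirroring the MeshPolicy shown on this page (STRICT mesh).
MESH_POLICY_JSON = json.dumps({
    "apiVersion": "authentication.istio.io/v1alpha1", "kind": "MeshPolicy",
    "metadata": {"name": "default"},
    "spec": {"peers": [{"mtls": {}}]},
})

# Constructed sample list: the intended webhook exemption from this page plus a
# hypothetical policy without targets, which would relax mTLS for the whole namespace.
POLICY_LIST_JSON = json.dumps({"items": [
    {"kind": "Policy",
     "metadata": {"name": "vault-secrets-webhook", "namespace": "vault-system"},
     "spec": {"targets": [{"name": "vault-secrets-webhook"}],
              "peers": [{"mtls": {"mode": "PERMISSIVE"}}]}},
    {"kind": "Policy",
     "metadata": {"name": "too-broad", "namespace": "vault-system"},
     "spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]}},
]})


def mtls_mode(spec):
    """mTLS mode of a v1alpha1 authentication spec: an empty `mtls: {}` peer
    means STRICT (the default); no mtls peer at all means mTLS is not required."""
    for peer in spec.get("peers", []):
        if "mtls" in peer:
            return peer["mtls"].get("mode", "STRICT")
    return "NONE"


def audit(mesh_policy_json, policy_list_json, allowed_targets=("vault-secrets-webhook",)):
    """Return findings as strings; an empty list means the setup matches this page."""
    findings = []
    if mtls_mode(json.loads(mesh_policy_json)["spec"]) != "STRICT":
        findings.append("MeshPolicy default: mTLS is not STRICT")
    for pol in json.loads(policy_list_json)["items"]:
        ns, name = pol["metadata"]["namespace"], pol["metadata"]["name"]
        if mtls_mode(pol["spec"]) == "STRICT":
            continue  # a STRICT namespace or service policy only tightens things
        targets = [t["name"] for t in pol["spec"].get("targets", [])]
        if not targets:
            findings.append(f"{ns}/{name}: relaxed mTLS with no targets covers the whole namespace")
        for t in targets:
            if t not in allowed_targets:
                findings.append(f"{ns}/{name}: relaxed mTLS for unexpected target {t}")
    return findings
```

Running `audit(MESH_POLICY_JSON, POLICY_LIST_JSON)` on the constructed input returns a single finding, for the hypothetical too-broad policy; the webhook-scoped policy from this page passes.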
Proceed to the description of your scenario:
- Scenario 1: Vault runs outside an Istio mesh, whereas the namespace where the application runs and the webhook injects secrets has Istio sidecar injection enabled
- Scenario 2: The namespace where Vault is running has Istio sidecar injection enabled
- Scenario 3: Both namespaces have Istio sidecar injection enabled