Both the vault-operator and the vault-secrets-webhook can work on Istio enabled clusters quite well.

We support the following three scenarios:

Prerequisites 🔗︎

Install the Banzai Cloud Istio operator with the Backyards CLI 🔗︎

  1. First of all, you need to install the Backyards CLI on your cluster:

    Register for the free tier version of Cisco Service Mesh Manager (formerly called Banzai Cloud Backyards) and follow the Getting Started Guide for up-to-date instructions on the installation.

  2. Install the Istio operator using Backyards. You need only the Istio operator, but you can experiment with the Backyards UI/CLI and the large collection of automated Istio features provided by Backyards like observability, traffic routing, canary, circuit breakers, and so on - check out this long list of features. We provide sample commands to configure Istio using Backyards and also using kubectl.

    backyards install
? Install istio-operator (recommended). Press enter to accept Yes
? Install canary-operator (recommended). Press enter to accept No
? Install and run demo application (optional). Press enter to skip No

  3. Make sure you have mTLS enabled in the Istio mesh through the operator with the following command:

    Enable mTLS if it is not set to STRICT:

    • With kubectl:

      kubectl patch istio -n istio-system mesh --type=json -p='[{"op": "replace", "path": "/spec/meshPolicy/mtlsMode", "value":STRICT}]'

    • With backyards:

      ❯ backyards mtls require mesh
INFO[0000] switched global mTLS to STRICT successfully

    After this, we can check that mesh is configured with mTLS turned on which applies to all applications in the cluster in Istio-enabled namespaces. You can change this if you would like to use another policy.

    • With kubectl:

      $ kubectl get meshpolicy default -o yaml
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
  labels:
    app: security
spec:
  peers:
  - mtls: {}

    • With backyards:

      $ backyards mtls get mesh
mTLS rule for /mesh

Policy    Targets  MtlsMode  
/default  []       STRICT

Now your cluster is properly running on Istio with mTLS enabled globally.

Install the Bank-Vaults components 🔗︎

  1. You are recommended to create a separate namespace for Bank-Vaults called vault-system. You can enable Istio sidecar injection here as well, but Kubernetes won’t be able to call back the webhook properly since mTLS is enabled (and Kubernetes is outside of the Istio mesh). To overcome this, apply a PERMISSIVE Istio authentication policy to the vault-secrets-webhook Service itself, so Kubernetes can call it back without Istio mutual TLS authentication.

    kubectl create namespace vault-system
kubectl label namespace vault-system name=vault-system istio-injection=enabled

    • With kubectl:

      $ kubectl apply -f - <<EOF
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: vault-secrets-webhook
  namespace: vault-system
  labels:
    app: security
spec:
  targets:
  - name: vault-secrets-webhook
  peers:
  - mtls:
      mode: PERMISSIVE
EOF

    • With backyards:

      $ backyards mtls allow vault-system/vault-secrets-webhook
INFO[0001] policy peers for vault-system/vault-secrets-webhook set successfully

mTLS rule for vault-system/vault-secrets-webhook

Policy                                    Targets                  MtlsMode
vault-system/vault-secrets-webhook-rw6mc  [vault-secrets-webhook]  PERMISSIVE

  2. Now you can install the operator and the webhook to the prepared namespace:

    helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
helm upgrade --install vault-secrets-webhook banzaicloud-stable/vault-secrets-webhook --namespace vault-system
helm upgrade --install vault-operator banzaicloud-stable/vault-operator --namespace vault-system

Soon the webhook and the operator become up and running. Check that the istio-proxy got injected into all Pods in vault-system.

Proceed to the description of your scenario:

Edit this page on GitHub