Both the vault-operator and the vault-secrets-webhook can work on Istio enabled clusters quite well.

We support the following three scenarios:

Prerequisites

Install the Banzai Cloud Istio operator with the Backyards CLI

  1. First of all, you need to install the Backyards CLI on your cluster:

    Register for the free tier version of Cisco Service Mesh Manager (formerly called Banzai Cloud Backyards) and follow the Getting Started Guide for up-to-date instructions on the installation.

  2. Install the Istio operator using Backyards. You need only the Istio operator, but you can experiment with the Backyards UI/CLI and the large collection of automated Istio features provided by Backyards like observability, traffic routing, canary, circuit breakers, and so on - check out this long list of features. We provide sample commands to configure Istio using Backyards and also using kubectl.

    backyards install
    ? Install istio-operator (recommended). Press enter to accept Yes
    ? Install canary-operator (recommended). Press enter to accept No
    ? Install and run demo application (optional). Press enter to skip No
    
  3. Make sure mTLS is enabled in the Istio mesh through the operator. If the mesh-wide mTLS mode is not already STRICT, set it with one of the following commands:

    • With kubectl (the value must be a quoted JSON string, otherwise the patch is rejected as invalid JSON):

      kubectl patch istio -n istio-system mesh --type=json -p='[{"op": "replace", "path": "/spec/meshPolicy/mtlsMode", "value":"STRICT"}]'
      
    • With backyards:

      ❯ backyards mtls require mesh
      INFO[0000] switched global mTLS to STRICT successfully
      

    After this, you can verify that the mesh is configured with mTLS turned on; this applies to all workloads in Istio-enabled namespaces across the cluster. You can change this later if you prefer another policy.

    • With kubectl:

      $ kubectl get meshpolicy default -o yaml
      apiVersion: authentication.istio.io/v1alpha1
      kind: MeshPolicy
      metadata:
        name: default
        labels:
          app: security
      spec:
        peers:
        - mtls: {}
      
    • With backyards:

      $ backyards mtls get mesh
      mTLS rule for /mesh
      
      Policy    Targets  MtlsMode  
      /default  []       STRICT
      

Now your cluster is properly running on Istio with mTLS enabled globally.

Install the Bank-Vaults components

  1. We recommend creating a separate namespace for Bank-Vaults called vault-system. You can enable Istio sidecar injection in this namespace as well, but with mesh-wide STRICT mTLS the Kubernetes API server will not be able to call the webhook, because the API server runs outside of the Istio mesh and does not present an Istio client certificate. To overcome this, apply a PERMISSIVE Istio authentication policy scoped to the vault-secrets-webhook Service only, so the API server can reach it without Istio mutual TLS while the rest of the namespace stays STRICT.

    kubectl create namespace vault-system
    kubectl label namespace vault-system name=vault-system istio-injection=enabled
    
    • With kubectl:

      $ kubectl apply -f - <<EOF
      apiVersion: authentication.istio.io/v1alpha1
      kind: Policy
      metadata:
        name: vault-secrets-webhook
        namespace: vault-system
        labels:
          app: security
      spec:
        targets:
        - name: vault-secrets-webhook
        peers:
        - mtls:
            mode: PERMISSIVE
      EOF
      
    • With backyards:

      $ backyards mtls allow vault-system/vault-secrets-webhook
      INFO[0001] policy peers for vault-system/vault-secrets-webhook set successfully
      
      mTLS rule for vault-system/vault-secrets-webhook
      
      Policy                                    Targets                  MtlsMode
      vault-system/vault-secrets-webhook-rw6mc  [vault-secrets-webhook]  PERMISSIVE
      
  2. Now you can install the operator and the webhook to the prepared namespace:

    helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
    helm upgrade --install vault-secrets-webhook banzaicloud-stable/vault-secrets-webhook --namespace vault-system
    helm upgrade --install vault-operator banzaicloud-stable/vault-operator --namespace vault-system
    

Shortly afterwards the webhook and the operator should be up and running. Check that the istio-proxy sidecar was injected into every Pod in vault-system; a Pod without it is outside the mesh and will not be covered by the STRICT mTLS policy.
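A small check script for the sidecar verification above, added here as an example and not part of the Bank-Vaults documentation or project code. It parses a `pod=container container ...` listing of the kind that the kubectl jsonpath query shown in the comment produces, and reports Pods that lack an istio-proxy container. The Pod names in the sample listing are constructed for illustration (vault-0 is assumed to be a Vault instance deployed into the same namespace) so that the script runs offline.

```shell
#!/bin/sh
# Added example: report Pods in vault-system that did not get the istio-proxy sidecar.
# On a live cluster the listing would be produced by (assumption: jsonpath layout chosen here):
#   kubectl get pods -n vault-system -o jsonpath='{range .items[*]}{.metadata.name}{"="}{range .spec.containers[*]}{.name}{" "}{end}{"\n"}{end}'

# Reads "pod=container container ..." lines on stdin and prints the names of
# Pods whose container list does not contain istio-proxy.
list_pods_missing_sidecar() {
  while IFS='=' read -r pod containers; do
    [ -z "$pod" ] && continue
    case " $containers " in
      *" istio-proxy "*) ;;                # sidecar present, nothing to report
      *) printf '%s\n' "$pod" ;;           # no sidecar: this Pod is outside the mesh
    esac
  done
}

# Reads the same listing on stdin; succeeds only when every Pod has the sidecar.
check_sidecars() {
  missing=$(list_pods_missing_sidecar)
  if [ -n "$missing" ]; then
    echo "Pods in vault-system without istio-proxy sidecar:" >&2
    printf '  %s\n' $missing >&2
    return 1
  fi
  echo "all Pods have the istio-proxy sidecar"
  return 0
}

# Constructed sample listing (Pod names and hashes are illustrative, not from a real cluster).
SAMPLE_PODS='vault-operator-7d9c4b5f8-abcde=vault-operator istio-proxy 
vault-secrets-webhook-6f5d8c9b7-fghij=vault-secrets-webhook istio-proxy 
vault-0=vault vault-unsealer bank-vaults '

printf '%s\n' "$SAMPLE_PODS" | check_sidecars \
  || echo "re-check the istio-injection label on the namespace and restart the affected Pods" >&2
```

Run against a live cluster, replace the sample with the output of the kubectl command in the comment; the check exits non-zero when any Pod is missing the sidecar, which makes it usable as a gate in a deployment pipeline.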

Proceed to the description of your scenario: