With Istio Ambient releasing in beta as part of Istio 1.22, there are now two data plane modes available depending on how you want to route traffic and enforce policies in your service mesh.
The new Ambient data plane mode replaces the sidecar proxy containers that previously handled service-to-service communication, enforced mTLS and policies, and gathered telemetry data. Instead, a per-node proxy routes L4 traffic between worker nodes, and Waypoint proxies provide L7 capabilities within the mesh, reducing the data plane's resource consumption and simplifying operations.
To learn more about Istio Ambient, see our webinar here where we introduce and demonstrate the new data plane mode, and read this accompanying blog.
One significant part of Istio Service Mesh is the identity through which trust can be established. istio-csr extends Istio’s capabilities for issuing certificates for workload identities by replacing the built-in Istio CA (Citadel), instead using cert-manager to automate obtaining and renewing certificates from various public and private issuers.
This makes it possible to enforce mTLS for both intra- and inter-cluster communication.
With support for Istio Ambient added to istio-csr by Paul Jones in the 0.12.0 release, istio-csr can now manage certificate requests for workload identities in both the sidecar and Ambient data plane modes of Istio. In addition, using the latest Venafi CLI tool you can install istio-csr and all of its dependencies in an enterprise configuration easily and reproducibly, with no extra effort.
Because of the changes in the Istio Ambient data plane, certificate requests for workload identities are made by the ztunnel component that is colocated on each node. istio-csr therefore now accepts a list of trusted node accounts via --ca-trusted-node-accounts, which identifies the callers permitted to make such certificate requests. This allows istio-csr to authenticate the caller as a trusted node account, which in the Istio Ambient case is the ztunnel service account. Once the caller is validated, istio-csr creates the certificate request through cert-manager in the same way as when Istio is used with sidecars.
For more on the certificate process within Istio Ambient, see the documentation here.
To use istio-csr with Istio Ambient, simply set the app.server.caTrustedNodeAccounts value:
```shell
helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
  --install \
  --namespace cert-manager \
  --wait \
  ... \
  --set app.server.caTrustedNodeAccounts="istio-system/ztunnel"
```
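To make the trusted-node-account check concrete, the following Go program is an added illustration of the authorization decision described above; it is not istio-csr's own code and makes no claim about its internal structure. It parses a caTrustedNodeAccounts-style "namespace/serviceaccount" list, parses the caller's SPIFFE ID (the spiffe://<trust-domain>/ns/<ns>/sa/<sa> form Istio uses), and only lets a caller from the trusted list request a certificate for an identity other than its own. The idea that the node proxy states the workload identity it is requesting on behalf of is modelled here as a plain string argument; the function and type names, the trust domain cluster.local, and the sample identities are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// TrustedNodeAccounts holds the "namespace/serviceaccount" pairs that are
// allowed to request certificates on behalf of other workloads on their node.
type TrustedNodeAccounts map[string]struct{}

// ParseTrustedNodeAccounts parses a comma-separated list in the same shape as
// the caTrustedNodeAccounts Helm value, e.g. "istio-system/ztunnel".
func ParseTrustedNodeAccounts(raw string) (TrustedNodeAccounts, error) {
	out := TrustedNodeAccounts{}
	for _, item := range strings.Split(raw, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		parts := strings.Split(item, "/")
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("invalid trusted node account %q: want namespace/serviceaccount", item)
		}
		out[item] = struct{}{}
	}
	return out, nil
}

// Identity is the parsed form of a SPIFFE ID such as
// spiffe://cluster.local/ns/istio-system/sa/ztunnel.
type Identity struct {
	TrustDomain    string
	Namespace      string
	ServiceAccount string
}

// ParseSPIFFEID accepts only the Istio-style /ns/<ns>/sa/<sa> path layout.
func ParseSPIFFEID(s string) (Identity, error) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "spiffe" || u.Host == "" {
		return Identity{}, fmt.Errorf("not a SPIFFE ID: %q", s)
	}
	seg := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(seg) != 4 || seg[0] != "ns" || seg[2] != "sa" || seg[1] == "" || seg[3] == "" {
		return Identity{}, fmt.Errorf("unsupported SPIFFE path %q: want /ns/<ns>/sa/<sa>", u.Path)
	}
	return Identity{TrustDomain: u.Host, Namespace: seg[1], ServiceAccount: seg[3]}, nil
}

// AuthorizeRequest returns the identity a certificate may be issued for.
// callerID is the already-authenticated identity of the client; requestedID is
// the workload identity it asks the CA to sign for, or "" when it simply wants
// a certificate for itself (the ordinary sidecar case). Only callers whose
// namespace/serviceaccount is in the trusted list may request another identity,
// and only within their own trust domain.
func AuthorizeRequest(trusted TrustedNodeAccounts, callerID, requestedID string) (string, error) {
	caller, err := ParseSPIFFEID(callerID)
	if err != nil {
		return "", err
	}
	if requestedID == "" {
		return callerID, nil // self-request: no node-account privilege needed
	}
	if _, ok := trusted[caller.Namespace+"/"+caller.ServiceAccount]; !ok {
		return "", fmt.Errorf("caller %s is not a trusted node account; request for %s denied", callerID, requestedID)
	}
	target, err := ParseSPIFFEID(requestedID)
	if err != nil {
		return "", err
	}
	if target.TrustDomain != caller.TrustDomain {
		return "", errors.New("requested identity is outside the caller's trust domain")
	}
	return requestedID, nil
}

func main() {
	trusted, err := ParseTrustedNodeAccounts("istio-system/ztunnel")
	if err != nil {
		panic(err)
	}
	// Constructed sample: ztunnel asks for a certificate for a workload on its node.
	id, err := AuthorizeRequest(trusted,
		"spiffe://cluster.local/ns/istio-system/sa/ztunnel",
		"spiffe://cluster.local/ns/default/sa/productpage")
	fmt.Println(id, err)
	// Constructed sample: an ordinary workload trying the same thing is refused.
	_, err = AuthorizeRequest(trusted,
		"spiffe://cluster.local/ns/default/sa/sleep",
		"spiffe://cluster.local/ns/default/sa/productpage")
	fmt.Println(err)
}
```

The important property is that the trusted list widens what a caller may ask for, not who may call at all: an untrusted caller can still obtain a certificate for its own identity, but any attempt to obtain one for a different workload is refused unless the caller is one of the configured node accounts, which is why the value should list only the node proxy's service account.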
For more on how to set up istio-csr with Istio Ambient, see the docs here.
Look out for an upcoming webinar from Venafi where we will be diving deeper into istio-csr and Istio Ambient, and showing it in action with Venafi Firefly.