Istio CSR releases
Istio CSR integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
Learn about current and past releases of Istio CSR.
Latest release
The latest stable release of Istio CSR is v0.12.0.
Downloads
- Container Image: private-registry.venafi.cloud/istio-csr/cert-manager-istio-csr:v0.12.0
- FIPS Image: private-registry.venafi.cloud/istio-csr/istio-csr-fips:v0.12.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.12.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-istio-csr:v0.12.0
- Container Image: private-registry.venafi.eu/istio-csr/cert-manager-istio-csr:v0.12.0
- FIPS Image: private-registry.venafi.eu/istio-csr/istio-csr-fips:v0.12.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.12.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-istio-csr:v0.12.0
Release 0.12.0
Istio CSR v0.12.0 was released on September 4, 2024.
Key features
- Istio Ambient Mode Support: Istio Ambient Mode lets you use Istio without requiring sidecar containers to run in your pods. This is powerful but functions slightly differently, and Istio CSR previously didn't support this mode of operation.
  Istio Ambient Mode is enabled by setting the app.server.caTrustedNodeAccounts Helm value to a comma-separated list of namespace/service-account values indicating which service accounts are permitted to use node authentication, such as istio-system/ztunnel.
- Runtime Configuration Improvements: Runtime configuration allows Istio CSR to be installed at the same time as cert-manager itself, which can simplify the cluster set-up process. It also enables issuers to be changed on the fly, which makes the rotation of CA certificates simpler and reduces the risk of downtime.
  Previously, Istio CSR would always report as unhealthy until runtime configuration was available. Without a configured issuer, Istio CSR can't issue workload certificates or provision the Istio serving certificate (also known as the istiod certificate). This caused the Helm install of Istio CSR to hang until the runtime configuration ConfigMap was provided, forcing runtime configuration to be handled then and there.
  To simplify this process, the following Helm chart changes were made:
  - extraObjects Helm chart field: It's now possible to pass extraObjects as a Helm value specifying arbitrary resources to create alongside the Istio CSR install. This enables the creation of an issuer during the Helm install, if desired.
  - Runtime ConfigMaps: There's a new app.runtimeConfiguration.create value which, if set, creates a runtime configuration ConfigMap with the values specified in app.runtimeConfiguration.issuer.
  - Health checks: How health checks work for Istio CSR with runtime configuration has changed. If using pure runtime configuration (app.certmanager.issuer is blank), the Istio CSR health checks will report healthy until runtime configuration is available for the first time. After the runtime configuration is first detected, the health checks will return to normal.
  - Other fixes: Annotations are now propagated onto the dynamic istiod certificate which is used with runtime configuration, and some roles have been fixed to ensure that installing into different namespaces works as expected.
Downloads
- Docker Image: private-registry.venafi.cloud/istio-csr/cert-manager-istio-csr:v0.12.0
- FIPS Image: private-registry.venafi.cloud/istio-csr/istio-csr-fips:v0.12.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.12.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-istio-csr:v0.12.0
- Docker Image: private-registry.venafi.eu/istio-csr/cert-manager-istio-csr:v0.12.0
- FIPS Image: private-registry.venafi.eu/istio-csr/istio-csr-fips:v0.12.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.12.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-istio-csr:v0.12.0
Release 0.11.0
Istio CSR v0.11.0 was released on August 1, 2024.
Key features
- Pure Runtime Configuration
Istio CSR v0.10.0 added initial support for runtime configuration, allowing the issuer to be changed easily after Istio CSR starts. That release still, in practice, needed an issuer to be configured before Istio CSR was installed, in order to provision the istiod cert and for the initial configuration of Istio serving certs.
v0.11.0 adds "pure" runtime configuration, allowing Istio CSR and cert-manager to be installed entirely concurrently. To achieve this, Istio CSR gains the ability to dynamically provision an istiod certificate, and now waits for issuer configuration before any attempts to issue serving certs.
An example of runtime-configured Istio CSR would use the following values.yaml:
```yaml
app:
  runtimeIssuanceConfigMap: runtime-config-map
  certmanager:
    issuer:
      # You can explicitly leave these values blank, since they're defaulted.
      name: ""
      kind: ""
      group: ""
  tls:
    istiodCertificateEnable: "dynamic" # new in v0.11.0!
```
Istio CSR pods won't report as "ready" until an issuer is configured, so a Helm install won't complete until you've created a ConfigMap specifying an issuer:
```bash
kubectl create configmap runtime-config-map -n cert-manager \
  --from-literal=issuer-name=istio-ca \
  --from-literal=issuer-kind=Issuer \
  --from-literal=issuer-group=cert-manager.io
```
- Client certificate authentication
Previously, workloads attempting to renew their serving certs with Istio CSR were required to present their Kubernetes JWT for validation. Istio (when used without Istio CSR) allows for several auth methods, including client cert auth, where the already-provisioned mTLS certificate can be used as auth.
Now, Istio CSR has gained support for client cert auth, using the trusted CA bundle already supported in Istio CSR. The functionality is behind a flag, and can be enabled with a Helm value:
```bash
--set app.server.authenticators.enableClientCert=true
```
- JSON logging
Thanks to the new logFormat Helm value, JSON logging can be enabled for Istio CSR with --set app.logFormat=json.
JSON logs are now used by default in several Istio CSR tests, and are very useful for parseable structured logs. Bear the following caveats in mind, however:
1. There's no guarantee that all output will be in JSON format. In testing, logging seemed to be consistently in JSON, but it's possible that there could be some text output.
2. Log formats are not currently consistent: different log lines may have different keys.
- Helm updates
topologySpreadConstraints, and other updates related to the istiod cert, were added to this release.
- Kubernetes client side rate limiting
Kubernetes client side rate limiting was disabled in this release.
Downloads
- Docker Image: private-registry.venafi.cloud/istio-csr/cert-manager-istio-csr:v0.11.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.11.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-istio-csr:v0.11.0
- Docker Image: private-registry.venafi.eu/istio-csr/cert-manager-istio-csr:v0.11.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.11.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-istio-csr:v0.11.0
Release 0.10.0
Istio CSR v0.10.0 was released on July 17, 2024.
Key features
- Initial runtime configuration support
Istio CSR requires cert-manager to be installed to be able to issue certificates; using cert-manager to issue Istio certificates is the reason why you use Istio CSR.
More subtly, Istio CSR actually requires a cert-manager issuer to be created before Istio CSR is installed. This issuer is used to issue the istiod certificate, the Istio serving certificate, and workload certificates. This dependency means that it's not possible to install Istio CSR and cert-manager at the same time, which can be a problem for some users and some installation methods. Runtime configuration aims to solve that problem, by allowing the issuer to be defined at runtime through a ConfigMap resource in the same namespace as the Istio CSR pods.
Because the issuer was defined at pod startup time (via the Helm chart), it was not possible to swap out an issuer on the fly while Istio CSR pods were running. Runtime configuration changes this:
```bash
kubectl create configmap -n venafi istio-issuer \
  --from-literal=issuer-name=my-issuer-name \
  --from-literal=issuer-kind=ClusterIssuer \
  --from-literal=issuer-group=cert-manager.io
```
values.yaml:
```yaml
app:
  runtimeIssuanceConfigMap: istio-issuer
  certmanager:
    issuer:
      name: ""
      kind: ""
      group: ""
  tls:
    rootCAFile: "/var/run/secrets/istio-csr/ca.pem"
    istiodCertificateEnable: false
volumeMounts:
  - name: root-ca
    mountPath: /var/run/secrets/istio-csr
volumes:
  - name: root-ca
    secret:
      secretName: istio-root-ca
```
```bash
helm upgrade cert-manager-istio-csr oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.10.0 \
  --install \
  --namespace venafi \
  --wait \
  --values values.yaml
```
This initial support requires that the istiod certificate is disabled. This means you must provision that certificate manually, ahead of installing Istio CSR. Alternatively, istiodCertificateEnable can be left as true and app.certmanager.issuer can be provided. This still requires cert-manager to be installed and configured before Istio CSR, but enables you to change certificates on the fly. A future release of Istio CSR will include the ability to provision the istiod certificate dynamically, allowing for true runtime configuration.
- s390x support
Istio CSR now supports the s390x architecture.
- nameOverride Helm value added
The nameOverride Helm value was added to values.yaml to improve jsonSchema validation.
- Dependency updates
github.com/lestrrat-go/jwx has been updated to v1.2.29. This fixes CVE-2024-28122.
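The runtime-configuration ConfigMap shown for v0.11.0 and v0.10.0 above is looked up by name in the Istio CSR namespace, and a mistake in it leaves the pods unready rather than producing an error. The POSIX shell linter below is an added example, not code from Istio CSR or its Helm chart; the names get_field, validate_runtime_config and write_sample are my own, and it assumes the flat YAML layout that kubectl emits for a ConfigMap.

```shell
# Added example (not from the Istio CSR project): lint a runtime-configuration
# ConfigMap before applying it. Istio CSR reads issuer-name, issuer-kind and
# issuer-group from a ConfigMap in its own namespace and stays unready until a
# usable issuer appears, so a typo here stalls the Helm install instead of
# failing loudly. Assumed input: the flat YAML that "kubectl ... -o yaml" emits.

# get_field <manifest> <key>: value of the first "key: value" line, quotes stripped
get_field() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# validate_runtime_config <manifest> <istio-csr-namespace>
# Prints each problem found; returns 0 only when the ConfigMap is usable.
validate_runtime_config() {
  m="$1"; want_ns="$2"; rc=0
  [ "$(get_field "$m" kind)" = "ConfigMap" ] || { echo "kind must be ConfigMap"; rc=1; }
  [ "$(get_field "$m" namespace)" = "$want_ns" ] ||
    { echo "must be in namespace $want_ns, where the Istio CSR pods run"; rc=1; }
  for key in issuer-name issuer-kind issuer-group; do
    [ -n "$(get_field "$m" "$key")" ] || { echo "missing data key: $key"; rc=1; }
  done
  g="$(get_field "$m" issuer-group)"; k="$(get_field "$m" issuer-kind)"
  if [ "$g" = "cert-manager.io" ]; then
    # built-in cert-manager issuers come in exactly two kinds
    case "$k" in
      Issuer|ClusterIssuer|"") ;;  # "" was already reported as missing above
      *) echo "issuer-kind $k is not a cert-manager.io kind (Issuer/ClusterIssuer)"; rc=1 ;;
    esac
  elif [ -n "$g" ]; then
    # external issuers use their own group and kind; flag them for a second look
    echo "review: external issuer $k.$g, make sure its CRD is installed"
  fi
  return $rc
}

# write_sample <file> <namespace> <issuer-kind>: constructed manifest for trying the linter
write_sample() {
  cat >"$1" <<EOF
kind: ConfigMap
metadata:
  name: runtime-config-map
  namespace: $2
data:
  issuer-name: istio-ca
  issuer-kind: $3
  issuer-group: cert-manager.io
EOF
}
```

Run validate_runtime_config against the saved output of kubectl get configmap for the ConfigMap and the namespace Istio CSR is installed in; write_sample only exists to build constructed manifests for trying it offline.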
Downloads
- Container Image: private-registry.venafi.cloud/istio-csr/cert-manager-istio-csr:v0.10.0
- FIPS Image: private-registry.venafi.cloud/istio-csr/istio-csr:v0.10.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.10.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-istio-csr:v0.10.0
- Container Image: private-registry.venafi.eu/istio-csr/cert-manager-istio-csr:v0.10.0
- FIPS Image: private-registry.venafi.eu/istio-csr/istio-csr:v0.10.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.10.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-istio-csr:v0.10.0
Release 0.9.0
Istio CSR v0.9.0 was released on May 13, 2024.
Key features
- Release v0.9.0 upgrades the Go version used to build to 1.22.3 to fix the following vulnerability: GO-2024-2824 (CVE-2024-24788). All Go-related dependencies were also upgraded in this release.
- This release also adds json-schema validation to the Helm chart, fixes for minor bugs, and tests for Istio 1.20.
Downloads
- Container Image: private-registry.venafi.cloud/istio-csr/cert-manager-istio-csr:v0.9.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.9.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-istio-csr:v0.9.0
- Container Image: private-registry.venafi.eu/istio-csr/cert-manager-istio-csr:v0.9.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.9.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-istio-csr:v0.9.0
Release v0.8.1
Istio CSR v0.8.1 was released on February 6, 2024.
Key features
- Release 0.8.1 adds the ability to provide additional DNS names to an istiod certificate.
- This release also sees updates to component libraries and minor bug fixes.
Important
This release of Istio CSR changes how containers are built, which in turn changes the path at which the binary can be found inside the container. This means that new container images can't be used with older Helm charts, or with any software which expects the old path.
Downloads
- Container Image: private-registry.venafi.cloud/istio-csr/cert-manager-istio-csr:v0.8.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.8.1
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-istio-csr:v0.8.1
- Container Image: private-registry.venafi.eu/istio-csr/cert-manager-istio-csr:v0.8.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.8.1
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-istio-csr:v0.8.1