Installing Istio CSR using the Venafi Control Plane Operator

Follow the steps below to deploy the default version of cert-manager and Istio CSR using the Venafi Control Plane Operator.

Prerequisites

To install Istio CSR using the Venafi Control Plane Operator, you'll need the following:

  • Access to the Venafi OCI registry (or your own mirror).
  • The Venafi Control Plane Operator already installed on your system.
  • The Red Hat OpenShift CLI tool oc installed on your system.

Step 1: Configure access to the Venafi OCI registry

Important

Follow the instructions in Configuring access to the Venafi OCI registry to enable access to the artifacts required for this component (cert-manager Components is the default scope for cert-manager). Use venafi as the namespace.

For the example below, it's assumed that you created the following Kubernetes Secret:

  • namespace: venafi
  • name: venafi-image-pull-secret

Step 2: Install Istio

  1. If you have not done so already, download the istioctl command-line tool.
  2. Copy and save the following sample manifest as istio-install-config.yaml. This manifest creates an istio-system namespace and configures the install.

    You may wish to inspect and tweak istio-install-config.yaml if you know what you're doing, but the manifest works as-is for example purposes:

    istio-install-config.yaml
    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      namespace: istio-system
    spec:
      profile: "sample"
      hub: gcr.io/istio-release
      meshConfig:
        # Change the following line to configure the trust domain of the Istio cluster.
        trustDomain: cluster.local
      values:
        global:
          # Use cert-manager istio-csr as the certificate provider for the Istio agents
          caAddress: cert-manager-istio-csr.cert-manager.svc:443
      components:
        pilot:
          k8s:
            env:
              # Disable istiod CA Server functionality
            - name: ENABLE_CA_SERVER
              value: "false"
    
  3. Use the istioctl install command to install Istio and apply the manifest:

    istioctl install --set profile=openshift -f istio-install-config.yaml
    

Step 3: Create and apply the Istio CSR manifest

  1. Create a manifest venafi-components.yaml. You can use one of the samples below as a base:

    Sample for the Venafi OCI registry, US region:

    venafi-components.yaml
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals: 
        enableDefaultApprover: false 
        imagePullSecretNames: [venafi-image-pull-secret] 
        namespace: venafi 
        useFIPSImages: false 
        vcpRegion: US 
        region: US 
      certManager: 
        install: true
      certManagerIstioCSR:
        install: true
        trustDomain: example.com # (1)!
        runtimeConfigMapName: configmap-in-install-namespace # (2)!
        version: v0.12.0
    
    1. Provide the name of the trust domain here. This is a required field when installing Istio CSR.
    2. Add the name of the ConfigMap in the namespace where you installed the Operator.

    Sample for the Venafi OCI registry, EU region:

    venafi-components.yaml
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals:
        enableDefaultApprover: false 
        imagePullSecretNames: [venafi-image-pull-secret] 
        namespace: venafi 
        useFIPSImages: false 
        vcpRegion: EU 
        region: EU 
      certManager: 
        install: true
      certManagerIstioCSR:
        install: true
        trustDomain: example.com # (1)!
        runtimeConfigMapName: configmap-in-install-namespace # (2)!
        version: v0.12.0
    
    1. Provide the name of the trust domain here. This is a required field when installing Istio CSR.
    2. Add the name of the ConfigMap in the namespace where you installed the Operator.

    Sample for your own mirror (custom chart repository and image registry):

    venafi-components.yaml
    apiVersion: installer.venafi.com/v1alpha1
    kind: VenafiInstall
    metadata:
      name: venafi-components
    spec:
      globals: 
        customChartRepository: oci://myregistry.example.com/charts
        customImageRegistry: myregistry.example.com
        enableDefaultApprover: false 
        imagePullSecretNames: [venafi-image-pull-secret] 
        namespace: venafi 
        useFIPSImages: false 
      certManager: 
        install: true
      certManagerIstioCSR:
        install: true
        trustDomain: example.com # (1)!
        runtimeConfigMapName: configmap-in-install-namespace # (2)!
        version: v0.12.0
    
    1. Provide the name of the trust domain here. This is a required field when installing Istio CSR.
    2. Add the name of the ConfigMap in the namespace where you installed the Operator.

    Notes

    Set the spec.certManager.skip parameter to true and the spec.certManager.install parameter to false if you have already installed and configured cert-manager.

    Use the trustDomain field to specify the Istio CSR trust domain. This is a required field when installing Istio CSR.

    Tip

    For a complete list of Venafi Control Plane Operator configuration parameters, refer to the Venafi Control Plane Operator API reference.

  2. Apply the manifest by running the following command:

    oc apply -f venafi-components.yaml
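
A pre-flight check for the two manifests above, added here as an example (it is not Venafi or Istio code). It compares the mesh trust domain with the Istio CSR trust domain, the namespace in caAddress with spec.globals.namespace, and confirms that the istiod CA server is disabled. The function names are hypothetical, the sample files are constructed from the page's values, and the check assumes the istio-csr Service is created in spec.globals.namespace.

```shell
# Added example (not Venafi or Istio code). Assumes the flat layout of the sample
# manifests and that the istio-csr Service lives in spec.globals.namespace.

# yaml_value FILE KEY: first scalar "KEY: value", minus trailing comment and quotes.
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed -n '1p' |
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# ca_server_flag FILE: value of the istiod env entry named ENABLE_CA_SERVER.
ca_server_flag() {
  grep -A1 'name: ENABLE_CA_SERVER' "$1" | sed -n 's/.*value:[[:space:]]*//p' | tr -d "\"' "
}

# expect_eq LABEL GOT WANT: print OK or FAIL; fails when GOT is empty or differs.
expect_eq() {
  if [ -n "$2" ] && [ "$2" = "$3" ]; then echo "OK   $1: $2"; return 0; fi
  echo "FAIL $1: '$2' != '$3'"; return 1
}

# check_mesh_ca ISTIO_FILE VENAFI_FILE: returns 1 if any check fails.
check_mesh_ca() {
  local rc=0
  expect_eq trust-domain "$(yaml_value "$1" trustDomain)" "$(yaml_value "$2" trustDomain)" || rc=1
  # caAddress is <service>.<namespace>.svc:<port>; the namespace is the second label.
  expect_eq ca-namespace "$(yaml_value "$1" caAddress | cut -d. -f2)" "$(yaml_value "$2" namespace)" || rc=1
  expect_eq istiod-ca-disabled "$(ca_server_flag "$1")" false || rc=1
  return "$rc"
}

# write_samples DIR TRUST_DOMAIN NAMESPACE: constructed inputs, trimmed from the
# page's manifests to the fields the check reads.
write_samples() {
  printf '%s\n' 'spec:' '  meshConfig:' '    trustDomain: cluster.local' \
    '  values:' '    global:' \
    '      caAddress: cert-manager-istio-csr.cert-manager.svc:443' \
    '  components:' '    pilot:' '      k8s:' '        env:' \
    '        - name: ENABLE_CA_SERVER' '          value: "false"' \
    > "$1/istio-install-config.yaml"
  printf '%s\n' 'spec:' '  globals:' "    namespace: $3" \
    '  certManagerIstioCSR:' "    trustDomain: $2 # required" \
    > "$1/venafi-components.yaml"
}

demo=$(mktemp -d)
write_samples "$demo" example.com venafi   # values as printed in the samples
check_mesh_ca "$demo/istio-install-config.yaml" "$demo/venafi-components.yaml" ||
  echo "Align the manifests before running: oc apply -f venafi-components.yaml"
```

With the sample values left unchanged, the check reports the trust domain (cluster.local against example.com) and the CA namespace (cert-manager against venafi) as mismatched; edit both files to your real values and rerun it before applying.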
    

Step 4: Verify the installation

  1. Verify whether Istio CSR is successfully installed by running the following command:

    oc get venafiinstall,pods
    

    Sample output:

    NAME                                                   STATUS   LAST SYNC
    venafiinstall.installer.venafi.com/venafi-components   Synced   2m14s
    
    NAME                                           READY   STATUS    RESTARTS   AGE
    pod/cert-manager-586bf54fc-j72bq               1/1     Running   0          5m37s
    pod/cert-manager-cainjector-555597db44-vdvrs   1/1     Running   0          5m37s
    pod/cert-manager-istio-csr-76dddc799c-qnjw9    1/1     Running   0          2m36s
    pod/cert-manager-webhook-6c86fd9696-5wdkp      1/1     Running   0          5m37s
    pod/vcp-operator-86c7d996d6-85km5              1/1     Running   0          8m40s