
dunjut / cert-sync

Licence: Apache-2.0 license
Dynamic provision for istio ingressgateway certificates.

Programming languages: Go, Makefile, Dockerfile


cert-sync

cert-sync is an Istio add-on that automates the synchronization between Kubernetes TLS secrets and istio-ingressgateway certificates, without having to re-deploy the istio-ingressgateway pods.

For every user-specified Kubernetes TLS secret, it ensures that a corresponding public certificate (.crt) and private key (.key) exist in a shared volume path, from which istio-ingressgateway later loads them. When users update or delete those secrets, the corresponding certificates and keys are updated or deleted as well.

[Diagram: cert-sync high-level overview]

Deployment

As already mentioned above, cert-sync collaborates with istio-ingressgateway by sharing a volume path (directory) into which the certificates and private keys from TLS secrets are placed.

Generally, users may choose one of the following methods to deploy cert-sync.

Sidecar

The sidecar approach is straightforward: add a cert-sync container to the istio-ingressgateway pod spec and mount a shared volume into both containers. For example:

...
  ...
    ...
      containers:
        - name: ingressgateway
          image: "gcr.io/istio/proxyv2:1.0.0"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
          args:
          - proxy
          - router
          - -v
          - "2"
          - --discoveryRefreshDelay
          - '1s' #discoveryRefreshDelay
          - --drainDuration
          - '45s' #drainDuration
          - --parentShutdownDuration
          - '1m0s' #parentShutdownDuration
          - --connectTimeout
          - '10s' #connectTimeout
          - --serviceCluster
          - istio-ingressgateway
          - --zipkinAddress
          - zipkin:9411
          - --statsdUdpAddress
          - istio-statsd-prom-bridge:9125
          - --proxyAdminPort
          - "15000"
          - --controlPlaneAuthPolicy
          - NONE
          - --discoveryAddress
          - istio-pilot.istio-system:8080
          env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          - name: INSTANCE_IP
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.podIP
          - name: ISTIO_META_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          volumeMounts:
          - name: certdir
            mountPath: "/etc/istio/ingressgateway-certs"
        - name: cert-sync
          image: "dunjut/cert-sync:0.1.0"
          imagePullPolicy: IfNotPresent
          args:
          - --certDir
          - /etc/istio/ingressgateway-certs
          volumeMounts:
          - name: certdir
            mountPath: "/etc/istio/ingressgateway-certs"
      volumes:
      - name: certdir
        emptyDir: {}
      ...

Note that a shared volume is required, but it does not have to be an emptyDir: other volume types such as hostPath or cephfs work as well, as long as they suit your Kubernetes environment.

For cert-sync to work correctly, users also have to grant access to secrets in the istio-ingressgateway-istio-system ClusterRole. Here is what it will look like (note that, being a ClusterRole rule without resourceNames, it grants read access to every Secret in the cluster):

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: gateways
    chart: gateways-1.0.0
    heritage: Tiller
    release: istio
  name: istio-ingressgateway-istio-system
rules:
- apiGroups: ["extensions"]
  resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"]
  verbs: ["get", "watch", "list", "update"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

Now the final step is to re-apply the modified istio-ingressgateway configurations.

DaemonSet

Some users run Kubernetes in bare-metal environments without LoadBalancer service support. In that case, cluster operators may deploy istio-ingressgateway on edge nodes as a DaemonSet, with hostNetwork and a node selector.

To make sure each istio-ingressgateway instance has a cert-sync co-located on the same machine, deploy cert-sync as a DaemonSet with the same node selector. The shared volume may be hostPath or any other type that suits your environment. Because cert-sync is deployed separately from istio-ingressgateway, a ServiceAccount with appropriate permissions must be created for it.

The example installation yaml file can be found here.

How to use

Upload TLS secrets

Users should store their TLS certificates and private keys in Kubernetes Secrets. These secrets must be of type kubernetes.io/tls and carry the following annotation:

certsync.istio.io/autosync: "true"

(Alternatively, some users may want to use a custom annotation key and value; one such use case is working with secrets generated by cert-manager. The command-line flags --annotationKey and --annotationValue let you do this.)

This annotation tells cert-sync to watch the secret for updates and synchronize it. Here is an example:

apiVersion: v1
kind: Secret
metadata:
  annotations:
    certsync.istio.io/autosync: "true"
  name: example-com
  namespace: foo
type: kubernetes.io/tls
data:
  tls.crt: <Base64EncodedCertificateData>
  tls.key: <Base64EncodedPrivateKeyData>

Use TLS secrets in Istio Gateway

cert-sync places your TLS data files at paths of the following form:

<certdir>/<namespace>/<name>.key
<certdir>/<namespace>/<name>.crt

For example, if we have specified /etc/istio/ingressgateway-certs as our certificate directory and created a secret example-com in namespace foo, the TLS data files will be:

/etc/istio/ingressgateway-certs/foo/example-com.key
/etc/istio/ingressgateway-certs/foo/example-com.crt
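The following is an added example, written for this page and not cert-sync's own code, of the sync logic described above: it filters secrets by type and the autosync annotation (the --annotationKey / --annotationValue pair), maps a secret to <certdir>/<namespace>/<name>.crt and .key, refuses to write material where tls.crt and tls.key are not a matching pair (the same pairing the Gateway's serverCertificate and privateKey fields rely on), writes each file via rename so the gateway never reads a half-written file, and removes both files when the secret is deleted. The Secret struct, SyncConfig, and the self-signed test material are constructed for the example; the real add-on works against the Kubernetes API objects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Secret is a minimal, constructed stand-in for a Kubernetes TLS Secret
// (the real cert-sync reads the API object); Data holds decoded bytes.
type Secret struct {
	Namespace, Name, Type string
	Annotations           map[string]string
	Data                  map[string][]byte // "tls.crt" and "tls.key"
}

// SyncConfig mirrors the --certDir, --annotationKey and --annotationValue flags.
type SyncConfig struct{ CertDir, AnnotationKey, AnnotationValue string }

// ShouldSync: only kubernetes.io/tls secrets carrying the opt-in annotation are tracked.
func ShouldSync(cfg SyncConfig, s Secret) bool {
	return s.Type == "kubernetes.io/tls" && s.Annotations[cfg.AnnotationKey] == cfg.AnnotationValue
}

// TargetPaths returns <certdir>/<namespace>/<name>.crt and <certdir>/<namespace>/<name>.key.
func TargetPaths(cfg SyncConfig, s Secret) (crt, key string) {
	dir := filepath.Join(cfg.CertDir, s.Namespace)
	return filepath.Join(dir, s.Name+".crt"), filepath.Join(dir, s.Name+".key")
}

// SyncSecret writes the pair into the shared volume. It rejects data that is not a
// matching certificate/key pair, so a swapped or half-updated secret never reaches
// the gateway, and it writes through a rename so no partial file is ever visible.
func SyncSecret(cfg SyncConfig, s Secret) error {
	if !ShouldSync(cfg, s) {
		return errors.New("not a kubernetes.io/tls secret with the autosync annotation")
	}
	crtPEM, keyPEM := s.Data["tls.crt"], s.Data["tls.key"]
	if _, err := tls.X509KeyPair(crtPEM, keyPEM); err != nil {
		return fmt.Errorf("tls.crt/tls.key are not a valid pair: %w", err)
	}
	crtPath, keyPath := TargetPaths(cfg, s)
	if err := os.MkdirAll(filepath.Dir(crtPath), 0o755); err != nil {
		return err
	}
	// The key mode must still be readable by the uid the gateway container runs as.
	if err := atomicWrite(crtPath, crtPEM, 0o644); err != nil {
		return err
	}
	return atomicWrite(keyPath, keyPEM, 0o600)
}

func atomicWrite(path string, data []byte, mode os.FileMode) error {
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, data, mode); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

// DeleteSecret mirrors deletion of the secret: both files are removed from the volume.
func DeleteSecret(cfg SyncConfig, s Secret) error {
	crtPath, keyPath := TargetPaths(cfg, s)
	for _, p := range []string{crtPath, keyPath} {
		if err := os.Remove(p); err != nil && !errors.Is(err, os.ErrNotExist) {
			return err
		}
	}
	return nil
}

// NewSelfSignedPair generates throwaway PEM material so the example runs offline.
func NewSelfSignedPair(host string) (crtPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}
```

A secret whose tls.crt and tls.key have been swapped, or whose key does not belong to the certificate, is rejected by tls.X509KeyPair before anything is written, which is also the quickest way to check a Gateway's serverCertificate/privateKey pair by hand.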

Then reference them from an Istio Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-com-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/foo/example-com.crt
      privateKey: /etc/istio/ingressgateway-certs/foo/example-com.key
    hosts:
    - "example.com"