UNCLASSIFIED - NO CUI


Auto set Istio jwksResolverExtraRootCA if sso.certificateAuthority specified

General MR

Summary

As recently added in Istio 1.17.1-bb.1 (see big-bang/product/packages/istio-controlplane!146 (merged)), we can set istio.values.values.pilot.jwksResolverExtraRootCA to allow the IstioOperator resource (and thereby the istiod deployment) to specify a certificate authority for the JWKS resolver. This is required for istiod to successfully verify JWTs as part of enforcing AuthorizationPolicies.

This MR automatically sets istio.values.values.pilot.jwksResolverExtraRootCA if sso.certificateAuthority is set. The implementation does not override any other values and can be overlaid by the customer if needed.
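Added illustration of the precedence described above, written in plain Python rather than the chart's own Helm template (it is not Big Bang code): sso.certificateAuthority is injected as values.pilot.jwksResolverExtraRootCA, and whatever the operator already placed under istio.values is merged on top so it keeps winning. The function and sample values are constructed for this example.

```python
# Added illustration: models the value precedence this MR introduces in plain
# Python; it is NOT the chart's own Helm template. Sample values are constructed.
import copy


def deep_merge(base: dict, overlay: dict) -> dict:
    """Helm-style merge: overlay keys win, nested dicts are merged recursively."""
    out = copy.deepcopy(base)
    for key, val in overlay.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = copy.deepcopy(val)
    return out


def get_path(values: dict, dotted: str):
    """Look up a dotted path such as 'sso.certificateAuthority'; None if absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def effective_istio_values(values: dict) -> dict:
    """Return the istio.values block as it would reach the IstioOperator.

    sso.certificateAuthority is injected as values.pilot.jwksResolverExtraRootCA,
    but anything already present under istio.values is merged on top, so an
    explicit setting or a customer overlay keeps precedence and nothing else
    is overridden.
    """
    user_istio = get_path(values, "istio.values") or {}
    ca = get_path(values, "sso.certificateAuthority")
    auto = {"values": {"pilot": {"jwksResolverExtraRootCA": ca}}} if ca else {}
    return deep_merge(auto, user_istio)


# Constructed sample mirroring the test in this MR: CA set to the string "test".
SAMPLE_VALUES = {"sso": {"certificateAuthority": "test"}}

if __name__ == "__main__":
    rendered = effective_istio_values(SAMPLE_VALUES)
    print(rendered["values"]["pilot"]["jwksResolverExtraRootCA"])  # test
```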

Relevant logs/screenshots

Tested on a k3d cluster in AWS Commercial. Let me know if more logs are needed. In this example, the certificate was set to "test" with no newline. All other Istio settings are default.

# Source: bigbang/templates/istio/controlplane/values.yaml
apiVersion: v1
kind: Secret
metadata:
  name: bigbang-istio-values
  namespace: default
type: generic
stringData:
  common: |
  defaults:
    "# hostname is deprecated and replaced with domain. But if hostname exists then use
      it.\ndomain: bigbang.dev\n\nenterprise: false\n\nistiod:\n  env: \n    - name: ENABLE_LEGACY_FSGROUP_INJECTION\n
      \     value: \"false\"\n# Change default hpaSpec to ensure generated HPA uses autoscaling/v2\n
      \ hpaSpec:\n    metrics:\n      - type: Resource\n        resource:\n          name:
      cpu\n          target:\n            type: Utilization\n            averageUtilization:
      60\n\nimagePullSecrets:\n  - private-registry\n\nopenshift: false\n\nauthservice:\n
      \ enabled: false\n\nmonitoring:\n  enabled: false\n\nkiali:\n  enabled: false\n\nnetworkPolicies:\n
      \ enabled: true\n  controlPlaneCidr: 0.0.0.0/0\n\nimagePullPolicy: IfNotPresent\nvalues:\n
      \ pilot:\n    jwksResolverExtraRootCA: \"test\"\ningressGateways:\n  istio-ingressgateway:\n
      \   enabled: false\n  \n  public-ingressgateway:\n    k8s:\n      service:\n        type:
      LoadBalancer\ngateways:\n  main: null\n  \n  public:\n    selector:\n      app:
      public-ingressgateway\n    autoHttpRedirect:\n      enabled: true\n    servers:\n
      \   - hosts:\n        - '*.bigbang.dev'\n      port:\n        name: https\n        number:
      8443\n        protocol: HTTPS\n      tls:\n        credentialName: public-cert\n
      \       mode: SIMPLE"
  overlays: |
    {}
[istio-pilot@istiod-555fb699bc-wsv44 /]$ cat /cacerts/extra.pem 
test[istio-pilot@istiod-555fb699bc-wsv44 /]$ 

For Issue

Closes #1484 (closed)

Edited by Noah Gearhart
