Istio operator: pass ingress mTLS certs via files instead of secrets

I am trying to pass mTLS certs to istio ingress gateway via files and not via secrets. Vault init-container will store certs at

/etc/istio/ingressgateway-certs/tls.key
/etc/istio/ingressgateway-certs/tls.cert
/etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem

So I'm trying to remove the ‘secret’ element via a patch like this:

      - path: spec.template.spec.volumes[name:ingressgateway-ca-certs].emptyDir
        value: {}
      - path: spec.template.spec.volumes[name:ingressgateway-certs].emptyDir
        value: {}
      - path: spec.template.spec.volumes[name:ingressgateway-certs].secret
      - path: spec.template.spec.volumes[name:ingressgateway-certs].secret.secretName
      - path: spec.template.spec.volumes[name:ingressgateway-ca-certs].secret.secretName
      - path: spec.template.spec.volumes[name:ingressgateway-ca-certs].secret

but it is not working. The doc says, “For delete, value should be unset.”

https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#K8sObjectOverlay-PathValue

The istioctl manifest generate command still includes the secret section. I also tried setting the value to “unset” but (as expected) it ended up using unset as the literal value for the secret name. Any pointers are appreciated.

I used this to delete it, since the vault sidecar will mount it.

      - path: spec.template.spec.volumes[name:ingressgateway-ca-certs]
      - path: spec.template.spec.volumes[name:ingressgateway-certs]

In the end it was easier to change the certificate path to something else instead of trying to use the default path.

     - path: spec.servers[0].tls
       value:
         caCertificates: /etc/istio/ingressgateway-ca/certs/ca-chain.cert.pem
         mode: MUTUAL
         privateKey: /etc/istio/ingressgateway/certs/tls.key
         serverCertificate: /etc/istio/ingressgateway/certs/tls.crt
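Putting the two working answers above together, here is a complete IstioOperator plus Gateway that deletes the secret-backed volumes and serves mTLS from files at a custom path. This is an added example, not code posted in the thread and not an Istio-provided manifest. It assumes the default ingress gateway Deployment name `istio-ingressgateway` with its proxy container named `istio-proxy`, and a hypothetical init container (`vault-certs-init`, image `example.invalid/vault-cert-fetcher`, its `args` are placeholders) that fetches `tls.crt`, `tls.key` and `ca-chain.cert.pem` from Vault and writes them into the mounted directories. Two points from the thread are encoded in the comments: a delete patch is a `path` with no `value` key at all (`value: {}` is an empty map, not "unset"), and it is the whole list element that gets deleted, not its `.secret` sub-key. The `[name:...]` selector is written in the thread's form; the operator reference shows the equivalent dotted form `volumes.[name:...]`.

```yaml
# ingress-tls-files.yaml  (added example, not from the thread)
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        overlays:
        - apiVersion: apps/v1
          kind: Deployment
          name: istio-ingressgateway
          patches:
          # 1. Delete. A patch with only `path` (no `value` key) removes the
          #    selected node. Remove the whole secret-backed volume entries
          #    and the matching mounts on istio-proxy, so the pod does not
          #    reference a volume that no longer exists.
          - path: spec.template.spec.volumes[name:ingressgateway-certs]
          - path: spec.template.spec.volumes[name:ingressgateway-ca-certs]
          - path: spec.template.spec.containers[name:istio-proxy].volumeMounts[name:ingressgateway-certs]
          - path: spec.template.spec.containers[name:istio-proxy].volumeMounts[name:ingressgateway-ca-certs]
          # 2. Add. A [name:...] path that matches no existing element appends
          #    a new element carrying `value` (include `name` in the value so
          #    the element is complete). Memory-backed emptyDir keeps the
          #    private key in tmpfs instead of on the node's disk.
          - path: spec.template.spec.volumes[name:ingressgateway-tls-files]
            value:
              name: ingressgateway-tls-files
              emptyDir:
                medium: Memory
          - path: spec.template.spec.volumes[name:ingressgateway-ca-files]
            value:
              name: ingressgateway-ca-files
              emptyDir:
                medium: Memory
          - path: spec.template.spec.containers[name:istio-proxy].volumeMounts[name:ingressgateway-tls-files]
            value:
              name: ingressgateway-tls-files
              mountPath: /etc/istio/ingressgateway
              readOnly: true
          - path: spec.template.spec.containers[name:istio-proxy].volumeMounts[name:ingressgateway-ca-files]
            value:
              name: ingressgateway-ca-files
              mountPath: /etc/istio/ingressgateway-ca
              readOnly: true
          # 3. Hypothetical init container that writes the three files before
          #    the proxy starts. It must leave the files readable by the uid
          #    the proxy runs as (not root in current releases).
          - path: spec.template.spec.initContainers
            value:
            - name: vault-certs-init
              image: example.invalid/vault-cert-fetcher:1.0   # placeholder image
              args:                                           # placeholder flags
              - --tls-out-dir=/etc/istio/ingressgateway/certs
              - --ca-out-dir=/etc/istio/ingressgateway-ca/certs
              volumeMounts:
              - name: ingressgateway-tls-files
                mountPath: /etc/istio/ingressgateway
              - name: ingressgateway-ca-files
                mountPath: /etc/istio/ingressgateway-ca
---
# Gateway pointing at the custom file paths (same paths as the final answer).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mtls-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "api.example.com"   # placeholder host
    tls:
      mode: MUTUAL
      serverCertificate: /etc/istio/ingressgateway/certs/tls.crt
      privateKey: /etc/istio/ingressgateway/certs/tls.key
      caCertificates: /etc/istio/ingressgateway-ca/certs/ca-chain.cert.pem
```

Check the result before applying it: run `istioctl manifest generate -f ingress-tls-files.yaml` and confirm that the rendered Deployment no longer contains `secretName: istio-ingressgateway-certs` or `secretName: istio-ingressgateway-ca-certs`, and that every `volumeMounts` entry on `istio-proxy` still has a matching entry under `volumes`. Patches are applied in order, so keep the deletes before the adds if you reuse the default volume names instead of the new ones used here.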