Vault CA support for Istio 1.3

https://istio.io/news/2019/announcing-1.3/ mentioned:

Blockquote
Removed integration with Vault CA temporarily. SDS requirements caused the temporary removal but we will reintroduce Vault CA integration in a future release.

I want to make sure I understand that correctly… Does that mean there is no option use Vault with citadel? If that’s the case, where will the support be added back?

@leitang

Sorry for the misleading message. Actually using Vault with Citadel should be supported, The affected use case is that Vault directly interacting with the Citadel Agent, because we have not verified that Vault is able to authenticate the Trustworthy JWTs. Lei can give you more information.

How about Keycloak Server? Is there anyway for it to interact with the Citadel agent? And can it authenticate the Trustworthy JWTs?

In current Istio implementation, Vault integration is through Citadel Agent, not through Citadel. Due to Trustworthy JWT, Istio 1.3 temporarily removed integration with Vault CA. It is TBD when Istio 1.3 will add back Vault support.
As to Keycloak Server, Istio currently does not support integration with Keycloak server yet.

@leitang I am a bit confused now. Do steps on https://archive.istio.io/v1.2/docs/tasks/security/vault-ca/ still work for Istio 1.3. If not, how do I configure Istio 1.3 to integrate with Vault for provisioning certificates for service mesh?

Due to Trustworthy JWT, the steps on https://archive.istio.io/v1.2/docs/tasks/security/vault-ca/ will not work for Istio 1.3. It is TBD when Istio 1.3 will add back Vault support.

So what are the options for people who want to use Vault for Istio until that support is added back? stay with Istio 1.2.x? I think it’s going to be disruptive switch to Vault for existing services running Istio 1.3 when the Vault support is back, right?

How are you using Vault with Istio now? Are you deploying Vault in the same cluster as your Istio cluster?

Besides Istio 1.2.x, another possible option is to add a flag to Istio 1.3 to choose whether using trustworthy JWT or not, which will avoid disrupting Vault for existing services running Istio 1.3.

Add @Oliver, @rlenglet regarding to the planning of adding the Vault support back to Istio 1.3.

We haven’t started using Vault with Istio yet; however, we already have Vault running outside of k8s. We’d to integrate Vault with Istio and want to make sure we have a clear path forward.

The task here https://archive.istio.io/v1.2/docs/tasks/security/vault-ca/ is just a toy example. I still think you can use Istio 1.3 with Vault. However, Vault needs to check if the audience of the jwt is istio-ca or not (but this is configurable).

Thanks. Is there a doc that details the step? This will not disrupt services vault support is added back, correct?

I don’t think there is a doc yet. (I don’t think there is a doc from istio.io that shows how to use Vault in prod env, we had just a toy example). What is your setup like?

If you look at the example before, every service is using the same service account, vault-citadel-sa, which means every service carries the same identity. This is what I meant when I said it’s just a toy example.

To add to this, if you’re running Vault on the same cluster as Istio workloads, I think it should be fine. But if you’re running Vault on another k8s cluster, you need to sync Istio cluster service accounts with Vault service accounts. Vault sends the jwt represents the service accounts to the api server for authenticating the jwt.

The task on istio.io and the PR provide an example that uses a k8s JWT for authentication, but it does not mean all services must use the same JWT for authentication: an user may configure multiple JWTs on Vault for issuing certificates with different identities and a service may use its own JWT to request a certificate.

So vault support for Istio with trustworthy JWT is gated on vault adding support for trustworthy JWT?

Yes. AFAIK, Hashicorp is working on such support for Vault.