
mTLS (ACM)

Overview

In this exercise you will integrate "AWS private CA issuer" with Service Mesh Manager.

Prerequisites

  • You have provisioned or imported an EKS cluster into the Rafay console
  • You have the helm 3.2+ CLI and the AWS CLI installed

Setup instructions:

You will need to create 4 namespaces and 3 add-ons to integrate AWS Private CA with service mesh.

Namespaces

  • istio-system
  • cert-manager
  • aws-pca-issuer
  • acm-pca

Add-ons:

  1. cert-manager (a popular native Kubernetes certificate management controller)
  2. AWS ACM issuer
  3. cert-manager-istio-csr

Step 1: Creating Namespaces (istio-system, cert-manager, aws-pca-issuer, acm-pca)

  • Log in to the Web Console and navigate to your Project as an Org Admin or Infrastructure Admin
  • Under Infrastructure, select "Namespaces" and create the namespaces (cert-manager, istio-system, aws-pca-issuer, acm-pca)

Step 2: Install Add-ons

cert-manager

Cert-manager is a popular native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault etc. Cert-manager will ensure that certificates are valid and up to date, and attempt to renew certificates at a configured time before they expire.

To create the cert-manager add-on, follow these steps:

  • Navigate to the Add-ons section
  • Click on New Add-on and select Create New Add-on from Catalog option

(Screenshot: Create cert-manager add-on)

  • Search for cert-manager in the Catalog
  • Save a copy of the values.yaml file (e.g. as cert-manager-values.yaml) and set installCRDs to true in it
  • Click on Create Add-on
  • Provide a name (e.g. "cert-manager") and select the namespace (e.g. "cert-manager")

(Screenshot: Create cert-manager add-on)

  • Click CREATE to go to the next step
  • Provide a version name
  • Upload the "cert-manager-values.yaml" file
  • Click SAVE CHANGES

(Screenshot: Create cert-manager add-on)

AWS ACM issuer add-on

Install the AWS PCA issuer

helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer
helm repo update
helm install aws-pca-issuer awspca/aws-privateca-issuer --namespace aws-pca-issuer

Ensure the pods are ready and running in the namespace.

(Screenshot: Verify ACM pods)

ACM Private CA

Create private CA

You need to create a private certificate authority in ACM Private CA that uses the RSA 2048 key algorithm.

  • Navigate to AWS console and search for "ACM-PCA"
  • Click on "Create a private CA"
  • Choose the general-purpose CA type, which allows a long validity period
  • Select RSA 2048 in key algorithm options and create the CA
  • Once created, select the CA you just created and enable it

(Screenshot: AWS Create CA)

  • Note the ID and ARN of the CA (shown when you open it)
  • Download the CA certificate by choosing "Get CA certificate" from Actions

Set node permission for ACM private CA

In order to issue a certificate from ACM Private CA, add the following IAM policy to your EKS NodeInstanceRole. Replace <region>, <account_id>, and <resource_id> with the values from the CA you created earlier:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "awspcaissuer",
            "Action": [
                "acm-pca:DescribeCertificateAuthority",
                "acm-pca:GetCertificate",
                "acm-pca:IssueCertificate"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:acm-pca:<region>:<account_id>:certificate-authority/<resource_id>"
        }       
    ]
}

  • Navigate to EC2 -> Instances in the AWS console and search for your cluster's nodes
  • Click on the IAM role from the instance details
  • Edit the role's policy in the JSON editor and append the statement above

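A pre-flight check for the policy, added here as an example (it is not part of the Rafay docs or of the aws-privateca-issuer project): it parses the policy JSON, confirms that only the three acm-pca actions above are granted, and rejects a Resource that is still a <placeholder> or a wildcard, so the node role ends up scoped to exactly one CA. The region, account ID and CA ID used for the filled-in copy are constructed sample values.

```python
import json
import re
from typing import Any, List

# The policy exactly as given above, placeholders still in place.
PAGE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "awspcaissuer",
            "Action": [
                "acm-pca:DescribeCertificateAuthority",
                "acm-pca:GetCertificate",
                "acm-pca:IssueCertificate"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:acm-pca:<region>:<account_id>:certificate-authority/<resource_id>"
        }
    ]
}"""

# The same policy with constructed sample values substituted (not a real account or CA).
FILLED_POLICY = (
    PAGE_POLICY.replace("<region>", "us-east-1")
    .replace("<account_id>", "123456789012")
    .replace("<resource_id>", "11111111-2222-3333-4444-555555555555")
)

# The only actions the issuer needs; anything beyond them is over-privileged.
EXPECTED_ACTIONS = {
    "acm-pca:DescribeCertificateAuthority",
    "acm-pca:GetCertificate",
    "acm-pca:IssueCertificate",
}

# One fully qualified private CA ARN. "<placeholders>", "*" or a partial ARN must not pass.
CA_ARN_RE = re.compile(
    r"^arn:aws:acm-pca:[a-z0-9-]+:\d{12}:certificate-authority/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def _as_list(value: Any) -> List[str]:
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else [str(v) for v in value]


def check_pca_policy(policy_json: str) -> List[str]:
    """Return the problems found in the acm-pca statement(s); an empty list means acceptable."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    pca_statements = [
        s for s in statements
        if any(a.startswith("acm-pca:") for a in _as_list(s.get("Action")))
    ]
    if not pca_statements:
        return ["no statement grants any acm-pca action"]
    problems: List[str] = []
    for stmt in pca_statements:
        if stmt.get("Effect") != "Allow":
            problems.append("acm-pca statement is not an Allow")
        actions = set(_as_list(stmt.get("Action")))
        for action in sorted(actions - EXPECTED_ACTIONS):
            problems.append(f"action not needed by the issuer: {action}")
        for action in sorted(EXPECTED_ACTIONS - actions):
            problems.append(f"action required by the issuer is missing: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if not CA_ARN_RE.match(resource):
                problems.append(f"resource is not one specific CA ARN: {resource}")
    return problems


if __name__ == "__main__":
    for label, doc in (("page template", PAGE_POLICY), ("filled in", FILLED_POLICY)):
        print(f"{label}: {check_pca_policy(doc) or 'ok'}")
```

Run it against the policy you are about to attach; the template as printed on the page fails on its unreplaced Resource, and a Resource of "*" or an Action of "acm-pca:*" is reported the same way.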

Create issuer in EKS

Create a YAML file with the spec below and save it as aws-acm-issuer.yaml. Replace <CA_ARN> and <Region> with the ARN and region saved from the previous step.

apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: aws-acm-issuer
spec:
  arn: <CA_ARN>
  region: <Region>

Create aws-acm-issuer add-on

  • Navigate to Project > Infrastructure > Add-Ons > Create new Add-on
  • Create the Add-On named aws-acm-issuer in the acm-pca namespace with the K8s YAML type
  • Create a new version of the addon by uploading the "aws-acm-issuer.yaml"

To verify that the issuer works, create a test Certificate in the acm-pca namespace with the spec below. Remember that issuerRef.name must be aws-acm-issuer.

kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: rsa-cert-2048
  namespace: acm-pca
spec:
  commonName: www.rsa-2048.example.com
  dnsNames:
    - www.rsa-2048.example.com
    - rsa-2048.example.com
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: aws-acm-issuer
  renewBefore: 360h0m0s
  secretName: rsa-example-cert-2048
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: "RSA"
    size: 2048

To check that the sample certificate is being issued, run the command below and verify the Issuer field in the output:

kubectl get secret rsa-example-cert-2048 -n acm-pca -o 'go-template={{index .data "tls.crt"}}' | base64 --decode | openssl x509 -noout -text
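Reading the Issuer line by eye is easy to get wrong, so here is an added check (not from the original page): the script parses the text that the openssl command above prints and confirms that the certificate was signed by the expected CA, has the requested 2048-bit key, carries both the server auth and client auth usages the Certificate asked for, and was not issued for longer than the requested 2160h (90 days). A constructed sample of the openssl output is embedded so the script runs offline; the CA name example-private-ca is an assumed placeholder for your own CA's CN.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample of `openssl x509 -noout -text` output for rsa-cert-2048,
# trimmed to the fields this check reads (real output has more lines; they are
# ignored). "example-private-ca" is an assumed CA name.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example-private-ca, O = Example Org
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Mar 31 00:00:00 2024 GMT
        Subject: CN = www.rsa-2048.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:www.rsa-2048.example.com, DNS:rsa-2048.example.com
"""

# openssl prints validity timestamps like "Jan  1 00:00:00 2024 GMT".
DATE_FMT = "%b %d %H:%M:%S %Y GMT"
SERVER_AUTH = "TLS Web Server Authentication"
CLIENT_AUTH = "TLS Web Client Authentication"


def _list_after(header: str, text: str) -> List[str]:
    """Return the comma-separated items on the line following an extension header."""
    m = re.search(re.escape(header) + r".*\n\s*(.+)", text)
    return [item.strip() for item in m.group(1).split(",")] if m else []


def parse_cert_text(text: str) -> Dict[str, object]:
    """Extract issuer CN, key size, EKUs, DNS SANs and lifetime from openssl's text dump."""
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M)
    issuer_cn = re.search(r"CN\s*=\s*([^,]+)", issuer.group(1)) if issuer else None
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    not_before = re.search(r"Not Before:\s*(.+)$", text, re.M)
    not_after = re.search(r"Not After\s*:\s*(.+)$", text, re.M)
    lifetime_days = None
    if not_before and not_after:
        start = datetime.strptime(not_before.group(1).strip(), DATE_FMT)
        end = datetime.strptime(not_after.group(1).strip(), DATE_FMT)
        lifetime_days = (end - start).total_seconds() / 86400
    sans = _list_after("Subject Alternative Name:", text)
    return {
        "issuer_cn": issuer_cn.group(1).strip() if issuer_cn else None,
        "key_bits": int(bits.group(1)) if bits else None,
        "ekus": set(_list_after("Extended Key Usage:", text)),
        "sans": {s[4:] for s in sans if s.startswith("DNS:")},
        "lifetime_days": lifetime_days,
    }


def check_issued_cert(text: str, expected_issuer_cn: str,
                      expected_bits: int = 2048, max_days: float = 90.0) -> List[str]:
    """Return every way the issued certificate differs from what the Certificate requested."""
    info = parse_cert_text(text)
    problems: List[str] = []
    if info["issuer_cn"] != expected_issuer_cn:
        problems.append(f"issuer CN is {info['issuer_cn']!r}, expected {expected_issuer_cn!r}")
    if info["key_bits"] != expected_bits:
        problems.append(f"key size is {info['key_bits']} bits, expected {expected_bits}")
    for usage in (SERVER_AUTH, CLIENT_AUTH):  # istio workload certs need both usages
        if usage not in info["ekus"]:
            problems.append(f"missing EKU {usage}")
    if info["lifetime_days"] is None or info["lifetime_days"] > max_days:
        problems.append(f"validity {info['lifetime_days']} days exceeds the requested {max_days}")
    return problems


if __name__ == "__main__":
    # Pipe the real dump in: kubectl ... | openssl x509 -noout -text | python3 check_cert.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CERT_TEXT
    print(check_issued_cert(text, "example-private-ca") or "certificate matches the request")
```

Pass the CN of your private CA as the second argument; an empty list means the secret holds a certificate from the right CA with the right key size, usages and lifetime, which is what istio-csr will rely on in the next step.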

Install cert-manager-istio-csr add-on from catalog

  • Navigate to Project > Infrastructure > Namespaces and create a new namespace istio-csr
  • Now navigate to Project > Catalog and search for istio-csr
  • Click on create new add-on cert-manager-istio-csr
  • Download and save the values.yaml file (you will need to edit it to point at the aws-acm-issuer)
  • Edit the issuer block of the values.yaml file as shown below (in the chart's values.yaml this block is nested under app.certmanager) and upload the file as the values.yaml on the next page

issuer:
  # -- Issuer name set on created CertificateRequests for both istio-csr's
  # serving certificate and incoming gRPC CSRs.
  name: aws-acm-issuer
  # -- Issuer kind set on created CertificateRequests for both istio-csr's
  # serving certificate and incoming gRPC CSRs.
  kind: AWSPCAClusterIssuer
  # -- Issuer group name set on created CertificateRequests for both
  # istio-csr's serving certificate and incoming gRPC CSRs.
  group: awspca.cert-manager.io

Step 3: Deploying Service Mesh Manager

Installation Profile

  • Navigate to Service Mesh -> Installation Profiles and create a Custom Profile
  • In the installation parameters, select CertManager as the Certificate Type

Step 4: Blueprint

  • Navigate to Infrastructure > Blueprint and create a new blueprint
  • Give a suitable name and scroll down to the Add-Ons section
  • Add cert-manager and version
  • Add aws-acm-issuer and a dependency on cert-manager
  • Add istio-csr and a dependency on cert-manager and aws-acm-issuer
  • Save changes and update the blueprint.

Step 5: Install and test a demo app

Follow the instructions in Get Started to deploy a test application in your cluster.

Recap

At this point you have successfully created the AWS Private CA issuer and deployed Rafay Service Mesh Manager to use its certificates to secure service-to-service communication in your cluster.