Releases: cert-manager/istio-csr
v0.11.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.11.0 further enhances support for runtime configuration, enabling "pure" runtime configuration where istio-csr can be installed at the same time as cert-manager. It also enables client cert auth via a great contribution from @wtzhang23, which provides an alternative method for workloads to renew their certificates.
JSON logging is also added for the first time, with some caveats!
Feature Overview
Pure Runtime Configuration
istio-csr v0.10.0 added initial support for runtime configuration, allowing the issuer to be changed easily after istio-csr starts. That release still, in practice, needed an issuer to be configured before istio-csr was installed, in order to provision the istiod cert and for initial configuration of istio serving certs.
v0.11.0 adds "pure" runtime configuration, allowing istio-csr and cert-manager to be installed entirely concurrently. To achieve this, istio-csr gains the ability to dynamically provision an istiod cert, and now waits for issuer configuration before any attempts to issue serving certs.
An example of runtime-configured istio-csr would use the following values.yaml:
app:
  runtimeIssuanceConfigMap: runtime-config-map
  certmanager:
    issuer:
      # explicitly blank these values out, since they're defaulted
      name: ""
      kind: ""
      group: ""
  tls:
    istiodCertificateEnable: "dynamic" # new in v0.11.0!
Note that istio-csr pods won't report as "ready" until an issuer is configured, so a Helm install won't complete until you've created a ConfigMap specifying an issuer!
$ kubectl create configmap runtime-config-map -n cert-manager \
  --from-literal=issuer-name=istio-ca \
  --from-literal=issuer-kind=Issuer \
  --from-literal=issuer-group=cert-manager.io
Client Cert Auth
Previously, workloads attempting to renew their serving certs with istio-csr were required to present their Kubernetes service account JWT for validation. Istio (when used without istio-csr) allows for several auth methods, including client cert auth, where the already-provisioned mTLS certificate is itself used as the credential.
Now, istio-csr has gained support for client cert auth, using the trusted CA bundle already supported in istio-csr. The functionality is behind a flag, and can be enabled with a Helm value: --set app.server.authenticators.enableClientCert=true.
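The security-relevant part of client cert auth is what the server must check before trusting the presented certificate: it has to chain to the trusted CA bundle, be valid for client authentication and still be within its validity period, and the identity it carries (Istio puts the workload identity in a SPIFFE URI SAN) must match the identity the renewal CSR asks for, otherwise one workload could renew certificates for another. The following Go program is an added illustration of those checks written for this page; it is not istio-csr's implementation, and the CA, the workload certificate and the SPIFFE IDs it uses are constructed in-process. How istio-csr itself maps the presented certificate onto the CSR is not described in the release notes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// signCert signs tmpl under parent with parentKey (self-signed when parent == tmpl). Fixture helper only.
func signCert(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA builds a constructed CA standing in for the CA behind the cert-manager issuer.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture; key generation errors ignored
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return signCert(tmpl, tmpl, &key.PublicKey, key), key
}

// NewWorkloadCert issues a leaf cert whose identity is a SPIFFE URI SAN, the form Istio uses for workloads.
func NewWorkloadCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture; errors ignored
	id, _ := url.Parse(spiffeID)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		URIs:         []*url.URL{id},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return signCert(tmpl, ca, &key.PublicKey, caKey)
}

// AuthenticateClientCert verifies that the presented certificate chains to the trusted bundle,
// is within its validity period and is usable for client auth, then returns its SPIFFE ID.
func AuthenticateClientCert(presented *x509.Certificate, trusted *x509.CertPool) (string, error) {
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("client certificate not trusted: %v", err)
	}
	for _, u := range presented.URIs {
		if u.Scheme == "spiffe" {
			return u.String(), nil
		}
	}
	return "", fmt.Errorf("client certificate carries no SPIFFE URI SAN")
}

// AuthorizeRenewal binds the authenticated identity to the one the renewal CSR asks for:
// a workload may renew its own certificate and nothing else.
func AuthorizeRenewal(presented *x509.Certificate, trusted *x509.CertPool, requestedID string) error {
	id, err := AuthenticateClientCert(presented, trusted)
	if err != nil {
		return err
	}
	if id != requestedID {
		return fmt.Errorf("identity mismatch: client is %s, CSR requests %s", id, requestedID)
	}
	return nil
}

func main() {
	ca, caKey := NewCA("example-ca")
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	own := "spiffe://cluster.local/ns/default/sa/sleep"
	cert := NewWorkloadCert(ca, caKey, own)
	fmt.Println("own identity:", AuthorizeRenewal(cert, trusted, own))
	fmt.Println("other identity:", AuthorizeRenewal(cert, trusted, "spiffe://cluster.local/ns/default/sa/httpbin"))
}
```

The trusted pool is the analogue of the CA bundle the release notes mention; a certificate signed by any CA outside that bundle fails at the Verify step before its SAN is even looked at, and a valid certificate presented for a different identity fails at the mismatch check.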
JSON Logging
Thanks to the new logFormat Helm value, JSON logging can be enabled for istio-csr: --set app.logFormat=json.
JSON logs are now used by default in several istio-csr tests, and are very useful for parseable structured logs. The caveats are twofold:
- First, there's no guarantee that all output will be in JSON format. In testing, logging seemed to be consistently JSON, but it's possible that some plain-text output could appear.
- Second, log formats are not currently consistent - different log lines may have different keys.
We'd appreciate contributions if anyone is willing to work on these caveats!
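Both caveats above matter to anyone feeding istio-csr logs into a SIEM or alerting pipeline: a parser that assumes every line is a JSON object with fixed key names will silently drop text lines and miss events whose level or message sits under a different key. The following Go program is an added example written for this page, not code from istio-csr; it parses a stream where some lines are JSON and some are not, normalizes the level and message fields across a few plausible key names, keeps text lines verbatim and counts how many lines were not JSON so the pipeline can alert when the assumption breaks. The sample log lines and their key names are constructed for the example and are not istio-csr's actual log schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Entry is one normalized log line.
type Entry struct {
	IsJSON  bool
	Level   string
	Message string
	Fields  map[string]any // remaining keys, under whatever names the line used
	Raw     string         // original line, kept for text lines and for auditing
}

// Different lines (or different libraries sharing the process) may name the same
// concept differently; these are the candidate keys checked, in order.
var (
	levelKeys = []string{"level", "severity", "lvl"}
	msgKeys   = []string{"msg", "message"}
)

// take removes and returns the first candidate key present in m.
func take(m map[string]any, candidates []string) string {
	for _, k := range candidates {
		if v, ok := m[k]; ok {
			delete(m, k)
			return fmt.Sprint(v)
		}
	}
	return ""
}

// ParseLine parses a JSON object line; anything else is kept verbatim as a text
// entry rather than dropped, so non-JSON output from a dependency is not lost.
func ParseLine(line string) Entry {
	line = strings.TrimSpace(line)
	var m map[string]any
	if strings.HasPrefix(line, "{") && json.Unmarshal([]byte(line), &m) == nil {
		return Entry{IsJSON: true, Level: strings.ToLower(take(m, levelKeys)), Message: take(m, msgKeys), Fields: m, Raw: line}
	}
	return Entry{Message: line, Fields: map[string]any{}, Raw: line}
}

// ParseLog parses a whole stream and reports how many lines were not JSON.
func ParseLog(stream string) (entries []Entry, nonJSON int) {
	for _, line := range strings.Split(stream, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		e := ParseLine(line)
		if !e.IsJSON {
			nonJSON++
		}
		entries = append(entries, e)
	}
	return entries, nonJSON
}

// CountByLevel summarizes entries; text lines, which carry no level, land under "unknown".
func CountByLevel(entries []Entry) map[string]int {
	out := map[string]int{}
	for _, e := range entries {
		lvl := e.Level
		if lvl == "" {
			lvl = "unknown"
		}
		out[lvl]++
	}
	return out
}

// Sample is constructed for this example: two JSON lines with different key names,
// one plain-text line, one error line. It is not istio-csr's real log output.
const Sample = `{"level":"info","ts":1700000000.1,"logger":"istio-csr","msg":"starting grpc server","address":":6443"}
{"severity":"INFO","message":"runtime issuer configured","issuer-name":"istio-ca","issuer-kind":"Issuer"}
2024-01-01T00:00:00Z	info	plain text line from a dependency
{"level":"error","msg":"failed to issue serving certificate","attempt":3}`

func main() {
	entries, nonJSON := ParseLog(Sample)
	fmt.Printf("%d entries, %d not JSON, by level: %v\n", len(entries), nonJSON, CountByLevel(entries))
}
```

Alerting on nonJSON > 0 (or on a rising ratio) is the practical way to notice the first caveat in production; the alias lists are where the second caveat is absorbed, and should be extended as new key names are observed.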
What's Changed
Runtime Configuration
- Add ability to dynamically configure istiod cert by @SgtCoDFish in #359
- Add retries for issuing initial serving cert by @SgtCoDFish in #364
JSON Logs
- Add flag to set log-format by @seankhliao in #354
- Test with JSON logs, improve logs aesthetics for JSON by @SgtCoDFish in #356
- Configure istio logging when JSON selected by @SgtCoDFish in #358
Other
- Disable kubernetes client side rate limiting by @seankhliao in #352
- Implement client cert auth by @wtzhang23 in #357
- Add topologySpreadConstraints to Helm chart by @SgtCoDFish in #365
- Helm updates for istiod cert by @SgtCoDFish in #355
- Add some release detail which appears to be missing by @SgtCoDFish in #366
New Contributors
- @seankhliao made their first contribution in #354
- @wtzhang23 made their first contribution in #357
Full Changelog: v0.10.0...v0.11.0
v0.11.0-alpha.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.11.0-alpha.0 is a prerelease for testing of "pure" runtime configuration, topologySpreadConstraints support, JSON logs and client cert auth.
Full release notes will be provided when v0.11.0 is released!
What's Changed
Runtime Configuration
- Add ability to dynamically configure istiod cert by @SgtCoDFish in #359
- Add retries for issuing initial serving cert by @SgtCoDFish in #364
JSON Logs
- Add flag to set log-format by @seankhliao in #354
- Test with JSON logs, improve logs aesthetics for JSON by @SgtCoDFish in #356
- Configure istio logging when JSON selected by @SgtCoDFish in #358
Other
- Disable kubernetes client side rate limiting by @seankhliao in #352
- Implement client cert auth by @wtzhang23 in #357
- Add topologySpreadConstraints to Helm chart by @SgtCoDFish in #365
- Helm updates for istiod cert by @SgtCoDFish in #355
New Contributors
- @seankhliao made their first contribution in #354
- @wtzhang23 made their first contribution in #357
Full Changelog: v0.10.0...v0.11.0-alpha.0
v0.10.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.10.0 provides some cool new features - initial support for easier runtime configuration, support for the s390x architecture and dependency updates!
Initial Runtime Configuration Support
istio-csr requires cert-manager to be installed to be able to issue certificates; using cert-manager to issue istio certificates is the whole reason to use istio-csr!
More subtly, istio-csr actually requires a cert-manager issuer to be created before istio-csr is installed. This issuer is used to issue the istiod certificate, the istio serving certificate and workload certificates.
This dependency means that it's not possible to install istio-csr and cert-manager at the same time, which can be a problem for some users and some installation methods. Runtime configuration aims to solve that problem, by allowing the issuer to be defined at runtime through a ConfigMap resource in the same namespace as the istio-csr pods.
Plus, since the issuer is defined at pod startup time (via the Helm chart) it's not possible to swap out an issuer on the fly while istio-csr pods are running. Runtime configuration changes this:
$ kubectl create configmap -n cert-manager istio-issuer \
--from-literal=issuer-name=my-issuer-name \
--from-literal=issuer-kind=ClusterIssuer \
--from-literal=issuer-group=cert-manager.io
$ cat values.yaml
app:
  runtimeIssuanceConfigMap: istio-issuer
  certmanager:
    issuer:
      name: ""
      kind: ""
      group: ""
  tls:
    rootCAFile: "/var/run/secrets/istio-csr/ca.pem"
    istiodCertificateEnable: false
volumeMounts:
  - name: root-ca
    mountPath: /var/run/secrets/istio-csr
volumes:
  - name: root-ca
    secret:
      secretName: istio-root-ca
$ helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
  --install \
  --namespace cert-manager \
  --wait \
  --values values.yaml
This initial support does require that the istiod certificate is disabled, which means there's a need to provision that certificate ahead of installing istio-csr.
Alternatively, istiodCertificateEnable can be left as true and app.certmanager.issuer can be provided. This still requires cert-manager to be installed and configured before istio-csr, but it does allow the issuer to be swapped out on the fly.
A future release of istio-csr should help with provisioning the istiod certificate dynamically, allowing for true runtime configuration.
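Both the v0.11.0 and the v0.10.0 runtime configuration examples above drive the issuer from the three ConfigMap keys issuer-name, issuer-kind and issuer-group, and v0.11.0 notes that the pods stay not-ready until an issuer is configured, so a ConfigMap with a missing or empty key is the obvious way to end up with a Helm install that never completes. The following Go program is an added example written for this page, not istio-csr's own loader (the release notes do not describe how istio-csr validates these keys): it turns ConfigMap data into a complete issuer reference, names every missing key in one error, and rejects a kind that cannot exist in the cert-manager.io group while leaving external issuer groups unconstrained. The inputs in main are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// IssuerRef mirrors the three fields the runtime ConfigMap carries.
type IssuerRef struct {
	Name, Kind, Group string
}

// Data keys as used in the kubectl create configmap examples in the release notes.
const (
	keyName  = "issuer-name"
	keyKind  = "issuer-kind"
	keyGroup = "issuer-group"
)

// IssuerRefFromConfigMap validates ConfigMap data and builds a complete issuer
// reference, refusing partial or inconsistent values so misconfiguration is
// reported explicitly instead of surfacing as pods that never become ready.
func IssuerRefFromConfigMap(data map[string]string) (IssuerRef, error) {
	ref := IssuerRef{
		Name:  strings.TrimSpace(data[keyName]),
		Kind:  strings.TrimSpace(data[keyKind]),
		Group: strings.TrimSpace(data[keyGroup]),
	}
	var missing []string
	for k, v := range map[string]string{keyName: ref.Name, keyKind: ref.Kind, keyGroup: ref.Group} {
		if v == "" {
			missing = append(missing, k)
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing)
		return IssuerRef{}, fmt.Errorf("runtime issuer ConfigMap incomplete, missing or empty: %s", strings.Join(missing, ", "))
	}
	// cert-manager's own API group defines only these two issuer kinds; external
	// issuers live in other groups and may use any kind name.
	if ref.Group == "cert-manager.io" && ref.Kind != "Issuer" && ref.Kind != "ClusterIssuer" {
		return IssuerRef{}, fmt.Errorf("kind %q is not valid in group cert-manager.io", ref.Kind)
	}
	return ref, nil
}

func main() {
	// Constructed inputs: the ConfigMap from the v0.11.0 example and a partial one.
	good := map[string]string{keyName: "istio-ca", keyKind: "Issuer", keyGroup: "cert-manager.io"}
	partial := map[string]string{keyName: "istio-ca"}
	for _, d := range []map[string]string{good, partial} {
		ref, err := IssuerRefFromConfigMap(d)
		fmt.Printf("%+v err=%v\n", ref, err)
	}
}
```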
s390x Support
Thanks to @rishikakedia, istio-csr now supports the s390x architecture! While the cert-manager project's ability to test on s390x is limited, we hope this support is useful and we'd be happy to action any bugs you find!
What's Changed
Features
- Add ability to configure issuer at runtime by @SgtCoDFish in #343
- Add support for s390x for istio-csr by @rishikakedia in #323
- Bump dep for CVE-2024-28122, ignore false positive istio vulns by @SgtCoDFish in #344
- Add nameOverride to values.yaml so it is allowed by the jsonSchema validation by @inteon in #349
Testing / Documentation
- docs: add RELEASE.md file to document release by @ThatsMrTalbot in #316
- Add option to focus a specific e2e test by @SgtCoDFish in #341
- Add updated versions of istio config to enable tests by @SgtCoDFish in #345
- Increase timeout for namespace e2e test polling by @SgtCoDFish in #348
New Contributors
- @rishikakedia made their first contribution in #323 🎉
Full Changelog: v0.9.0...v0.10.0
v0.9.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
This release upgrades the Go version used to build to 1.22.3 and bumps all Go dependency versions.
Additionally, this release contains small bug fixes and tests for Istio 1.20. Lastly, it adds JSON schema validation to the Helm chart.
What's Changed
- Hef/csr p384 generation fix by @SpectralHiss in #274
- Bump to latest Istio version for E2E tests by @MattiasGees in #271
- Helm Uniformize label options by @inteon in #280
- Helm: set linux nodeSelector by default by @inteon in #315
- Remove README header since it is already included in the artifacthub sidebar by @inteon in #267
- Fix values.yaml by @inteon in #268
- Enable helm-tool linter and schema generator by @inteon in #258
Version bumps
- Bump the all group with 2 updates by @dependabot in #272
- Bump the all group with 7 updates by @dependabot in #275
- Bump the all group with 2 updates by @dependabot in #281
- Bump the all group with 13 updates by @dependabot in #290
- Bump the all group with 3 updates by @dependabot in #295
- Bump the all group across 1 directory with 8 updates by @dependabot in #303
- Bump github.com/cert-manager/cert-manager from 1.14.4 to 1.14.5 in the all group by @dependabot in #304
- Bump the all group across 1 directory with 4 updates by @dependabot in #310
- Bump the all group across 1 directory with 4 updates by @dependabot in #314
Full Changelog: v0.8.1...v0.9.0
v0.8.1
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
What's Changed
- add ability to provide additional DNS names to istiod certificate by @apsega in #262
- Update Chart.yaml properties by @inteon in #263
- [CI] Merge self-upgrade into main by @github-actions in #264
- Bump the all group with 1 update by @dependabot in #265
- Bump the all group with 1 update by @dependabot in #261
Full Changelog: v0.8.0...v0.8.1
v0.8.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
Breaking Changes
This release of istio-csr changes how containers are built, which in turn changes the path at which the binary can be found inside the container.
This means that new container images cannot be used with older Helm charts, or with any software which expects the old path.
For the simplest upgrade experience, use the latest helm chart with the latest image.
What's Changed
- Upgrade ginkgo to v2 by @inteon in #225
- Add spectralhiss as reviewer for istio-csr by @SgtCoDFish in #241
- chore: add thatsmrtalbot as reviewer by @ThatsMrTalbot in #250
- Set controller-runtime global logger by @inteon in #247
- Cleanup chart properties by @inteon in #255
- Use Helm template to generate image OCI path by @inteon in #254
- Use helm tool by @inteon in #256
Dependabot updates
- Bump the all group with 11 updates by @dependabot in #227
- Bump the all group with 3 updates by @dependabot in #238
- Bump the all group with 7 updates by @dependabot in #248
Makefile updates
- Migrate makefiles and CI/CD by @inteon in #221
- Use upstream images instead of custom built images by @inteon in #226
- Upload junit and coverage results to ARTIFACTS folder by @inteon in #229
- Upgrade repository-base module by @inteon in #237
- Upgrade oci-image module by @inteon in #245
- Preload images used in e2e tests by @inteon in #230
- Use standardised release process by @inteon in #252
- Fix typo which defines unused variable by @SgtCoDFish in #253
- [CI] Merge self-upgrade into main by @github-actions in #259
New Contributors
- @github-actions made their first contribution in #228
- @dependabot made their first contribution in #227
- @ThatsMrTalbot made their first contribution in #250
Full Changelog: v0.7.1...v0.8.0
v0.8.0-alpha.0
What's Changed
- Add spectralhiss as reviewer for istio-csr by @SgtCoDFish in #241
- chore: add thatsmrtalbot as reviewer by @ThatsMrTalbot in #250
- Set controller-runtime global logger by @inteon in #247
Dependabot updates:
- Bump the all group with 11 updates by @dependabot in #227
- Bump the all group with 3 updates by @dependabot in #238
- Bump the all group with 7 updates by @dependabot in #248
Makefile updates:
- Migrate makefiles and CI/CD by @inteon in #221
- Upgrade ginkgo to v2 by @inteon in #225
- Upgrade oci-image module by @inteon in #245
- Preload images used in e2e tests by @inteon in #230
- Use standardised release process by @inteon in #252
- Upload junit and coverage results to ARTIFACTS folder by @inteon in #229
- Upgrade repository-base module by @inteon in #237
- Use upstream images instead of custom built images by @inteon in #226
- [CI] Merge self-upgrade into main by @github-actions in #228
- [CI] Merge self-upgrade into main by @github-actions in #232
- [CI] Merge self-upgrade into main by @github-actions in #234
- [CI] Merge self-upgrade into main by @github-actions in #235
- [CI] Merge self-upgrade into main by @github-actions in #236
- [CI] Merge self-upgrade into main by @github-actions in #239
- [CI] Merge self-upgrade into main by @github-actions in #240
- [CI] Merge self-upgrade into main by @github-actions in #242
- [CI] Merge self-upgrade into main by @github-actions in #243
New Contributors
- @github-actions made their first contribution in #228
- @dependabot made their first contribution in #227
- @ThatsMrTalbot made their first contribution in #250
Full Changelog: v0.7.1...v0.8.0-alpha.0
v0.7.1
istio-csr secures Istio workloads and control plane components using cert-manager.
v0.7.1 is a patch release updating some dependencies to fix publicly known CVEs - specifically the HTTP/2 stream cancellation / rapid reset bug (CVE-2023-44487 and CVE-2023-39325), although some other upgrades are included too.
What's Changed
- Dependency bumps by @SgtCoDFish in #219
- Add "inner workings" section to README.md by @inteon in #204
Full Changelog: v0.7.0...v0.7.1
v0.7.0
istio-csr secures Istio workloads and control plane components using cert-manager.
What's Changed
- Allow ECDSA serving certificate by @Alkemic in #179
- Add IstioOperator CR for v1.17.0 by @inteon in #194
- Bump deps by @irbekrm in #207
- Update istio libs by @irbekrm in #209
- Add namespace values in Helm template by @inteon in #206
- Add ability to specify extra annotations on CRs by @aidy in #212
- Change versions from v0.6.0 to v0.7.0 by @inteon in #214
Full Changelog: v0.6.0...v0.7.0
v0.6.0
What's Changed
- fix: metrics service labels by @konnoska in #181
- Fix serviceaccount imagePullSecret by @craigmunro in #182
- A service isn't a requirement for the servicemonitor by @MattiasGees in #114
- Update go to 1.19, update dependencies by @malovme in #190
- Remove controller.rootCAConfigMapName from helm values by @jewertow in #188
- Add support for setting namespace for istio control plane. Fixes #152 by @knutejohKLP in #185
- Update OWNERS file by @inteon in #193
- Limit namespaces for configmaps, useful for multitenant environments by @knutejohKLP in #195
- Remove unused LeaderElectionNamespace field by @inteon in #198
- Seperate Role permissions between leases for leader election and cert… by @SpectralHiss in #196
- Release v0.6.0-alpha.0 by @SpectralHiss in #201
- Release v0.6.0 by @inteon in #203
New Contributors
- @konnoska made their first contribution in #181
- @craigmunro made their first contribution in #182
- @MattiasGees made their first contribution in #114
- @malovme made their first contribution in #190
- @jewertow made their first contribution in #188
- @knutejohKLP made their first contribution in #185
- @inteon made their first contribution in #193
Full Changelog: v0.5.0...v0.6.0