Add TID CA rotation guide and CI workflow #2
Merged
Introduces a comprehensive README for Tetrate Istio Distribution (TID) installation with automated CA rotation using cert-manager, including architecture diagrams and troubleshooting. Adds GitHub Actions workflow for validation, reference documentation for certificate rotation, automation scripts, and removes legacy GetMesh/TSB instructions and images.
Replaces image-based architecture diagrams with inline Mermaid diagrams in README and documentation files for improved clarity and maintainability. Updates the GitHub workflow to install and configure Kind manually instead of using the helm/kind-action. Removes obsolete diagram files from the images directory.
Eliminated the creation of the istio-ingress namespace and installation of the Istio Gateway from both the GitHub workflow and install script. This streamlines the TID installation process and removes related pod verification steps.
Enhanced scripts and documentation to automatically detect and handle multiple possible key formats for Istio CA certificates in the 'cacerts' secret (e.g., 'ca-cert.pem', 'tls.crt'). Updated workflow, scripts, and guides to provide robust certificate expiry, issuer, and rotation validation, including improved troubleshooting and monitoring commands.
Updated tid-validation workflow to use istioctl 1.21.0 for compatibility with TID 1.24.0 and added fallback logic for certificate validation and rotation when istioctl fails. Documentation in README.md and CERTIFICATE-REFERENCE.md now includes notes and alternative methods for certificate validation in case of istioctl version mismatches.
Enhanced workflow steps to ensure Istio sidecars are fully initialized before mTLS tests. Added extra waits, readiness checks, and more reliable mTLS communication tests using the curl deployment and a dedicated test pod. Improved debugging output and certificate validation after pod restarts.
Renamed the GitHub Actions workflow to venafi-integration-validation and updated it to validate Venafi Cloud integration with Istio using istio-csr and cert-manager. Added VENAFI-INTEGRATION.md with setup and architecture details, updated README.md to focus on Venafi Cloud integration, and replaced TID references. Added scripts for installing Venafi components and Istio integration. Enhanced automation and documentation for enterprise certificate lifecycle management in Istio service mesh.
Upgrades KIND, Kubernetes, and Istio versions in the Venafi integration workflow and refactors IstioOperator configuration for external CA integration. Expands and modernizes the CERTIFICATE-REFERENCE.md with Venafi Cloud details, updated configuration examples, monitoring, troubleshooting, and operational guidance. Removes legacy scripts for Tetrate Istio Distribution and CA rotation setup, as these are now superseded by the Venafi integration workflow.
Simplifies and updates the IstioOperator YAML example for Venafi integration, reflecting changes in configuration fields and environment variables. The new example uses the cert-manager-istio-csr profile and disables the CA server functionality in istiod.
Revised authentication steps to use service account creation and docker config output. Updated Kubernetes manifest application command to use 'venctl tool sync'. Added venafi_registry_docker_config.json as an example output file.
Removed Venafi integration scripts, documentation, and workflow in favor of a new GitHub Actions CI workflow that tests Istio CA certificate rotation using cert-manager with a self-signed issuer. Updated README to reflect the new approach and added scripts for cert-manager, Istio installation, and CA setup. Cleaned up obsolete files related to Venafi integration.
Simplifies Istio installation by removing explicit AUTO_RELOAD_PLUGIN_CERTS configuration, as certificate auto-reload is now enabled by default in Istio 1.25.2. Updates documentation and scripts to reflect new versions and behavior.
Bumped KIND to v0.29.0 and Kubernetes to v1.32.5 in CI workflow. Expanded the README with detailed mermaid diagrams illustrating certificate issuance flow, certificate files and secrets, and mTLS certificate chain for improved documentation and clarity.
Replaces kubectl exec with kubectl run using curlimages/curl for mTLS connectivity tests in CI, README, and verify-setup.sh. Adds steps and documentation for verifying sidecar certificates and extracting issuer details using istioctl and openssl. Enhances script output for clarity during setup verification.
Introduces a curl-test deployment using the netshoot image in both CI workflow and verify-setup.sh script. Updates connectivity test to use kubectl exec on the curl-test deployment instead of running a temporary curl pod. Also sets ISTIO_VERSION and updates PATH in verify-setup.sh.
Eliminated certificate rotation and reload verification steps from CI workflow and removed related force renewal instructions from README. This streamlines the workflow and documentation by omitting manual certificate renewal testing.
Added kubectl wait commands for the curl-test pod in both the CI workflow and verify-setup.sh script to ensure the pod is ready before running connectivity tests. This improves reliability of the deployment and testing process.