Integrations

Cofide Connect integrates with other software and services in the Cloud Native ecosystem.

Istio is a popular and mature service mesh technology which supports integrating with SPIRE. In this mode SPIRE acts as the Certificate Authority (CA) for Istio, providing SVIDs to the Envoy proxies within the mesh. These proxies can then use the SVIDs for mutual TLS (mTLS) communication with other proxies or workloads. This allows workloads to reap the benefits of zero-trust security without needing to be SPIFFE-aware. Istio must currently be used in sidecar mode rather than Ambient mode until istio/istio#42339 is complete.

When installing Istio for use with SPIRE, care must be taken to ensure that it is configured correctly. Here is an example IstioOperator custom resource.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    trustDomain: local.domain
    caCertificates:
      - trustDomains:
          - other1.domain
          - other2.domain
  values:
    global:
      network: local.domain
      multiCluster:
        clusterName: local.cluster
    gateways:
      istio-ingressgateway:
        injectionTemplate: gateway
    sidecarInjectorWebhook:
      templates:
        spire: |
          spec:
            containers:
              - name: istio-proxy
                volumeMounts:
                  - name: workload-socket
                    mountPath: /run/secrets/workload-spiffe-uds
                    readOnly: true
            volumes:
              - name: workload-socket
                csi:
                  driver: "csi.spiffe.io"
                  readOnly: true
  components:
    ingressGateways:
      - name: istio-eastwestgateway
        label:
          istio: eastwestgateway
          app: istio-eastwestgateway
          topology.istio.io/network: local.domain
        enabled: true
        k8s:
          env:
            - name: ISTIO_META_REQUESTED_NETWORK_VIEW
              value: local.domain
          service:
            ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: tls
                port: 15443
                targetPort: 15443
              - name: tls-istiod
                port: 15012
                targetPort: 15012
              - name: tls-webhook
                port: 15017
                targetPort: 15017
      - name: istio-ingressgateway
        enabled: true
        label:
          istio: ingressgateway
          topology.istio.io/network: local.domain

Istio must be configured with the name of the local trust domain and Kubernetes cluster, in this example local.domain and local.cluster respectively. Note that the local trust domain is referenced in several places: meshConfig.trustDomain, values.global.network, the topology.istio.io/network label on each gateway, and the ISTIO_META_REQUESTED_NETWORK_VIEW environment variable on the east-west gateway. All of these must agree. Istio must also be configured with the names of any federated trust domains; here these are other1.domain and other2.domain. See the Istio documentation for further details.

This configuration provides a spire sidecar injector webhook template that gives the Istio sidecar access to the SPIRE Workload API socket via the SPIFFE CSI driver. Pods opt in to the template with the inject.istio.io/templates annotation:

metadata:
  labels:
    sidecar.istio.io/inject: "true"
  annotations:
    inject.istio.io/templates: "sidecar,spire"
    proxy.istio.io/config: |
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
        ISTIO_META_DNS_AUTO_ALLOCATE: "true"

Alternatively, use the following in the IstioOperator custom resource to inject the SPIRE Workload API socket into all sidecar-injected pods by default:

spec:
  values:
    sidecarInjectorWebhook:
      defaultTemplates:
        - sidecar
        - spire
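The IstioOperator example above repeats the local trust domain in several fields and relies on the spire template mounting the SPIFFE CSI socket; a mismatch in any of them silently breaks SPIRE-issued identities or federation. The following is an added example, not Cofide or Istio code: a pre-apply consistency check over the manifest loaded as a Python dict (for a real file, pass the result of yaml.safe_load to check_spire_istio). The GOOD manifest is constructed here to mirror the page's example, and drifted() is a hypothetical misconfiguration used to show a finding.

```python
import copy

def _get(d, *path, default=None):
    """Walk nested dicts by key; return default when any step is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d

def check_spire_istio(op: dict) -> list[str]:
    """Return findings for an IstioOperator dict; an empty list means it is consistent."""
    td = _get(op, "spec", "meshConfig", "trustDomain")
    findings = [] if td else ["meshConfig.trustDomain is not set"]
    if _get(op, "spec", "values", "global", "network") != td:
        findings.append("values.global.network does not match meshConfig.trustDomain")
    # The spire template must mount the Workload API socket through the SPIFFE CSI driver.
    tmpl = _get(op, "spec", "values", "sidecarInjectorWebhook", "templates", "spire", default="")
    if "/run/secrets/workload-spiffe-uds" not in tmpl or "csi.spiffe.io" not in tmpl:
        findings.append("sidecarInjectorWebhook.templates.spire does not mount the SPIFFE CSI socket")
    # caCertificates lists the federated (remote) trust domains, never the local one.
    for ca in _get(op, "spec", "meshConfig", "caCertificates", default=[]):
        if td in ca.get("trustDomains", []):
            findings.append(f"caCertificates lists the local trust domain {td} as federated")
    # Every gateway carries the local network label; east-west also needs the network-view env.
    for gw in _get(op, "spec", "components", "ingressGateways", default=[]):
        name = gw.get("name", "<unnamed>")
        if _get(gw, "label", "topology.istio.io/network") != td:
            findings.append(f"gateway {name}: topology.istio.io/network label != trustDomain")
        env = {e.get("name"): e.get("value") for e in _get(gw, "k8s", "env", default=[])}
        if name == "istio-eastwestgateway" and env.get("ISTIO_META_REQUESTED_NETWORK_VIEW") != td:
            findings.append(f"gateway {name}: ISTIO_META_REQUESTED_NETWORK_VIEW != trustDomain")
    return findings

GOOD = {"spec": {  # constructed manifest mirroring the page's example (local.domain / local.cluster)
    "meshConfig": {"trustDomain": "local.domain",
                   "caCertificates": [{"trustDomains": ["other1.domain", "other2.domain"]}]},
    "values": {"global": {"network": "local.domain", "multiCluster": {"clusterName": "local.cluster"}},
               "sidecarInjectorWebhook": {"templates": {"spire": (
                   "spec:\n  containers:\n    - name: istio-proxy\n      volumeMounts:\n        - name: workload-socket\n"
                   "          mountPath: /run/secrets/workload-spiffe-uds\n  volumes:\n    - name: workload-socket\n"
                   "      csi:\n        driver: \"csi.spiffe.io\"\n")}}},
    "components": {"ingressGateways": [
        {"name": "istio-eastwestgateway", "label": {"topology.istio.io/network": "local.domain"},
         "k8s": {"env": [{"name": "ISTIO_META_REQUESTED_NETWORK_VIEW", "value": "local.domain"}]}},
        {"name": "istio-ingressgateway", "label": {"topology.istio.io/network": "local.domain"}}]}}}

def drifted() -> dict:
    """Hypothetical drift: the east-west gateway env was left on a stale network name."""
    bad = copy.deepcopy(GOOD)
    bad["spec"]["components"]["ingressGateways"][0]["k8s"]["env"][0]["value"] = "old.domain"
    return bad
```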

The istio-eastwestgateway is used for federated services when the server and client are both running in Istio meshes. The istio-ingressgateway is used for federated services when the server runs in an Istio mesh and the client runs in a non-Istio Kubernetes cluster.

When creating a cluster resource in the Connect API in which Istio will be installed, set the cluster’s profile to istio. This will cause cofidectl to generate Helm values for SPIRE Agent that allow federation in an Istio environment.

See Federated Services.