Skip to main content

Integrating SPIRL with Istio

SPIRL Agents also implement the Envoy SDS API over the same socket as the SPIFFE Workload API and can be used directly with Envoy or with Istio. Istio has very strict requirements on the format of SPIFFE ID (spiffe://trust-domain/ns/namespace-name/sa/service-account-name), location of SDS API socket and socket name (/run/secrets/workload-spiffe-uds), and the name of volume where the SDS Socket is mounted (workload-socket). Therefore, SPIRL has a special mode to work with Istio.

When you install SPIRL onto a Kubernetes cluster that you intend to use with Istio, you should specify --platform istio flag when adding to cluster to your SPIRL trust domain using the spirl cluster add command:

spirlctl cluster add team-awesome --trust-domain example.com --platform istio

This will configure the SPIRL components installed into the Kubernetes cluster to work with Istio.

Using Istio Operator Injection Webhook Template

Istio Operator has a feature called Istio Sidecar injection custom template. This feature allows you to use your own template to inject Istio Sidecar into your Pods. SPIRL provides a template that you can use to inject Istio Sidecar into your Pods.

Please create file named istio-spirl.yaml with the following content:

caution

Please make sure that trustDomain in the template matches the trust domain you specified when you installed SPIRL on Kubernetes.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  profile: default
  meshConfig:
    trustDomain: example.org
  values:
    global:
    # This is used to customize the sidecar template
    sidecarInjectorWebhook:
      templates:
        spirl: |
          spec:
            containers:
            - name: istio-proxy
              volumeMounts:
              - name: workload-socket
                mountPath: /run/secrets/workload-spiffe-uds
                readOnly: true
            volumes:
              - name: workload-socket
                csi:
                  driver: "csi.spiffe.io"
                  readOnly: true
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
        label:
          istio: ingressgateway
          spiffe.io/spire-managed-identity: "true"
        k8s:
          overlays:
            - apiVersion: apps/v1
              kind: Deployment
              name: istio-ingressgateway
              patches:
                - path: spec.template.spec.volumes.[name:workload-socket]
                  value:
                    name: workload-socket
                    csi:
                      driver: "csi.spiffe.io"
                      readOnly: true
                - path: spec.template.spec.containers.[name:istio-proxy].volumeMounts.[name:workload-socket]
                  value:
                    name: workload-socket
                    mountPath: "/run/secrets/workload-spiffe-uds"
                    readOnly: true
                - path: spec.template.spec.initContainers
                  value:
                    - name: wait-for-spire-socket
                      image: busybox:1.28
                      volumeMounts:
                        - name: workload-socket
                          mountPath: /run/secrets/workload-spiffe-uds
                          readOnly: true
                      env:
                        - name: CHECK_FILE
                          value: /run/secrets/workload-spiffe-uds/socket
                      command:
                        - sh
                        - "-c"
                        - |-
                          echo "$(date -Iseconds)" Waiting for: ${CHECK_FILE}
                          while [[ ! -e ${CHECK_FILE} ]] ; do
                            echo "$(date -Iseconds)" File does not exist: ${CHECK_FILE}
                            sleep 15
                          done
                          ls -l ${CHECK_FILE}

This template will do all the necessary configuration to make Istio work with SPIRL SDS API.

Install Istio

Install Istio as usual:

istioctl install -f istio-spirl.yaml

Verify Istio Installation

Make sure that your deployment or namespace has Istio injection enabled (i.e. has the istio-injection: enabled label). This is to tell Istio to inject the Istio sidecar into your Pods.

Here is an example how to enable Istio injection for a namespace:

apiVersion: v1
kind: Namespace
metadata:
  name: bookinfo
  labels:
    istio-injection: enabled

However, Istio will inject the sidecar using default template in this case. To use the SPIRL template you need to add the inject.istio.io/templates: "sidecar,spirl" annotation to your Pod template:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: reviews-v3
  namespace: bookinfo
  labels:
    app: reviews
    version: v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: reviews
      version: v3
  template:
    metadata:
      labels:
        app: reviews
        version: v3
        k8s.spirl.com/spiffe-csi: enabled
      annotations:
        inject.istio.io/templates: "sidecar,spirl"

After you restart your Pods you should see Istio Sidecar injected into your Pods:

kubectl get pods -n bookinfo
NAME                             READY   STATUS    RESTARTS   AGE
details-v1-6b7b4f9b7c-4q9q2      2/2     Running   0          2m

That means that Istio is injecting an Envoy sidecar into your Pods. View the Istio logs to make sure that Istio is using SPIRL SDS API:

kubectl -n bookinfo logs details-v1-74f4cbc748-7vjfm --container istio-proxy |grep SDS
2023-08-18T00:23:14.858580Z info Workload SDS socket found. Istio SDS Server won't be started

If you don't see the line Workload SDS socket found. Istio SDS Server won't be started it means something is not working properly. Please check Istio full logs and SPIRL Agent logs for errors.