Update Cilium to work with Istio and create a self-signed certificate for Istio

Title: Update Cilium to work with Istio and create a self-signed certificate for Istio
Author: Mitch Murphy
Date: 2024-03-16

Introduction

In this post we are going to update Cilium to work with Istio and create self-signed certificates for Istio.

As discussed in my previous post, Cilium, when replacing kube-proxy, provides very powerful features which can increase performance for large Kubernetes clusters. While Cilium does offer a service mesh (with mTLS), it is still in beta, and other solutions such as Istio are quite mature and offer a lot of capabilities.

When other networking infrastructure is layered on top of it, the eBPF datapath Cilium uses to replace kube-proxy can surface in unexpected ways and cause behaviour you did not plan for. This becomes evident when integrating the Istio service mesh with Cilium’s kube-proxy replacement: with its default settings, the replacement disrupts Istio’s functionality.

Pre-requisites

This blog post had a profound impact on the creation of the one you’re reading now.

Update Cilium chart

# cilium/cilium assumes the Cilium chart repository was added under the name "cilium";
# --reuse-values keeps the values already set on the release instead of resetting them
helm upgrade cilium cilium/cilium \
    --namespace kube-system \
    --reuse-values \
    --set ipam.mode=kubernetes \
    --set socketLB.hostNamespaceOnly=true

Create Istio Namespace

kubectl create namespace istio-system

Note that you can also have the script below create the namespace for you.

Create self-signed certificate

For this step we are going to use a few scripts from the Istio repository. These tools can be found here. The first step is to create the namespace and then generate the self-signed certificates that Istio will be using (here we are assuming 3 clusters). The following script creates the certificates and then creates the secrets in each cluster (you must have the kubeconfig for each cluster in order to run the script).

You can find the scripts at the following location: istio-tools, the specific script is make-certs.sh.
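As an added example (this is not the post's script and not code from the Istio repository), the following POSIX shell script shows what such a certificate script does: it builds a self-signed root CA, signs one intermediate CA per cluster, assembles the cert-chain.pem Istio expects, and renders a cacerts Secret manifest for the istio-system namespace in each cluster. The cluster names, subjects, lifetimes and the OUT_DIR location are assumptions; the four data keys (ca-cert.pem, ca-key.pem, root-cert.pem, cert-chain.pem) are the file names Istio reads from the cacerts secret. It uses only openssl, so it runs offline; the kubectl commands that would push each manifest into its cluster are left as comments.

```shell
#!/bin/sh
# Added example, not code from the post or from the Istio repository.
# Root CA -> one intermediate CA per cluster -> "cacerts" Secret manifest per cluster.
# Cluster names, subjects, lifetimes and OUT_DIR are assumptions.
set -eu

OUT_DIR="${OUT_DIR:-./istio-certs}"                 # assumed output directory
CLUSTERS="${CLUSTERS:-cluster1 cluster2 cluster3}"  # assumed cluster names

# Self-signed root CA. root-key.pem never leaves this machine; only
# root-cert.pem is distributed to the clusters.
make_root_ca() {
  dir="$1"
  mkdir -p "$dir"
  printf '%s\n' 'basicConstraints=critical,CA:true' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$dir/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Istio/CN=Root CA" \
    -keyout "$dir/root-key.pem" -out "$dir/root.csr"
  openssl x509 -req -days 3650 -sha256 -in "$dir/root.csr" -signkey "$dir/root-key.pem" \
    -extfile "$dir/root.ext" -out "$dir/root-cert.pem"
  rm -f "$dir/root.csr" "$dir/root.ext"
}

# Per-cluster intermediate CA signed by the root, plus the chain file
# (intermediate followed by root) that istiod hands to workloads.
make_cluster_ca() {
  root="$1"; cluster="$2"; dir="$root/$cluster"
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Istio/CN=Intermediate CA/L=$cluster" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.csr"
  # pathlen:0 stops a stolen intermediate from minting further CA certificates.
  printf '%s\n' 'basicConstraints=critical,CA:true,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$dir/ca.ext"
  openssl x509 -req -days 730 -sha256 -in "$dir/ca.csr" \
    -CA "$root/root-cert.pem" -CAkey "$root/root-key.pem" -CAcreateserial \
    -extfile "$dir/ca.ext" -out "$dir/ca-cert.pem"
  cat "$dir/ca-cert.pem" "$root/root-cert.pem" > "$dir/cert-chain.pem"
  cp "$root/root-cert.pem" "$dir/root-cert.pem"
  rm -f "$dir/ca.csr" "$dir/ca.ext"
}

# Confirm the intermediate really chains to the root before anything is
# pushed into a cluster.
verify_cluster() {
  openssl verify -CAfile "$1/root-cert.pem" "$1/ca-cert.pem" >/dev/null
}

# Render the Secret istiod reads at startup. The four data keys are the
# file names Istio expects inside the "cacerts" secret.
make_secret_manifest() {
  dir="$1"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: cacerts\n  namespace: istio-system\ntype: Opaque\ndata:\n'
  for f in ca-cert.pem ca-key.pem root-cert.pem cert-chain.pem; do
    printf '  %s: %s\n' "$f" "$(base64 < "$dir/$f" | tr -d '\n')"
  done
}

main() {
  make_root_ca "$OUT_DIR"
  for c in $CLUSTERS; do
    make_cluster_ca "$OUT_DIR" "$c"
    verify_cluster "$OUT_DIR/$c"
    make_secret_manifest "$OUT_DIR/$c" > "$OUT_DIR/$c/cacerts-secret.yaml"
    echo "$c: wrote $OUT_DIR/$c/cacerts-secret.yaml"
    # Then, with the kubeconfig of that cluster (assumed path):
    #   kubectl --kubeconfig "$HOME/.kube/$c" create namespace istio-system
    #   kubectl --kubeconfig "$HOME/.kube/$c" apply -f "$OUT_DIR/$c/cacerts-secret.yaml"
  done
}

main "$@"
```

Run it as `OUT_DIR=./istio-certs CLUSTERS="east west" sh make-cacerts.sh` to override the assumed names. Keeping one root with a per-cluster intermediate is what lets workloads in the three clusters trust each other's certificates while each cluster's istiod only ever holds its own intermediate key; the root key should be stored offline once the intermediates are issued.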

TODO: real world example(s)