Running the Bank-Vaults secret webhook alongside Istio

Both the vault-operator and the vault-secrets-webhook can work on Istio-enabled clusters.

We support the following three scenarios:

Prerequisites

  1. Install the Istio operator.

  2. Make sure mTLS is enabled in the Istio mesh through the operator. If it is not set to STRICT, enable it with the following command:

    kubectl patch istio -n istio-system mesh --type=json -p='[{"op": "replace", "path": "/spec/meshPolicy/mtlsMode", "value":"STRICT"}]'
    
  3. Check that the mesh policy has mTLS turned on. This policy applies to all applications in the cluster that run in Istio-enabled namespaces. You can change this if you would like to use another policy.

    kubectl get meshpolicy default -o yaml
    

    Expected output:

    apiVersion: authentication.istio.io/v1alpha1
    kind: MeshPolicy
    metadata:
      name: default
      labels:
        app: security
    spec:
      peers:
      - mtls: {}
    

Now your cluster is properly running on Istio with mTLS enabled globally.

Install the Bank-Vaults components

  1. We recommend creating a separate namespace for Bank-Vaults called vault-system. You can enable Istio sidecar injection here as well, but Kubernetes won’t be able to call back the webhook properly, since mTLS is enabled and Kubernetes is outside of the Istio mesh. To overcome this, apply a PERMISSIVE Istio authentication policy to the vault-secrets-webhook Service itself, so Kubernetes can call it back without Istio mutual TLS authentication. PERMISSIVE mode accepts both plain-text and mutual TLS traffic, and the targets field below limits this exception to the vault-secrets-webhook Service.

    kubectl create namespace vault-system
    kubectl label namespace vault-system name=vault-system istio-injection=enabled
    
    kubectl apply -f - <<EOF
    apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: vault-secrets-webhook
      namespace: vault-system
      labels:
        app: security
    spec:
      targets:
      - name: vault-secrets-webhook
      peers:
      - mtls:
          mode: PERMISSIVE
    EOF
    
  2. Now you can install the operator and the webhook into the prepared namespace:

    helm upgrade --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --namespace vault-system --create-namespace
    helm upgrade --install --wait vault-operator oci://ghcr.io/bank-vaults/helm-charts/vault-operator --namespace vault-system
    

The webhook and the operator will be up and running shortly. Check that the istio-proxy sidecar was injected into all Pods in vault-system.
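One way to run that check and, at the same time, confirm that the vault-secrets-webhook Service is the only mTLS exception in the namespace. This is an added example, not part of Bank-Vaults. It assumes the input is the JSON printed by `kubectl get policies.authentication.istio.io,pods -n vault-system -o json`; the sample listing, Pod names and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape returned by:
#   kubectl get policies.authentication.istio.io,pods -n vault-system -o json
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Policy", "metadata": {"name": "vault-secrets-webhook"},
   "spec": {"targets": [{"name": "vault-secrets-webhook"}],
            "peers": [{"mtls": {"mode": "PERMISSIVE"}}]}},
  {"kind": "Policy", "metadata": {"name": "default"},
   "spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]}},
  {"kind": "Pod", "metadata": {"name": "vault-0"},
   "spec": {"containers": [{"name": "vault"}, {"name": "istio-proxy"}]}},
  {"kind": "Pod", "metadata": {"name": "vault-operator-abc"},
   "spec": {"containers": [{"name": "vault-operator"}]}}
]}
""")

# The only Service this page exempts from strict mTLS.
ALLOWED_NON_STRICT = {"vault-secrets-webhook"}


def requires_mtls(spec):
    """True if a v1alpha1 Policy spec enforces strict mTLS (mtls: {} or mode STRICT)."""
    for peer in spec.get("peers") or []:
        if "mtls" in peer and (peer["mtls"] or {}).get("mode", "STRICT") == "STRICT":
            return True
    return False


def audit(listing, allowed=ALLOWED_NON_STRICT):
    """Return findings for pods without a sidecar and for over-broad mTLS exceptions."""
    findings = []
    for item in listing.get("items", []):
        name, spec = item["metadata"]["name"], item.get("spec", {})
        if item.get("kind") == "Pod":
            if "istio-proxy" not in {c["name"] for c in spec.get("containers", [])}:
                findings.append(f"pod/{name}: no istio-proxy sidecar")
        elif item.get("kind") == "Policy" and not requires_mtls(spec):
            targets = {t.get("name") for t in spec.get("targets") or []}
            if not targets:  # no targets means the policy covers the whole namespace
                findings.append(f"policy/{name}: non-strict mTLS for the whole namespace")
            for extra in sorted(targets - allowed):
                findings.append(f"policy/{name}: non-strict mTLS for service {extra}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

On a cluster, replace `SAMPLE` with `json.load(sys.stdin)` and pipe the kubectl output into the script.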

Proceed to the description of your scenario: