Skip to main content
logoTetrate Istio SubscriptionVersion: Next

Enable Workload Onboarding

In order to enable Workload Onboarding you need the following pieces of information:

  • The DNS name to assign the Workload Onboarding Endpoint
  • TLS certificate for that DNS name

For this example you will be using the DNS name onboarding-endpoint.example, as we do not expect you to use a routable DNS name.

Prepare the Certificates

For production purposes you will need to use a TLS certificate signed by a trust Certificate Authority (CA), such as Let's Encrypt or an internal CA such as Vault.

In this example you will setup an example CA which will be used throughout the rest of this guide.

Create a self-signed certificate (example-ca.crt.pem) and and CA private key (example-ca.key.pem) by issuing the following command:

openssl req \
  -x509 \
  -subj '/CN=Example CA' \
  -days 3650 \
  -sha256 \
  -newkey rsa:2048 \
  -nodes \
  -keyout example-ca.key.pem \
  -out example-ca.crt.pem \
  -config <(cat <<EOF
# section with configuration for "openssl req" command
[ req ]
distinguished_name     = req                 # name of a section containing the distinguished name fields to prompt for
x509_extensions        = v3_ca               # name of a section containing a list extentions to add to the self signed certificate

# section with a list of extentions to add to the self signed certificate
[ v3_ca ]
basicConstraints       = CA:TRUE             # not marked as critical for compatibility with broken software
subjectKeyIdentifier   = hash                # PKIX recommendation
authorityKeyIdentifier = keyid:always,issuer # PKIX recommendation
EOF
)

Then, create the certificate signing request (onboarding-endpoint.example.csr.pem) and the private key for the Workload Onboarding Endpoint (onboarding-endpoint.example.key.pem):

openssl req \
  -subj '/CN=onboarding-endpoint.example' \
  -sha256 \
  -newkey rsa:2048 \
  -nodes \
  -keyout onboarding-endpoint.example.key.pem \
  -out onboarding-endpoint.example.csr.pem

Finally create the certificate for the DNS name onboarding-endpoint.example (onboarding-endpoint.example.crt.pem) signed by the CA you created in previous steps:

openssl x509 \
  -req \
  -days 3650 \
  -sha256 \
  -in onboarding-endpoint.example.csr.pem \
  -out onboarding-endpoint.example.crt.pem \
  -CA example-ca.crt.pem \
  -CAkey example-ca.key.pem \
  -CAcreateserial \
  -extfile <(cat <<EOF
# name of a section containing a list of extensions to add to the certificate
extensions = usr_cert

# section with a list of extensions to add to the certificate
[ usr_cert ]
basicConstraints       = CA:FALSE            # not marked as critical for compatibility with broken software
subjectKeyIdentifier   = hash                # PKIX recommendation
authorityKeyIdentifier = keyid:always,issuer # PKIX recommendation

keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:onboarding-endpoint.example
EOF
)

Then deploy the certificate into the Kubernetes cluster by issuing the following command:

kubectl create secret tls onboarding-endpoint-tls-cert \
  -n istio-system \
  --cert=onboarding-endpoint.example.crt.pem \
  --key=onboarding-endpoint.example.key.pem

Install Workload Onboarding Operator

Follow the instructions in the Install Workload Onboarding Operator guide to install the Workload Onboarding Operator.

Enable Workload Onboarding

To enable Workload Onboarding in a given Kubernetes Cluster, you need to create an OnboardingPlane resource in the istio-system namespace. The Onboarding Operator will watch for this resource and start the Workload Onboarding Plane workload accordingly.

cat <<EOF | kubectl apply -f -
apiVersion: install.onboarding.tetrate.io/v1alpha1
kind: OnboardingPlane
metadata:
  name: onboarding-plane
  namespace: istio-system
spec:
  hub: addon-containers.istio.tetratelabs.com
  imagePullSecrets:
  - name: tetrate-addons-creds
  tokenIssuer:
    jwt:
      expiration: 3600s
EOF

Once you execute the above command, wait until the Workload Onboarding Plane is available.

kubectl wait --for=condition=Available -n istio-system \
  deployment/onboarding-plane

Verify the Workload Onboarding Endpoint

Since you are not using a routable DNS name, you will need to find out address of the Workload Onboarding Endpoint that has been exposed.

Execute the following to obtain the address (DNS name or IP address):

ONBOARDING_ENDPOINT_ADDRESS=$(kubectl get svc vmgateway \
  -n istio-system \
  -ojsonpath="{.status.loadBalancer.ingress[0]['hostname', 'ip']}")

You will be using the address stored in the ONBOARDING_ENDPOINT_ADDRESS environment variable throughout the rest of this guide.

Finally, execute the following command to verify that the endpoint is available for external traffic.

curl -f -i \
  --cacert example-ca.crt.pem \
  --connect-to "onboarding-endpoint.example:443:${ONBOARDING_ENDPOINT_ADDRESS}:443" \
  "https://onboarding-endpoint.example/install/"

You should see an output similar to the following:

HTTP/2 200
content-type: text/html; charset=utf-8
server: istio-envoy

<pre>
<a href="deb/">deb/</a>
<a href="rpm/">rpm/</a>
</pre>