Envoy SDS API integration

Envoy SDS API integration refers to the mechanism by which external certificate authorities (CAs) and secret management systems provide cryptographic material dynamically to Envoy proxies. This allows workloads to obtain identities, such as mTLS certificates, directly from a provider like [[spire|SPIRE]] via the Secret Discovery Service (SDS) without requiring file system volume mounts or restarts^[README.md].
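The exchange behind that sentence, as an added example (it is not code from the page, from Envoy or from SPIRE): Envoy sends a DiscoveryRequest naming the secrets it wants (with SPIRE these are SPIFFE IDs for the SVID and the trust domain for the bundle), the SDS server answers with a versioned DiscoveryResponse, Envoy validates the material, keeps it in memory and ACKs with the version and nonce, and a rotation simply becomes a newer version on the same stream. The `entitled` dictionary stands in for the workload attestation a real SPIRE agent performs on the UNIX-socket peer; the certificate and key strings are constructed placeholders.

```python
"""Model of the Envoy <-> SDS server request/response cycle (added example)."""
from dataclasses import dataclass, field
import itertools

# Resource type that SDS serves; the request names are SPIFFE IDs here.
SECRET_TYPE = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"


@dataclass
class DiscoveryRequest:
    type_url: str
    resource_names: list
    version_info: str = ""   # last version the client accepted ("" on first contact)
    response_nonce: str = "" # nonce of the response being ACKed/NACKed
    error_detail: str = ""   # non-empty turns the request into a NACK


@dataclass
class DiscoveryResponse:
    version_info: str
    nonce: str
    resources: dict = field(default_factory=dict)  # name -> secret payload


class SdsServer:
    """Stands in for the SPIRE agent's SDS endpoint for ONE attested workload."""

    def __init__(self, entitled):
        self._secrets = dict(entitled)   # what attestation says this peer may receive
        self._version = 1
        self._nonces = itertools.count(1)
        self._last_nonce = ""
        self.nacks = []                  # (client version, error) pairs, for the log

    def handle(self, req):
        if req.type_url != SECRET_TYPE:
            raise ValueError(f"unsupported type_url {req.type_url}")
        if req.error_detail:             # NACK: keep serving, but record it
            self.nacks.append((req.version_info, req.error_detail))
            return None
        if req.response_nonce == self._last_nonce and req.version_info == str(self._version):
            return None                  # ACK of the current version: nothing to send
        # Only names the peer asked for AND is entitled to are returned; another
        # workload's SPIFFE ID silently yields nothing for that name.
        served = {n: self._secrets[n] for n in req.resource_names if n in self._secrets}
        self._last_nonce = str(next(self._nonces))
        return DiscoveryResponse(str(self._version), self._last_nonce, served)

    def rotate(self, name, payload):
        """Rotation is just a new version; no file write, no proxy restart."""
        self._secrets[name] = payload
        self._version += 1


def _valid(payload):
    return ("cert_chain" in payload and "private_key" in payload) or "trust_bundle" in payload


class EnvoyClient:
    """The proxy side: holds secrets in memory and drives the ACK/NACK protocol."""

    def __init__(self, server, wanted):
        self.server, self.wanted = server, wanted
        self.installed = {}
        self.version, self.nonce = "", ""

    def sync(self):
        """One round trip. Returns the names installed this round ([] on ACK or NACK)."""
        resp = self.server.handle(DiscoveryRequest(SECRET_TYPE, self.wanted, self.version, self.nonce))
        if resp is None:
            return []
        bad = [n for n, p in resp.resources.items() if not _valid(p)]
        if bad:   # reject before use; the previously accepted version stays active
            self.server.handle(DiscoveryRequest(SECRET_TYPE, self.wanted, self.version,
                                                resp.nonce, f"invalid secret(s): {bad}"))
            return []
        self.installed.update(resp.resources)
        self.version, self.nonce = resp.version_info, resp.nonce
        return sorted(resp.resources)


if __name__ == "__main__":
    wl, td = "spiffe://example.org/ns/default/sa/sleep", "spiffe://example.org"
    server = SdsServer({wl: {"cert_chain": "CERT-v1", "private_key": "KEY-v1"},
                        td: {"trust_bundle": "ROOT-v1"}})
    envoy = EnvoyClient(server, [wl, td])
    print(envoy.sync())                      # initial fetch of both resources
    print(envoy.sync())                      # plain ACK, nothing new
    server.rotate(wl, {"cert_chain": "CERT-v2", "private_key": "KEY-v2"})
    print(envoy.sync(), envoy.version)       # rotated SVID picked up as version 2
```

The two points worth keeping in mind from the model: the server decides what a peer may receive from attestation, not from what the peer asks for, and the client must validate a response before ACKing it, since a NACKed version leaves the last good certificate in place.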

Integration with SPIRE

In an Istio service mesh, this integration enables SPIRE to act as the CA instead of the default Istio Citadel^[README.md]. The workflow involves deploying SPIRE before Istio to facilitate proper socket injection and then configuring Istio to use SPIRE for workload identity^[README.md].

The integration relies on the automatic handling of workload registration, managed by the k8s-workload-registrar^[README.md]. A custom istio-agent configuration is typically required to bridge the Envoy proxy with the SPIRE agent socket^[README.md].

Deployment Steps

To deploy this integration, the general sequence involves:

  1. Deploying SPIRE: This step is critical and must be performed prior to installing Istio to ensure proper socket injection^[README.md].
  2. Installing Istio: Using a specific configuration profile (e.g., istio-spire-config.yaml) that enables the integration^[README.md].
  3. Deploying Workloads: Applying workloads (like the sleep service) that inject the custom agent template^[README.md].
  4. Validation: Retrieving the workload certificate via istioctl proxy-config secret and verifying the issuer (e.g., checking for "O = SPIRE") using openssl^[README.md].
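Step 4 carried out in code, as an added example that is not part of the page, Istio or SPIRE: the function takes the JSON that istioctl proxy-config secret prints for a pod, decodes the inline PEM chain of the TLS secret and reads the organization (O=) from the leaf certificate's issuer and subject names with a small DER walker, so the check runs where openssl is not installed. With SPIRE's defaults the organization appears on the CA subject and on the SVID subject, which is why both names are reported and the pass condition mirrors a grep over the whole certificate text. The dump shape (dynamicActiveSecrets[].secret.tlsCertificate.certificateChain.inlineBytes holding base64-encoded PEM) is assumed from Envoy's config dump, and the certificate bytes are constructed, not captured from a cluster.

```python
import base64
import json

OID_ORGANIZATION = b"\x55\x04\x0a"  # 2.5.4.10 organizationName

# --- minimal DER encode/decode, enough for X.501 Name and the TBSCertificate shell ---
def tlv(tag, body):
    n = len(body)
    if n < 128: length = bytes([n])
    elif n < 256: length = b"\x81" + bytes([n])
    else: length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def org_of(name_body):
    """O= from a Name body (SEQUENCE OF SET OF AttributeTypeAndValue), or None."""
    for _, rdn in children(name_body):
        for _, attr in children(rdn):
            (_, oid), (_, val) = children(attr)
            if oid == OID_ORGANIZATION:
                return val.decode()
    return None

def cert_orgs(der):
    """(issuer_org, subject_org) of one DER-encoded certificate."""
    _, cert, _ = parse_tlv(der)
    fields = children(children(cert)[0][1])      # TBSCertificate fields
    if fields[0][0] == 0xA0:                     # explicit [0] version, if present
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return org_of(fields[2][1]), org_of(fields[4][1])

def pem_to_ders(text):
    ders, cur, inside = [], [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"): inside, cur = True, []
        elif line.startswith("-----END CERTIFICATE-----"):
            inside = False
            ders.append(base64.b64decode("".join(cur)))
        elif inside: cur.append(line.strip())
    return ders

def check_secret_dump(dump_json, expected_org="SPIRE"):
    """One (name, issuer_org, subject_org, ok) per TLS secret; bundles are skipped."""
    results = []
    for entry in json.loads(dump_json).get("dynamicActiveSecrets", []):
        tls = entry.get("secret", {}).get("tlsCertificate")
        if not tls:   # validationContext entries carry the trust bundle, not a leaf
            continue
        chain = base64.b64decode(tls["certificateChain"]["inlineBytes"]).decode()
        issuer, subject = cert_orgs(pem_to_ders(chain)[0])   # leaf is first in the chain
        results.append((entry["name"], issuer, subject, expected_org in (issuer, subject)))
    return results

# --- constructed sample input (structurally valid cert with empty SPKI/signature) ---
def _name(org):
    if org is None: return tlv(0x30, b"")
    attr = tlv(0x30, tlv(0x06, OID_ORGANIZATION) + tlv(0x13, org.encode()))
    return tlv(0x30, tlv(0x31, attr))

def fake_cert_der(issuer_org, subject_org):
    ecdsa_sha256 = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ecdsa_sha256
           + _name(issuer_org)
           + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
           + _name(subject_org) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + ecdsa_sha256 + tlv(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def make_dump(issuer_org, subject_org):
    """Dump in the assumed istioctl shape; the private key is redacted as Envoy does."""
    chain = to_pem(fake_cert_der(issuer_org, subject_org))
    return json.dumps({
        "@type": "type.googleapis.com/envoy.admin.v3.SecretsConfigDump",
        "dynamicActiveSecrets": [
            {"name": "default", "versionInfo": "1", "secret": {"name": "default",
             "tlsCertificate": {
                 "certificateChain": {"inlineBytes": base64.b64encode(chain.encode()).decode()},
                 "privateKey": {"inlineBytes": "[redacted]"}}}},
            {"name": "ROOTCA", "secret": {"validationContext": {"trustedCa": {"inlineBytes": ""}}}},
        ]})

if __name__ == "__main__":
    print(check_secret_dump(make_dump("SPIFFE", "SPIRE")))         # passes
    print(check_secret_dump(make_dump("cluster.local", None)))     # mesh-CA issued: fails
```

On a real cluster the input is the output of istioctl proxy-config secret with -o json for the workload pod; a False in the last column means the proxy is still carrying a certificate from the mesh CA, which is the typical symptom of Istio having been installed before the SPIRE socket was available.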

Related

  • SPIRE
  • Istio
  • [[Zero Trust Networking]]
  • [[Mutual TLS]]

Sources

^[README.md]