From 33da95700b2a8fff8b67423bc3f5a4ae326a2827 Mon Sep 17 00:00:00 2001 From: jaellio Date: Fri, 17 Mar 2023 12:14:37 -0700 Subject: [PATCH] Add feature page for custom ca integration using k8s CSR Signed-off-by: jaellio --- features.yaml | 10 +- features/custom_ca_k8s_csr.md | 230 ++++++++++++++++++++++++++++++++++ 2 files changed, 239 insertions(+), 1 deletion(-) create mode 100644 features/custom_ca_k8s_csr.md diff --git a/features.yaml b/features.yaml index d716e22..26c1bee 100644 --- a/features.yaml +++ b/features.yaml @@ -276,6 +276,14 @@ features: maturity: Experimental nextExpectedPromotion: "" area: Security and policy enforcement + - name: "Custom CA Integration using Kubernetes CSR" + id: "security.custom_ca_integration" + link: "/docs/tasks/security/cert-management/custom-ca-k8s" + level: + checklist: features/custom_ca_k8s_csr.md + maturity: Experimental + nextExpectedPromotion: "" + area: Security and policy enforcement - name: "In-Cluster Operator" id: "core.in_cluster_operator" link: "/docs/setup/install/operator/" @@ -399,7 +407,7 @@ features: id: "core.dual_stack" level: checklist: features/dual-stack-support.md - maturity: Experimental + maturity: Experimental maturityNotes: Dual Stack IPv4 and IPv6 is supported. nextExpectedPromotion: "" area: Core diff --git a/features/custom_ca_k8s_csr.md b/features/custom_ca_k8s_csr.md new file mode 100644 index 0000000..b3eb9f1 --- /dev/null +++ b/features/custom_ca_k8s_csr.md @@ -0,0 +1,230 @@ +[//]: # (The syntax preceeding this line is a comment marker used to help guide the author in populating this document) +[//]: # (to github. Unlike HTML comments commonly used throughout istio.io documentation, this comment will not be rendered) +[//]: # (by github. Comments must be separated by carriage return preceding and concluding the text and be a single line.) + +[//]: # (This is a living document representing the maturity of a feature. Completion of this template enables Istio work groups) +[//]: # (to collect information on potential new functionality. This template should be completed before users are exposed to) +[//]: # (any new experimental feature. Please complete this template during development.) + +[//]: # (The feature implementation section must be completed before submission of the document.) + +# Feature: + +[//]: # (All information in this section is mandatory.) + +**Feature name:** + +Custom CA Integration using Kubernetes CSR +[//]: # (The name of the feature, e.g. Multiple control planes) + +**Primary lead(s):** + + +[//]: # (The primary lead or leads responsible for the feature. These individuals serve as a point of contact for the feature.) + +**Short description:** + +Provision Workload Certificates using a custom certificate authority that integrates with the Kubernetes CSR API. +[//]: # (A short description of the feature. One or two sentences maximum.) + + +**Design Docs:** + +* [Istio Integrating with custom CAs](https://docs.google.com/document/d/1KAw8-0FivdYQAcWMVTMl-JYvVCn2fpNTbu6Ya3y9d1E/) +* [Istio - Custom CA Integration with Istiod as RA](https://docs.google.com/document/d/1AvhgOU4vlmSOtIUsOZYa5R4Dz8NHzuaCi_Y0FrSAceM/) +* [Istio custom CA Integration: Implementation Spec](https://docs.google.com/document/d/1X_BSNv7EztNAvND1JJs9YKFzWzn65cYXMeTkPh9ncr4/) + +[//]: # (Design docs for feature) + + +**Relevant Documentation:** + +* https://istio.io/latest/docs/tasks/security/cert-management/custom-ca-k8s/ +* https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/ + +[//]: # (Links to relevant documentation for feature) + +**RFC:** + +[//]: # (Link to RFC for feature) +N/A. Design doc presented instead. + + +--- + +## Experimental + +### Requirements: + +[//]: # (All information in this section is mandatory for promotion. Please modify the links in this) +[//]: # (section.) + +- [ ] [User stories](insert_your_link_here) reviewed in a work group meeting. + +[//]: # (User stories are a way to communicate user value. User stories follow the style) +[//]: # (as a [type of user], I want [an action] so that [a benefit/a value]. Istio currently has no user) +[//]: # (story template. Maybe you can make one?) + +[//]: # (User stories must be presented in a work group meeting. They need no approval and are later integrated) +[//]: # (into the RFCs, which do need approval for alpha. You may find value to negotiate within the work group where the) +[//]: # (user stories are presented to help clarify the user stories.) + +- [ ] [RFC Authored] - [create an RFC using template](https://docs.google.com/document/d/1ewJoCcw5-04crH-M0xw4zFxz1cfwVCPnNyW4K3m4Yyc/template/preview). + +> Design Doc : + +[//]: # (An RFC is mandatory to graduate to experimental. The RFC does not have to be reviewed in a work group) +[//]: # (meeting to graduate to experimental.) + +- [X] [Documentation](insert_your_link_here) for enabling and using the feature. + +> A task is created for the feature : https://istio.io/latest/docs/tasks/security/cert-management/custom-ca-k8s/ + +[//]: # (The documentation instructions may exist on the developer wiki or the team drive. They may include instructions) +[//]: # (for building running a `istioctl experimental command`, or using the preview profile,) +[//]: # (or any other relevant information.) + +- [ ] [Feedback plan](insert_your_link_here). + +[//]: # (This may include user feedback meetings, discuss.istio.io conversations, GitHub issues, or mailing lists.) + +- [X] Disabled by default. + +- [X] No impact on performance when the feature is disabled. + + +[//]: # (Once all other items are completed, features.yaml should be updated to promote the feature) + +- [X] [features.yaml](https://github.com/istio/enhancements/blob/master/features.yaml) updated for this feature +--- + +## Alpha + +### Requirements: + +**Design** + +- [] RFC has been approved describing the intention of the feature as well as the user stories behind the feature. + +**Config** + +- [] Explicit user action is required to enable this feature (e.g. a config field, config resource, or installation action). + +**Docs** + +- [] Reference docs are published to preliminary.istio.io or the Istio wiki. + +- [] Basic feature docs are published on preliminary.istio.io describing what the feature does, how to use it, and any caveats. + +- [] Release notes entries added as appropriate + +- [] Upgrade notes entries added as appropriate + +**Tests** + +- [] Automated integration tests cover core use cases with the feature enabled. +- [] When disabled, the feature does not affect system stability or performance. + +**API** + +- [ ] Initial API review. + +**Approvals** + +- [] The appropriate work group(s) have reviewed and approved promotion of the feature. +- [] The TOC has reviewed and approved promotion of the feature as part of the + roadmap for a release. + +**Promotion** + +[//]: # (Once all other items are completed, features.yaml should be updated to promote the feature) + +- [] [features.yaml](https://github.com/istio/enhancements/blob/master/features.yaml) updated for this feature + +--- + +## Beta + +### Requirements: + +**Design** + +- [] Design doc describing the intention of the feature, how it will be + implemented, and any thoughts on how to test the feature has been approved by + relevant work group leads +- [] Feature coverage and test plans written and approved. + +**Docs** + +- [ ] Documentation on istio.io includes performance expectations; may have caveats. +- [] Documentation on istio.io includes samples/tutorials. +- [] Documentation on istio.io includes appropriate glossary entries. +- [] All new documentation containing user actions includes istio.io tests. +- [] Release notes have been added. +- [] Upgrade notes have been added. + +**Tests** + +- [] Integration tests cover feature edge cases +- [] End-to-end tests cover samples/tutorials +- [] Fixed issues have tests to prevent regressions +- [ ] Stability/stress test suite includes coverage for the feature. + +**Performance** + +- [ ] Feature coverage and test plans written and approved +- [ ] Tests exist with the feature enabled that can be integrated with our automated performance testing. + +**API** + +- [ ] TOC has reviewed the API and determined it to be complete. + +**Tooling** + +- [ ] Any necessary tooling to use/debug the feature has been implemented and is complete. + +**Bugs** + +- [] Feature has no known major issues. + +**Approvals** + +- [] The appropriate work group(s) have reviewed and approved promotion of the feature. +- [ ] The supportability review panel has reviewed promotion of the feature. +- [ ] The TOC has reviewed and approved promotion of the feature as part of the + road map for a release. + + +**Promotion** + +[//]: # (Once all other items are completed, features.yaml should be updated to promote the feature) + +- [] [features.yaml](https://github.com/istio/enhancements/blob/master/features.yaml) updated for this feature +--- + +## Stable + +### Requirements: + +**Performance** + +- [ ] Latency, throughput, and scalability are quantified and documented on + istio.io. + +**Bugs** + +- [ ] Feature has no known major issues. + +**Approvals** + +- [ ] The appropriate work group(s) have reviewed and approved promotion of the feature. +- [ ] The [supportability review panel](https://docs.google.com/document/d/1w0epyFhhDSf_TwFEfa_lrn1v61mXNJKpEp_kUgp4sSc/edit#) has reviewed the feature in order to find any supportability concerns. +- [ ] The TOC has reviewed and approved promotion of the feature as part of the + roadmap for a release. + + +**Promotion** + +[//]: # (Once all other items are completed, features.yaml should be updated to promote the feature) + +- [ ] [features.yaml](https://github.com/istio/enhancements/blob/master/features.yaml) updated for this feature