Service Mesh Certificate Injection PoC
======================================

Date: 2025-11-20
Cluster: https://api.hub.euw.container.mom:6443

Summary
-------
Successfully implemented a Proof of Concept for injecting certificates from a trustee secret into an OpenShift Service Mesh (Istio) sidecar.

Components Deployed
-------------------
1. Istio Control Plane (v1.27-latest) in istio-system namespace
2. Istio CNI in istio-cni namespace
3. Test application in cert-injection-poc namespace

Certificate Setup
-----------------
- Generated self-signed certificate with OpenSSL
- Certificate Subject: CN=trustee-service, O=trustee-org
- Validity: Nov 20 2025 - Nov 20 2026
- Secret name: trustee-cert (in cert-injection-poc namespace)
- Contains: tls.crt and tls.key files

Configuration Method
--------------------
Used Istio annotations on the pod template to mount the secret as a volume in the sidecar:

    sidecar.istio.io/userVolume: '[{"name":"trustee-cert","secret":{"secretName":"trustee-cert"}}]'
    sidecar.istio.io/userVolumeMount: '[{"name":"trustee-cert","mountPath":"/etc/trustee-certs","readOnly":true}]'

Verification Results
--------------------
Certificate successfully mounted in both containers:
1. istio-proxy sidecar:
   Location: /etc/trustee-certs/
   Files: tls.crt, tls.key
2. App container:
   Location: /etc/app-certs/
   Files: tls.crt, tls.key

Files Created
-------------
- istio-control-plane.yaml - Istio control plane configuration
- istio-cni.yaml - Istio CNI configuration
- test-app-deployment.yaml - Test application with sidecar injection

Verification Commands
---------------------
<pod-name> is the test application pod as listed by "oc get pods -n cert-injection-poc".

    # Check certificate in sidecar
    oc exec -n cert-injection-poc <pod-name> -c istio-proxy -- ls -la /etc/trustee-certs/

    # View certificate details
    oc exec -n cert-injection-poc <pod-name> -c istio-proxy -- openssl x509 -in /etc/trustee-certs/tls.crt -noout -text

    # Check pod status
    oc get pods -n cert-injection-poc

    # Verify sidecar injection (istio-proxy must appear alongside the app container)
    oc get pod -n cert-injection-poc <pod-name> -o jsonpath='{.spec.containers[*].name}'

Key Learnings
-------------
1. Service Mesh v3 uses the Sail operator and Istio directly (not SMCP/SMMR)
2. Istio CNI must be deployed for proper network configuration
3. Use sidecar.istio.io annotations to mount volumes in the sidecar
4. OpenShift requires non-root compatible images (used ubi9/httpd-24)
5. Enable sidecar injection with the namespace label istio-injection=enabled

Next Steps
----------
- Test certificate rotation
- Configure Envoy to use the injected certificate for mTLS
- Integrate with actual trustee service
- Set up monitoring and observability
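As an added example (not part of these PoC notes), a POSIX shell check that validates a mounted tls.crt/tls.key pair the way the verification commands above inspect it by hand, and flags the expiry window that the certificate-rotation next step will have to handle. It assumes only that openssl is on PATH; the function names, the 30-day rotation margin and the sample certificate it generates are constructed here to mirror the PoC's subject.

```shell
#!/bin/sh
# Added example, not from the PoC notes. Validates the certificate material
# the sidecar sees under its mount path before it is wired into Envoy.
# Assumes only that openssl is on PATH and that the directory holds the
# tls.crt / tls.key layout described in the notes.

# check_cert_pair DIR [EXPECTED_CN] -> 0 when DIR/tls.crt and DIR/tls.key are usable:
#   both files readable, the key really belongs to the cert, the cert is not
#   expired or within 30 days of expiry (assumed rotation margin), and the
#   subject carries the expected CN.
check_cert_pair() {
    dir=$1
    expected_cn=${2:-trustee-service}
    crt="$dir/tls.crt"
    key="$dir/tls.key"
    [ -r "$crt" ] && [ -r "$key" ] || { echo "missing tls.crt or tls.key in $dir"; return 1; }
    # The public key derived from tls.key must equal the one embedded in tls.crt.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || { echo "tls.key does not match tls.crt"; return 1; }
    # -checkend N fails when the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
        || { echo "certificate expired or expiring within 30 days"; return 1; }
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$expected_cn"*) ;;
        *) echo "unexpected subject: $subj"; return 1 ;;
    esac
    echo "ok: $subj"
}

# Constructed sample mirroring the PoC certificate: self-signed,
# CN=trustee-service, O=trustee-org, valid for 365 days.
make_sample_cert() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/tls.key" -out "$1/tls.crt" \
        -subj "/CN=trustee-service/O=trustee-org" -days 365 >/dev/null 2>&1
}

# Constructed failure case: overwrite tls.key with a key from a different pair,
# the kind of mistake a rotation that updates only one half of the secret makes.
make_mismatched_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/tls.key" >/dev/null 2>&1
}

SAMPLE_DIR=${TMPDIR:-/tmp}/trustee-cert-sample
make_sample_cert "$SAMPLE_DIR"
check_cert_pair "$SAMPLE_DIR"
```

Pointed at a local copy of the sidecar's /etc/trustee-certs directory, check_cert_pair runs the same checks against the real mount.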