WIP: loading certs with tls.crt improvements #51475
Also includes a more convenient way to deploy ztunnel selectively on nodes based on a 'ztunnel' label - this is very useful for canary and testing. Can be achieved by using 'affinity' - if controversial I'll keep just affinity, if not I'll add the docs for the option (and make a similar change to istio-cni)
The code path for file-based certificate loading can also handle multiple roots and changing the root CA. The process is relatively complex - since rotations are not frequent, restarting istiod can be acceptable. | ||
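Review bot: "restarting istiod can be acceptable" leaves the operational requirement ambiguous; the doc line should state whether istiod watches the file-based roots and picks up a rotation live, or whether an operator must restart istiod after changing the root CA for the new root to be loaded. Suggest rewording to something like "istiod does not reload these files; restart istiod after a root rotation" (or the opposite, if reload is implemented), so users of the file-based path know which step is mandatory.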
The file path - and the casecrets Secret - should be used with the standard K8S and CertManager naming conventions: |
s/casecrets/cacerts
CA has many options, depending on the security requirements and the existing environment of the user. From easiest to most secure: | ||
1. Simplest: use the default istio-ca-secret. Append roots to the root-cert.pem key to support extra roots or for rotations. Doesn't work well with multiple clusters, but best for dev/testing. It is possible to use a tool to patch the root-cert.pem in each cluster with the merged roots - but if you have automation better use (2). |
istio-ca-secret is not maintained by the user; how can we append extra roots for rotations?
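Option (1) above relies on a single root-cert.pem key holding more than one root during a rotation. The following Go program is an added example (not code from this PR or from Istio) showing why that works: it builds two throwaway roots, issues a workload certificate under each, and verifies each leaf against three bundles, the old root alone, the merged bundle that appending the new root produces, and the new root alone. The roots, keys and the SPIFFE ID `spiffe://cluster.local/ns/default/sa/default` are constructed inline for the demonstration and are not Istio CA material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func toPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// makeRoot builds a throwaway self-signed CA; constructed test material, not an Istio CA key.
func makeRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, toPEM(der)
}

// issueLeaf signs a workload certificate under root with a SPIFFE URI SAN, the shape Istio issues.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, spiffeID string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	id, err := url.Parse(spiffeID)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	must(err)
	return toPEM(der)
}

// VerifyAgainstBundle loads every certificate in a root-cert.pem style bundle (one or
// more concatenated PEM roots) and reports whether leafPEM chains to any of them.
func VerifyAgainstBundle(bundle, leafPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return fmt.Errorf("bundle contains no parseable roots")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("leaf is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// RotationScenario models a root rotation: some workloads still hold certs from the old
// root while new ones are issued under the new root. Keys are "<bundle>/<leaf>".
func RotationScenario() map[string]bool {
	oldCA, oldKey, oldPEM := makeRoot("old-root")
	newCA, newKey, newPEM := makeRoot("new-root")
	const id = "spiffe://cluster.local/ns/default/sa/default" // constructed identity
	leaves := map[string][]byte{"old-leaf": issueLeaf(oldCA, oldKey, id), "new-leaf": issueLeaf(newCA, newKey, id)}
	// "merged" is exactly what appending the new root to the existing root-cert.pem key produces.
	merged := append(append([]byte{}, oldPEM...), newPEM...)
	bundles := map[string][]byte{"old-only": oldPEM, "merged": merged, "new-only": newPEM}
	out := map[string]bool{}
	for bn, b := range bundles {
		for ln, l := range leaves {
			out[bn+"/"+ln] = VerifyAgainstBundle(b, l) == nil
		}
	}
	return out
}
```

Only the merged bundle accepts both leaves; a cluster that has been patched to the new root alone rejects every workload still carrying an old-root certificate, which is the failure mode the append step avoids during a rotation. Calling `RotationScenario()` from a `main` and printing the map shows the six results.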
## Istiod with external DNS certs | ||
Default is for Istiod to sign its own certificate, but volume mounts are also possible, using istio-tls and |
What is istio-tls?
@@ -236,6 +236,8 @@ spec: | |||
expirationSeconds: 43200 | |||
path: istio-token | |||
# Optional: user-generated root | |||
# TODO: option to remove this mount - and use Secret directly. |
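Review bot: the added `# TODO: option to remove this mount - and use Secret directly.` line leaves an open design question inside a manifest sample that users will copy. Either document the behaviour as it is today (the `# Optional: user-generated root` mount is present and how to drop it when no user-generated root is used) or track the TODO in an issue and keep the sample limited to supported configuration, so the spec is not shipped with an unresolved note next to the `istio-token` projection.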
+1
@costinm: The following tests failed, say
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2024-06-11. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager.
Please provide a description of this PR:
This is WIP for fixing the tls.crt and adding more info about the chains, to get early feedback and see if I'm misunderstanding something.