About the Aspen Mesh CAs

Introduction

Before working with certificates and the certificate authorities (CAs) in Aspen Mesh, it helps to understand the types of pods the CAs support and the function each CA performs.

Types of supported pods

The Aspen Mesh CAs support (manage workload certificates for) the following types of pods:

Off-mesh, on-cluster non-gateway pod
    A pod that:
    - Is not part of an Istio gateway
    - Has an application container
    - Does not have an Istio proxy (Envoy) container

On-mesh non-gateway pod
    A pod that:
    - Is not part of an Istio gateway
    - Has an application container
    - Has an Istio proxy (Envoy) container that acts as a sidecar

Istio gateway pod
    A pod that:
    - Is part of an Istio gateway
    - Does not have an application container
    - Has an Istio proxy (Envoy) container that does not act as a sidecar
    - Has an on-mesh interface and an off-mesh interface, each of which has its own certificate

Example: Types of supported pods

The following figure shows a Kubernetes cluster with one instance of each type of pod that the Aspen Mesh CAs support:

[Figure: example-types-of-supported-pods.svg]

The Aspen Mesh CAs

There are two CAs in Aspen Mesh:

Istiod
    Manages (creates, signs, and rotates) workload certificates for the following on-mesh items:
    - On-mesh non-gateway pods (those with a sidecar)
    - The on-mesh interfaces of Istio gateway pods

Citadel
    If installed and other conditions are met, manages (creates, signs, and rotates) workload certificates for the following off-mesh items:
    - Off-mesh, on-cluster non-gateway pods (those without a sidecar)
    - The off-mesh interfaces of Istio gateway pods
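The two tables above together determine which CA is responsible for each workload certificate. The following added example (not Aspen Mesh code) derives a pod's type from its container list using the definitions in the first table, then maps each certificate-bearing interface to its CA per the second; it assumes the Istio proxy container carries the default Istio name `istio-proxy`, and that the pod objects have the shape `kubectl get pods -o json` produces.

```python
"""Classify pods by the Aspen Mesh CA rules and report which CA manages
each workload certificate. Added example, not Aspen Mesh code.
Assumption: the Istio proxy (Envoy) container is named "istio-proxy"
(the Istio default); every other container counts as an application container."""
from typing import Dict, List

PROXY_CONTAINER = "istio-proxy"  # assumed Istio default proxy container name


def classify_pod(pod: dict) -> str:
    """Return the pod type (as defined in the pod-type table) from a pod spec."""
    names = [c["name"] for c in pod["spec"]["containers"]]
    has_proxy = PROXY_CONTAINER in names
    has_app = any(n != PROXY_CONTAINER for n in names)
    if has_proxy and not has_app:
        return "Istio gateway pod"          # proxy only, no application container
    if has_proxy and has_app:
        return "On-mesh non-gateway pod"    # application plus sidecar
    if has_app:
        return "Off-mesh, on-cluster non-gateway pod"  # application, no sidecar
    raise ValueError(f"pod {pod['metadata']['name']} has no containers")


def certificate_owners(pod: dict) -> Dict[str, str]:
    """Map each certificate-bearing interface of the pod to the CA that manages it."""
    kind = classify_pod(pod)
    if kind == "Istio gateway pod":
        # A gateway has an on-mesh and an off-mesh interface, each with its own cert.
        return {"on-mesh": "Istiod", "off-mesh": "Citadel"}
    if kind == "On-mesh non-gateway pod":
        return {"on-mesh": "Istiod"}
    # Off-mesh pods are covered by Citadel only if it is installed and its
    # other conditions are met; without it, this cert has no mesh CA.
    return {"off-mesh": "Citadel"}


def audit(pods: List[dict]) -> Dict[str, Dict[str, str]]:
    """Per pod name, report which CA is responsible for each of its certificates."""
    return {p["metadata"]["name"]: certificate_owners(p) for p in pods}


# Constructed sample pods, one of each type from the pod-type table.
SAMPLE_PODS = [
    {"metadata": {"name": "legacy-db"},
     "spec": {"containers": [{"name": "postgres"}]}},
    {"metadata": {"name": "orders"},
     "spec": {"containers": [{"name": "orders"}, {"name": "istio-proxy"}]}},
    {"metadata": {"name": "istio-ingressgateway"},
     "spec": {"containers": [{"name": "istio-proxy"}]}},
]

if __name__ == "__main__":
    for name, owners in audit(SAMPLE_PODS).items():
        print(f"{name}: {owners}")
```

Running `audit` over the output of `kubectl get pods -A -o json` shows which certificates depend on Citadel being installed, which is the question the second table leaves conditional.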