Plug in CA certificates
About plugging in CA certificates
Introduction
You can plug in your own root, CA, and intermediate certificates and private key so Istiod and Citadel (if installed) use your CA certificate and private key to create workload certificates.
Note
If you haven’t already done so, learn about the Aspen Mesh certificate authorities (CAs) and the types of pods they support.
What happens if you don’t plug in CA certificates
If you don’t plug in CA certificates, then:
Istiod creates a self-signed RSA root certificate (which it also uses as a CA certificate) and a private key and uses them to create workload certificates.
Citadel (if installed) won’t start.
When to plug in CA certificates
Plug in CA certificates when any of the following is true:
Your organization’s security and compliance policies require the use of your centralized CA infrastructure as root for all issued certificates, including workload certificates created by Istiod and Citadel (if installed).
You’re using Citadel (for example, because you’re using Packet Inspector 1)
Note
It’s recommended that you plug in CA certificates when you first install Aspen Mesh in case you later need to install Citadel, which requires that you plug in CA certificates.
Required credential files
To plug in CA certificates, you need the following credential files, which will be included in the Kubernetes secret referenced by Istiod (and Citadel, if installed) as the root CA credential to create workload certificates:
File | Description
---|---
ca-cert.pem | The CA certificate used by Istiod (and Citadel, if installed) to create workload certificates. This file can be the same certificate as root-cert.pem.
ca-key.pem | The private key used by Istiod (and Citadel, if installed) to create workload certificates.
cert-chain.pem | The certificate chain of trust that includes all intermediate certificates between the workloads and the root CA. This file should be empty if
root-cert.pem | The root certificate that created ca-cert.pem.
Note
You may not use different filenames.
The type of each credential file can be either Rivest–Shamir–Adleman (RSA) or elliptic-curve cryptography (ECC).
Regardless of the types of the credential files, Istiod creates RSA workload certificates unless you enable ECC workload certificates for Istiod.
Citadel creates workload certificates whose type matches that of ca-cert.pem.
Plug in CA certificates and re-create workload certificates
Plug in CA certificates
1. Create a directory to hold the required credential files.
2. Change to the directory you created.
3. If the required credential files don’t already exist, create them.
4. If the istio-system namespace doesn’t exist, create it:
   $ kubectl create namespace istio-system
5. Use the required credential files to create a Kubernetes secret named cacerts in the istio-system namespace:
   $ kubectl create secret generic cacerts --namespace istio-system \
       --from-file=ca-cert.pem \
       --from-file=ca-key.pem \
       --from-file=root-cert.pem \
       --from-file=cert-chain.pem
6. Is Aspen Mesh already installed?
   Note
   Answer no if you were directed to this page while performing a clean installation of Aspen Mesh.
   Yes: Go to step 7.
   No: Stop. Continue performing the clean installation of Aspen Mesh.
7. Restart the Istiod pods:
   $ kubectl rollout restart deployment istiod --namespace istio-system
8. If Citadel is installed, restart the Citadel pods:
   $ kubectl rollout restart deployment istio-citadel --namespace istio-system
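Step 3 leaves the creation of the credential files to you, and a secret built from mismatched files only fails once Istiod tries to sign with it. The script below is an added example, not part of the Aspen Mesh documentation: it builds the four files with openssl as a root CA plus one intermediate CA (the intermediate is what Istiod signs with, so the root key can stay offline), and then checks that ca-cert.pem chains to root-cert.pem, that ca-key.pem is the private key of ca-cert.pem, and that ca-cert.pem is a CA certificate, before anything goes into the cacerts secret. It assumes openssl 1.1.1 or later on PATH; the example.test subject names, RSA-2048 keys, validity periods and the CACERTS_DIR variable are placeholders of this example.

```shell
#!/bin/sh
# Added example (not from the Aspen Mesh docs): build the four cacerts files
# with a root CA and one intermediate CA, then check them before creating the
# secret. Assumes openssl 1.1.1 or later on PATH; subject names, key sizes and
# validity periods are placeholders.
set -eu

# make_cacerts DIR
# Writes root-cert.pem, ca-cert.pem, ca-key.pem and cert-chain.pem into DIR.
# root-key.pem is written there too for the demo; in practice it stays offline
# and is never part of the secret (step 5 names the files explicitly).
make_cacerts() {
  dir=$1
  mkdir -p "$dir"
  # Own config so the system openssl.cnf cannot add conflicting extensions.
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext

[ dn ]
O = example.test
CN = Example Root CA

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root CA: self-signed, CA:TRUE.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/root-key.pem" 2>/dev/null
  openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/root-key.pem" \
    -days 3650 -out "$dir/root-cert.pem" 2>/dev/null
  # Intermediate CA: the key and certificate Istiod signs workload certs with.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/ca-key.pem" 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" -key "$dir/ca-key.pem" \
    -subj "/O=example.test/CN=Example Intermediate CA" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -CA "$dir/root-cert.pem" \
    -CAkey "$dir/root-key.pem" -CAcreateserial -days 1825 -sha256 \
    -extfile "$dir/ca.cnf" -extensions ca_ext -out "$dir/ca-cert.pem" 2>/dev/null
  # cert-chain.pem holds every intermediate between the workloads and the root;
  # with a single intermediate that is just ca-cert.pem.
  cp "$dir/ca-cert.pem" "$dir/cert-chain.pem"
  rm -f "$dir/ca.csr" "$dir/root-cert.srl"
}

# check_cacerts DIR
# Returns 0 when the files are consistent, 1 (with a reason on stderr) otherwise.
check_cacerts() {
  dir=$1
  for f in ca-cert.pem ca-key.pem root-cert.pem cert-chain.pem; do
    [ -f "$dir/$f" ] || { echo "missing $f (the filenames are fixed)" >&2; return 1; }
  done
  # ca-cert.pem must chain to root-cert.pem (through cert-chain.pem when non-empty).
  untrusted=""
  if [ -s "$dir/cert-chain.pem" ]; then untrusted="-untrusted $dir/cert-chain.pem"; fi
  # shellcheck disable=SC2086
  openssl verify -CAfile "$dir/root-cert.pem" $untrusted "$dir/ca-cert.pem" \
    >/dev/null 2>&1 || { echo "ca-cert.pem does not chain to root-cert.pem" >&2; return 1; }
  # ca-key.pem must be the private key of ca-cert.pem (works for RSA and EC keys).
  cert_pub=$(openssl x509 -in "$dir/ca-cert.pem" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$dir/ca-key.pem" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "ca-key.pem does not match ca-cert.pem" >&2; return 1; }
  # ca-cert.pem must be allowed to sign certificates.
  openssl x509 -in "$dir/ca-cert.pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || { echo "ca-cert.pem is not a CA certificate" >&2; return 1; }
  return 0
}

# Usage: CACERTS_DIR=./cacerts sh this-script.sh, then run the kubectl create
# secret command from step 5 inside that directory.
if [ -n "${CACERTS_DIR:-}" ]; then
  make_cacerts "$CACERTS_DIR"
  check_cacerts "$CACERTS_DIR" && echo "cacerts files in $CACERTS_DIR look consistent"
fi
```

The check function is the part worth keeping around: run it against files that came from your own PKI team as well, since the public-key comparison catches a key that belongs to a different certificate and the verify call catches an intermediate that was issued by a root other than the root-cert.pem you are about to trust mesh-wide.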
Re-create all workload certificates managed by Istiod and Citadel
1. In each namespace in which sidecar injection (either automatic or manual) is being used, restart all pods with sidecars:
   $ kubectl delete pods --namespace <namespaceName> \
       --selector security.istio.io/tlsMode=istio
2. If Citadel is installed, restart all off-mesh, on-cluster pods that are configured to use a service account’s Citadel workload certificate:
   Example
   $ kubectl rollout restart deployment <deploymentName> --namespace <namespaceName>
3. Change to the Aspen Mesh release directory.
4. Reconfigure the Istio ingress gateway:
   $ helm upgrade istio-ingress manifests/charts/gateways/istio-ingress \
       --namespace <ingressNamespaceName> \
       --values aspen-mesh-override-values.yaml \
       --wait
5. If you’re using the Istio egress gateway, reconfigure the Istio egress gateway:
   $ helm upgrade istio-egress manifests/charts/gateways/istio-egress \
       --namespace <egressNamespaceName> \
       --values aspen-mesh-override-values.yaml