This task shows how operators can plug existing certificate and key into Istio CA.
By default, the Istio CA generates self-signed CA certificate and key and uses them to sign the workload certificates. The Istio CA can also use the operator-specified certificate and key to sign workload certificates. This task demonstrates an example to plug certificate and key into the Istio CA.
Suppose we want to have Istio CA use the existing certificate
ca-cert.pem and key
ca-key.pem. Furthermore, the certificate
ca-cert.pem is signed by the root certificate
root-cert.pem, and we would like to use
root-cert.pem as the root certificate for Istio workloads.
In this example, because the Istio CA certificate (
ca-cert.pem) is not set as the workloads’ root certificate (
root-cert.pem), the workload cannot validate the workload certificates directly from the root certificate. The workload needs a
cert-chain.pem file to specify the chain of trust, which should include the certificates of all the intermediate CAs between the workloads and the root CA. In this example, it only contains the Istio CA certificate, so
cert-chain.pem is the same as
ca-cert.pem. Note that if your
ca-cert.pem is the same as
root-cert.pem, you can have an empty
Download the example files:
wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/ca-cert.pem wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/ca-key.pem wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/root-cert.pem wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/cert-chain.pem
The following steps enable plugging in the certificate and key into the Istio CA:
cacertincluding all the input files
kubectl create secret generic cacerts -n istio-system --from-file=/tmp/ca-cert.pem --from-file=/tmp/ca-key.pem \ --from-file=/tmp/root-cert.pem --from-file=/tmp/cert-chain.pem
kubectl apply -f install/kubernetes/istio-ca-plugin-certs.yaml
istio.default. The Istio CA will issue new certificates for the workloads.
kubectl delete secret istio.default
Note that if you are using different certificate/key file or secret names, you need to change corresponding arguments in
In this section, we verify that the new workload certificates and root certificates are propagated. This requires you have
openssl installed on your machine.
Deploy the bookinfo application following the instructions.
Retrieve the mounted certificates.
Get the pods:
kubectl get pods
NAME READY STATUS RESTARTS AGE details-v1-1520924117-48z17 2/2 Running 0 6m productpage-v1-560495357-jk1lz 2/2 Running 0 6m ratings-v1-734492171-rnr5l 2/2 Running 0 6m reviews-v1-874083890-f0qf0 2/2 Running 0 6m reviews-v2-1343845940-b34q5 2/2 Running 0 6m reviews-v3-1813607990-8ch52 2/2 Running 0 6m
In the following, we take the pod
ratings-v1-734492171-rnr5l as an example, and verify the mounted certificates. Run the following commands to retrieve the certificates mounted on the proxy:
kubectl exec -it ratings-v1-734492171-rnr5l -c istio-proxy -- /bin/cat /etc/certs/root-cert.pem > /tmp/pod-root-cert.pem
/tmp/pod-root-cert.pem should contain the root certificate specified by the operator.
kubectl exec -it ratings-v1-734492171-rnr5l -c istio-proxy -- /bin/cat /etc/certs/cert-chain.pem > /tmp/pod-cert-chain.pem
/tmp/pod-cert-chain.pem should contain the workload certificate and the CA certificate.
openssl x509 -in /tmp/root-cert.pem -text -noout > /tmp/root-cert.crt.txt openssl x509 -in /tmp/pod-root-cert.pem -text -noout > /tmp/pod-root-cert.crt.txt diff /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt
tail /tmp/pod-cert-chain.pem -n 22 > /tmp/pod-cert-chain-ca.pem openssl x509 -in /tmp/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt openssl x509 -in /tmp/pod-cert-chain-ca.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt diff /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt
Expect that the output to be empty.
head /tmp/pod-cert-chain.pem -n 18 > /tmp/pod-cert-chain-workload.pem openssl verify -CAfile <(cat /tmp/ca-cert.pem /tmp/root-cert.pem) /tmp/pod-cert-chain-workload.pem
Expect the following output:
To remove the secret
kubectl delete secret cacerts -n istio-system
To remove the Istio components:
kubectl delete -f install/kubernetes/istio-auth.yaml