istio_ca
Istio Certificate Authority (CA).
istio_ca [flags]
Flags | Description |
---|---|
--append-dns-names | Append DNS names to the certificates for webhook services. |
--cert-chain <string> | Path to the certificate chain file. (default ``) |
--citadel-storage-namespace <string> | Namespace where the Citadel pod is running. Will not be used if explicit file or other storage mechanism is specified. (default `istio-system`) |
--ctrlz_address <string> | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) |
--ctrlz_port <uint16> | The IP port to use for the ControlZ introspection facility (default `9876`) |
--custom-dns-names <string> | The list of account.namespace:customdns names, separated by comma. (default ``) |
--enable-profiling | Enabling profiling when monitoring Citadel. |
--experimental-dual-use | Enable dual-use mode. Generates certificates with a CommonName identical to the SAN. |
--grpc-host-identities <string> | The list of hostnames for istio ca server, separated by comma. (default `istio-ca,istio-citadel`) |
--grpc-port <int> | The port number for Citadel GRPC server. If unspecified, Citadel will not serve GRPC requests. (default `8060`) |
--key-size <int> | Size of generated private key. (default `2048`) |
--kube-config <string> | Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``) |
--listened-namespaces <string> | Select the namespaces for the Citadel to listen to, separated by comma. If unspecified, Citadel tries to use the ${NAMESPACE} environment variable. If neither is set, Citadel listens to all namespaces. (default ``) |
--liveness-probe-interval <duration> | Interval of updating file for the liveness probe. (default `0s`) |
--liveness-probe-path <string> | Path to the file for the liveness probe. (default ``) |
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--max-workload-cert-ttl <duration> | The max TTL of issued workload certificates. (default `2160h0m0s`) |
--monitoring-port <int> | The port number for monitoring Citadel. If unspecified, Citadel will disable monitoring. (default `15014`) |
--org <string> | Organization for the certificate. (default ``) |
--pkcs8-keys | Whether to generate PKCS#8 private keys. |
--probe-check-interval <duration> | Interval of checking the liveness of the CA. (default `30s`) |
--read-signing-cert-only | When set, Citadel only reads the self-signed signing cert and key from Kubernetes secret without generating one (if not exist). This flag avoids racing condition between multiple Citadels generating self-signed key and cert. Please make sure one and only one Citadel instance has this flag set to false. |
--requested-ca-cert-ttl <duration> | The requested TTL for the CA certificate. (default `8760h0m0s`) |
--root-cert <string> | Path to the root certificate file. (default ``) |
--sds-enabled | Whether SDS is enabled. |
--self-signed-ca | Indicates whether to use auto-generated self-signed CA certificate. When set to true, the '--signing-cert' and '--signing-key' options are ignored. |
--server-only | When set, Citadel only serves as a server without writing the Kubernetes secrets. |
--sign-ca-certs | Whether Citadel signs certificates for other CAs. |
--signing-cert <string> | Path to the CA signing certificate file. (default ``) |
--signing-key <string> | Path to the CA signing key file. (default ``) |
--trust-domain <string> | The domain serves to identify the system with SPIFFE. (default ``) |
--upstream-ca-address <string> | The IP:port address of the upstream CA. When set, the CA will rely on the upstream Citadel to provision its own certificate. (default ``) |
--workload-cert-grace-period-ratio <float32> | The workload certificate rotation grace period, as a ratio of the workload certificate TTL. (default `0.5`) |
--workload-cert-ttl <duration> | The TTL of issued workload certificates. (default `2160h0m0s`) |
istio_ca probe
Check the liveness or readiness of a locally-running server
istio_ca probe [flags]
Flags | Description |
---|---|
--ctrlz_address <string> | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) |
--ctrlz_port <uint16> | The IP port to use for the ControlZ introspection facility (default `9876`) |
--interval <duration> | Duration used for checking the target file's last modified time. (default `0s`) |
--log_as_json | Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] (default ``) |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> | The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--probe-path <string> | Path of the file for checking the availability. (default ``) |
istio_ca version
Prints out build version information
istio_ca version [flags]
Flags | Shorthand | Description |
---|---|---|
--ctrlz_address <string> | The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) | |
--ctrlz_port <uint16> | The IP port to use for the ControlZ introspection facility (default `9876`) | |
--log_as_json | Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> | Comma-separated list of scopes for which to include caller information, scopes can be any of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] (default ``) | |
--log_output_level <string> | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> | The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> | The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> | The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> | The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> | Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> | The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--output <string> | -o | One of 'yaml' or 'json'. (default ``) |
--short | -s | Use --short=false to generate full version information |
Environment variables
These environment variables affect the behavior of theistio_ca
command.Variable Name | Type | Default Value | Description |
---|---|---|---|
CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATOR | Boolean | true | If true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval. |
CITADEL_ENABLE_NAMESPACES_BY_DEFAULT | Boolean | true | Determines whether unlabeled namespaces should be targeted by this Citadel instance |
CITADEL_SELF_SIGNED_CA_CERT_TTL | Time Duration | 87600h0m0s | The TTL of self-signed CA root certificate. |
CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVAL | Time Duration | 1h0m0s | The interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes. |
CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILE | Integer | 20 | Grace period percentile for self-signed root cert. |
CITADEL_WORKLOAD_CERT_MIN_GRACE_PERIOD | Time Duration | 10m0s | The minimum workload certificate rotation grace period. |
JWT_POLICY | String | third-party-jwt | The JWT validation policy. |
NAMESPACE | String |
|
Exported metrics
Metric Name | Type | Description |
---|---|---|
citadel_secret_controller_csr_err_count | Sum | The number of errors occurred when creating the CSR. |
citadel_secret_controller_csr_sign_err_count | Sum | The number of errors occurred when signing the CSR. |
citadel_secret_controller_secret_deleted_cert_count | Sum | The number of certificates recreated due to secret deletion (service account still exists). |
citadel_secret_controller_svc_acc_created_cert_count | Sum | The number of certificates created due to service account creation. |
citadel_secret_controller_svc_acc_deleted_cert_count | Sum | The number of certificates deleted due to service account deletion. |
citadel_server_authentication_failure_count | Sum | The number of authentication failures. |
citadel_server_csr_count | Sum | The number of CSRs received by Citadel server. |
citadel_server_csr_parsing_err_count | Sum | The number of errors occurred when parsing the CSR. |
citadel_server_csr_sign_err_count | Sum | The number of errors occurred when signing the CSR. |
citadel_server_id_extraction_err_count | Sum | The number of errors occurred when extracting the ID from CSR. |
citadel_server_root_cert_expiry_timestamp | LastValue | The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error. |
citadel_server_success_cert_issuance_count | Sum | The number of certificates issuances that have succeeded. |
istio_build | LastValue | Istio component build info |