I’ve noticed the availability of Chiron. Are there any plans to support that workflow for mTLS certificates as well (e.g. use k8s own CA as a signing authority for workload proxies)?
It seems the only use case at the moment is Istio’s service-to-service communication (unless I got it all wrong).
Chiron is used for signing control plane certificates and webhook certificates using the k8s CA. Are you asking about using the k8s CA to sign workload certificates? @leitang
The DNS certificates generated in the example Istio DNS Certificate Management task are for illustration purposes only and are not used in Istio. Hence their names: example1 and example2.
The control plane uses DNS certificates for various purposes (e.g., webhook connections). If the control plane DNS certificate is issued by the k8s CA, it is generated through the same code as that used by Istio DNS certificate management. The DNS certificates are not used by workload proxies.
Can you please be more explicit? It looks like I am missing something. I have generated the DNS certificates as explained in the Istio DNS Certificate Management task, but I don’t see where those certificates are used. I have checked the endpoints of istiod with openssl s_client, but there I got a different cert. So I’m confused. Thank you.
The DNS certificates generated in the example Istio DNS Certificate Management task are for illustration purposes only and are not used in Istio. Hence their names: example1 and example2.
DNS certificates can be used for various purposes (e.g., webhook connections). If you do not have use cases to generate DNS certificates, you can skip the Istio DNS Certificate Management task.
Thank you @leitang . I know I can skip that task, but once it is there and it was presented as an advantage to have that possibility, I wanted to know how to use those DNS certificates. Right now I know how to generate them, but I still don’t know how/when to use them …
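As an added example (not code from this thread or from Istio), the following script makes the "different cert" observation above concrete: it lists the DNS SANs of a certificate extracted from the secret that the DNS Certificate Management task creates, fetches the leaf certificate an endpoint such as istiod presents over TLS, and compares the two by SHA-256 fingerprint. It assumes OpenSSL 1.1.1 or newer; the `secret.pem` path, `host:port` and server name are placeholders.

```shell
#!/usr/bin/env bash
# Added example: compare a certificate stored in a PEM file (e.g. extracted
# with `kubectl get secret ... -o jsonpath='{.data.cert-chain\.pem}' | base64 -d`)
# with the certificate a TLS endpoint actually presents.
set -euo pipefail

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# DNS names from the Subject Alternative Name extension, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Save the leaf certificate presented by host:port (with SNI) to a PEM file.
fetch_server_cert() {
  local hostport=$1 servername=$2 out=$3
  openssl s_client -connect "$hostport" -servername "$servername" \
    </dev/null 2>/dev/null | openssl x509 -outform PEM > "$out"
}

# Exit status 0 when both PEM files hold the same certificate, 1 otherwise.
same_cert() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Usage: compare-cert.sh <secret.pem> <host:port> <servername>   (placeholders)
main() {
  local expected=$1 hostport=$2 servername=$3 served
  served=$(mktemp)
  fetch_server_cert "$hostport" "$servername" "$served"
  echo "SANs in $expected:"; cert_dns_sans "$expected"
  echo "SANs presented by $hostport:"; cert_dns_sans "$served"
  if same_cert "$expected" "$served"; then
    echo "MATCH: the endpoint presents the certificate from $expected"
  else
    echo "MISMATCH: the endpoint presents a different certificate"
  fi
  rm -f "$served"
}

# Only run main when invoked with the three arguments above.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

A MISMATCH with the control plane's own serving certificate on the served side is what the thread describes: the example1/example2 secrets are never loaded by istiod.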