Chiron for mTLS certificates

Hey folks,

I’ve noticed the availability of Chiron. Are there any plans to support that workflow for mTLS certificates as well (e.g. use k8s own CA as a signing authority for workload proxies)?
It seems the only use case at the moment is istio’s service-2-service communication (unless I got it all wrong).

Thanks

Chiron is used for signing control plane certificates and webhook certificates using the k8s CA. Are you asking about using the k8s CA to sign workload certificates? @leitang

Using k8s CA as a signing authority for workload proxies is not planned for Istio 1.5, but may be planned after 1.5 (no concrete timeline yet).

Indeed that’s what I was asking.
Thanks for the update.

Is there any documentation on using Chiron?

We are using Istio 1.7; is this implemented?
“Using k8s CA as a signing authority for workload proxies.”

The Istio 1.7 release notes (https://istio.io/latest/news/releases/1.7.x/announcing-1.7/) do not mention support for using the k8s CA as a signing authority for workload proxies. CC @Oliver @shankgan for the planning of using the k8s CA as a signing authority for workload proxies.

How are these DNS certificates used? Who is using them?

The DNS certificates generated in the example Istio DNS Certificate Management task are for illustration purposes only and are not used in Istio. Hence their names: example1 and example2.
The control plane uses a DNS certificate for various purposes (e.g., webhook connections). If the control plane DNS certificate is issued by the k8s CA, it is generated through the same code as that used by Istio DNS certificate management. The DNS certificates are not used by workload proxies.

Thank you @leitang! Can you give an example of how the control plane is using those? Or where can I read more about that?

An example of the control plane using DNS certs is that the control plane uses a DNS certificate for its webhook connections.

Are these DNS certificates relevant now when the control plane is a monolith? Galley, Pilot, Citadel are in the same process.

When the control plane is a monolith, the control plane still needs a DNS certificate.

Can you please be more explicit? It looks like I am missing something. I have generated the DNS certificates as explained in the Istio DNS Certificate Management task, but I don’t see where those certificates are used. I have checked the endpoints of the istiod with openssl s_client, but there I got a different cert. So I’m confused. Thank you.

The DNS certificates generated in the example Istio DNS Certificate Management task are for illustration purposes only and are not used in Istio. Hence their names: example1 and example2.
DNS certificates can be used for various purposes (e.g., webhook connections). If you do not have use cases to generate DNS certificates, you can skip the Istio DNS Certificate Management task.
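The practical question left open above is how to tell which certificate you are actually looking at: whether a PEM pulled from a Secret or from `openssl s_client -showcerts` was issued by the cluster (k8s) CA and whether it carries the DNS names you expect. The script below is an added example, not Istio's code or anything from this thread: it mints a throwaway CA standing in for the cluster CA, issues an istiod-style certificate from it, and defines two checks that work on any PEM file. The CA name, file layout and SAN values are made up; inside a pod the real cluster CA bundle is at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.

```shell
#!/bin/sh
# Constructed example: a throwaway "cluster CA" plus a cert with istiod-style DNS SANs.
# Two reusable checks for any PEM you obtained from a Secret or from openssl s_client:
#   cert_chains_to <cert.pem> <ca-bundle.pem>  -> is it really issued by that CA?
#   cert_has_san   <cert.pem> <dns-name>       -> does it carry that DNS SAN?
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_ca() {   # self-signed stand-in for the cluster CA (placeholder name, not Istio's CA)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-cluster-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {   # $1 = basename, $2 = subjectAltName value, e.g. "DNS:a,DNS:b"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# 0 when the cert verifies against the given CA bundle (issuer match + signature + validity).
cert_chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 0 when the exact DNS name is one of the cert's SAN entries (no wildcard/suffix matching).
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "DNS:$2"
}

# Demo: a control-plane-style cert and an unrelated example cert, both from the same CA.
make_ca
issue_cert istiod   "DNS:istiod.istio-system.svc,DNS:istiod.istio-system.svc.cluster.local"
issue_cert example1 "DNS:example1.istio-system.svc"
for name in istiod example1; do
  if cert_chains_to "$WORK/$name.crt" "$WORK/ca.crt"; then echo "$name.crt: issued by our CA"; fi
  if cert_has_san "$WORK/$name.crt" istiod.istio-system.svc; then echo "$name.crt: has istiod SAN"; fi
done
```

To apply the same checks to a live control plane, replace `$WORK/ca.crt` with the cluster CA bundle and the cert with the one you extracted; a cert that does not chain to the cluster CA was not issued through the k8s-CA path described above.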

Thank you @leitang . I know I can skip that task, but once it is there and it was presented as an advantage to have that possibility, I wanted to know how to use those DNS certificates. Right now I know how to generate them, but I still don’t know how/when to use them …