I am trying to build on the secure ingress docs and configure Istio to use a different CA for client verification than that which signed the server cert. Istio does not seem to support this.
Specifically, I have an ingress gateway with a server block like so:
```yaml
...
- hosts:
  - '*.foo.dev'
  port:
    name: https
    number: 443
    protocol: HTTPS
  tls:
    mode: MUTUAL
    credentialName: foo-tls
```
`foo-tls` is created by cert-manager and has the fields `tls.crt`, `tls.key`, and `ca.crt`. That `ca.crt` is not the `ca.crt` I want to use for clients; it is the cert of the CA which signed `tls.crt`.

I figured, then, that I could put the alternate CA cert at `foo-tls-cacert`, as the docs indicate. However, even when I do that, Istio still prefers the `ca.crt` in `foo-tls`. It is only once I delete the `ca.crt` from `foo-tls` that `foo-tls-cacert` is used and my client certs are accepted.

I would expect the more specific `foo-tls-cacert` to override the `ca.crt` in `foo-tls`. Is there a way to support a separate CA cert for ingress clients without mangling cert-manager's output?