I am trying to build on the secure ingress docs and configure Istio to use a different CA for client verification than that which signed the server cert. Istio does not seem to support this.
Specifically, I have an ingress gateway with a server block like so:
```yaml
...
- hosts:
  - '*.foo.dev'
  port:
    name: https
    number: 443
    protocol: HTTPS
  tls:
    mode: MUTUAL
    credentialName: foo-tls
```
foo-tls is created by cert-manager and has the fields

ca.crt is not the ca.crt I want to use for clients – it is the cert of the CA which signed

I figured, then, that I could put the alternate CA crt at foo-tls-cacert, as the docs indicate. However, even when I do that, Istio still prefers the foo-tls. It is only once I delete the foo-tls-cacert is used and my client certs are accepted.

I would expect the more specific foo-tls-cacert to override the foo-tls. Is there a way to support a separate CA cert for ingress clients without mangling cert-manager's output?
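For readers following the question, here is the two-secret layout the post is describing, written out as an added example rather than taken from the post or from Istio's own manifests. It assumes the server secret `foo-tls` holds the cert-manager issued keypair plus the issuing CA under `ca.crt`, and that the companion secret `foo-tls-cacert` carries the client CA under the key `cacert`, which is the naming convention the Istio secure-ingress docs describe for mutual TLS. The certificate contents are placeholders.

```yaml
# Added example: Gateway plus the two Secrets involved in the question.
# Namespace and certificate bodies are placeholders, not values from the post.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: foo-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*.foo.dev'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: MUTUAL
      credentialName: foo-tls   # server keypair; Istio looks up foo-tls-cacert alongside it
---
# Server-side secret as produced by cert-manager (kubernetes.io/tls type).
# ca.crt here is the issuer of tls.crt, not the CA that signs client certificates.
apiVersion: v1
kind: Secret
metadata:
  name: foo-tls
  namespace: istio-system
type: kubernetes.io/tls
data:
  tls.crt: <base64 server certificate>   # placeholder
  tls.key: <base64 server private key>   # placeholder
  ca.crt:  <base64 issuing CA>           # placeholder
---
# Companion secret for client verification: <credentialName>-cacert with key cacert.
# This is the CA the gateway should trust for client certificates.
apiVersion: v1
kind: Secret
metadata:
  name: foo-tls-cacert
  namespace: istio-system
type: Opaque
data:
  cacert: <base64 client CA bundle>      # placeholder
```

Once both secrets are in place, `istioctl proxy-config secret <ingressgateway-pod> -n istio-system` lists which CA bundle the gateway actually loaded, which is the quickest way to confirm whether the companion secret or the `ca.crt` from `foo-tls` won.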