Get Istio CA in 1.5

Before 1.5, we can get CA in secret like istio.default, we can check the value of SAN and others.
Now in 1.5, Istio will not write CA in the secret rather than use grpc. So how can I get the CA?

Hi @tx19980520
am i understanding right that you want to see Certificates in istio1.5 previously which are stored in secrets.

yes! it is stored in the istio.default secret maybe

From istio1.5 we use SDS (by default) for worload certificate. Not File Mount which we used in prior istio1.5. see this upgrade notes:

The key and certifiactes are only in Envoy memory today. Istio agent monitors the certs and rotate them by pushing new SDS responses to Envoy.
You can see it by running this command.
kubectl exec <pod> -c istio-proxy -- openssl s_client -alpn istio -connect <service:port>

or also in the proxy config_dump endpoint, the dynamic secrets are dumped at the bottom.

1 Like

Very helpful! Thanks for your command!

As @Shubham pointed out, from 1.5 SDS is used by default. You could use openssl to check the certificates.