Get Istio CA in 1.5

tx19980520 · May 1, 2020, 8:53am

Before 1.5, we can get CA in secret like istio.default, we can check the value of SAN and others.
Now in 1.5, Istio will not write CA in the secret rather than use grpc. So how can I get the CA?

Shubham · May 1, 2020, 12:14pm

Hi @tx19980520
am i understanding right that you want to see Certificates in istio1.5 previously which are stored in secrets.

tx19980520 · May 1, 2020, 1:20pm

yes! it is stored in the istio.default secret maybe

Shubham · May 1, 2020, 2:47pm

From istio1.5 we use SDS (by default) for worload certificate. Not File Mount which we used in prior istio1.5. see this upgrade notes:

The key and certifiactes are only in Envoy memory today. Istio agent monitors the certs and rotate them by pushing new SDS responses to Envoy.
You can see it by running this command.
kubectl exec <pod> -c istio-proxy -- openssl s_client -alpn istio -connect <service:port>

or also in the proxy config_dump endpoint, the dynamic secrets are dumped at the bottom.

tx19980520 · May 2, 2020, 3:40am

Very helpful! Thanks for your command!

JimmyChen · May 14, 2020, 7:35pm

As @Shubham pointed out, from 1.5 SDS is used by default. You could use openssl to check the certificates.

Topic		Replies	Views
Question about istio-ca-secret stored as k8 secret Security	4	2174	May 14, 2020
How to deal with Istio Root CA Cert available as a k8s secret? Security	1	546	January 30, 2021
Is it possible to examine the mtls certificate in istio 1.5 Security	5	1446	March 10, 2020
Plugging in a new (ephemeral) CA certificate Security	7	1446	July 9, 2020
Plugging in existing CA Certificates in istio1.5 Security	6	1118	April 7, 2020

Get Istio CA in 1.5

Related Topics