In 1.4, Citadel would write the certs to secrets (and apparently to /etc/certs in the istio-proxy of a given pod), so you could view the cert to see the principal, the expiration, etc. With 1.5, certs are no longer written to secrets or to /etc/certs, so is there somewhere I can view the cert?
The certificate can be viewed through the openssl s_client command. The following example command retrieves the certificate of an example service httpbin (the details can be found in Istio / Plug in CA Certificates).
$ kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c istio-proxy -n foo -- openssl s_client -showcerts -connect httpbin.foo:8000 > httpbin-proxy-cert.txt
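To read the principal and expiration out of the saved s_client output, here is an added example that is not part of the original thread. The function names are hypothetical; it assumes openssl is installed locally and that the workload identity is carried as a SPIFFE URI in the certificate's subject alternative name.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): inspect the certificate chain saved by
#   openssl s_client -showcerts -connect httpbin.foo:8000 > httpbin-proxy-cert.txt
# Function names are hypothetical.

# Print the Nth PEM certificate found on stdin (1 = leaf, 2+ = issuing chain).
nth_pem() {
  awk -v want="${1:-1}" '
    /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
    on && n == want               { print }
    /-----END CERTIFICATE-----/   { on = 0 }
  '
}

# Count how many certificates the peer presented.
count_pems() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Summarise the leaf certificate in file $1: URI SAN (the principal),
# issuer and validity dates. Returns 1 if the certificate expires within
# $2 seconds (default 3600), 2 if no certificate was found.
cert_summary() {
  local file=$1 window=${2:-3600} leaf
  leaf=$(nth_pem 1 < "$file")
  if [ -z "$leaf" ]; then
    echo "no certificate found in $file" >&2
    return 2
  fi
  echo "certificates in chain: $(count_pems < "$file")"
  # The principal is the URI entry, expected to look like spiffe://<trust-domain>/ns/<ns>/sa/<sa>
  printf '%s\n' "$leaf" | openssl x509 -noout -text |
    grep -A1 'Subject Alternative Name'
  printf '%s\n' "$leaf" | openssl x509 -noout -issuer -startdate -enddate
  # -checkend exits non-zero when notAfter falls inside the window
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend "$window" >/dev/null
}

# Usage:
#   cert_summary httpbin-proxy-cert.txt        # warn if it expires within 1 hour
#   nth_pem 2 < httpbin-proxy-cert.txt | openssl x509 -noout -subject
```

A non-zero exit from cert_summary with a valid file means the leaf certificate is about to expire and has not been rotated yet.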
I think it’s in the config dump as well?
this is perfect, thanks!
what’s the config dump?
edit:
Found the istioctl proxy-config command, but I don’t see anything that immediately looks like it would provide a dump of the certificate. Is there a specific command you know of?
https://github.com/istio/istio/wiki/Troubleshooting-Istio can get the raw config dump
istioctl proxy-config secret
will get this as well