Istio mesh expansion 1.5


I am currently migrating an Istio 1.4 cluster to 1.5. We are using mesh expansion to host certain databases on bare-metal machines. I am hitting a roadblock on the documentation here:

and cannot seem to find information on how to generate production certs for the VM. Is there documentation available on how to generate certs for the VM, given a clean Kubernetes installation with a fresh Istio 1.5 installation? Neither the linked documentation nor the “Plugging in external CA” page it links to seems to address this.

The documentation states: “There are many tools and procedures for managing certificates for VMs - Istio requirement is that the VM will get a certificate with an Istio-compatible SPIFFE SAN, with the correct trust domain, namespace and service account.”

Examples of such tools and command-line options would be greatly appreciated.
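One way to produce and check such a certificate with plain openssl, as an added example that is not from this thread or the Istio docs: the script signs a VM certificate whose URI SAN is an Istio-style SPIFFE ID of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>, then checks that the SAN carries the expected trust domain, namespace and service account. The trust domain cluster.local, namespace vm-db and service account mysql-vm are assumed placeholders, and the self-signed CA is a throwaway for demonstration; in production the CSR would be signed by whatever CA the mesh trusts.

```shell
# Added example, not from the thread or the Istio docs. Issues a VM cert whose
# URI SAN is an Istio-style SPIFFE ID and checks it. The trust domain,
# namespace and service account below are assumed placeholders; the CA is a
# throwaway self-signed one for demonstration only.
set -e

TRUST_DOMAIN=cluster.local
NAMESPACE=vm-db
SERVICE_ACCOUNT=mysql-vm
SPIFFE_ID="spiffe://$TRUST_DOMAIN/ns/$NAMESPACE/sa/$SERVICE_ACCOUNT"
WORKDIR=$(mktemp -d)

# Throwaway root CA (demo only; a real mesh CA would sign the VM CSR).
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=demo-mesh-ca" \
        -keyout "$WORKDIR/ca-key.pem" -out "$WORKDIR/ca-cert.pem" 2>/dev/null
}

# VM key and CSR. The subject is irrelevant to Istio; identity is the URI SAN.
make_vm_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vm-workload" \
        -keyout "$WORKDIR/vm-key.pem" -out "$WORKDIR/vm.csr" 2>/dev/null
}

# The CA, not the requester, stamps the SPIFFE ID into the certificate.
sign_vm_cert() {
    printf 'subjectAltName=URI:%s\n' "$SPIFFE_ID" > "$WORKDIR/san.cnf"
    openssl x509 -req -in "$WORKDIR/vm.csr" -days 1 \
        -CA "$WORKDIR/ca-cert.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
        -extfile "$WORKDIR/san.cnf" -out "$WORKDIR/vm-cert.pem" 2>/dev/null
}

# Print the first spiffe:// URI SAN found in a certificate (empty if none).
cert_spiffe_id() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'URI:spiffe://[^,[:space:]]*' | head -n 1 | sed 's/^URI://'
}

# Succeed only if the SAN matches the expected trust domain, namespace and SA.
check_spiffe_id() {
    [ "$(cert_spiffe_id "$1")" = "spiffe://$2/ns/$3/sa/$4" ]
}

make_demo_ca
make_vm_csr
sign_vm_cert
openssl verify -CAfile "$WORKDIR/ca-cert.pem" "$WORKDIR/vm-cert.pem"
check_spiffe_id "$WORKDIR/vm-cert.pem" "$TRUST_DOMAIN" "$NAMESPACE" "$SERVICE_ACCOUNT" \
    || { echo "unexpected SAN in VM cert"; exit 1; }
echo "VM cert carries $SPIFFE_ID"
```

The same check_spiffe_id call is what a provisioning pipeline can run against a certificate issued by the real CA before handing it to the VM, so a wrong namespace or service account is caught before the sidecar ever tries to join the mesh.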



I’m stuck at exactly the same stage as @mkoppanen; we were using meshExpansion before 1.5 and now we have to migrate.

In 1.4 the documentation also had its flaws (regarding mTLS, controlPlaneSecurity and missing destination rules), but at least it was precise in getting the certificates set up.

Actually we saw it as quite beneficial that each namespace had its own certificates. From an infrastructure automation point of view that made absolute sense: I can grant read access for the certs to the external VM, and only this VM can fetch the certs to get the meshExpansion set up (clean process, access limited to one namespace, no certs flying around in Terraform scripts or Git repos).

Now the process has changed: only one central CA, and no information on how this should look in a prod environment, just the sample with the static certs.

Is there no other way than externalizing the CA? The docs are very poor in that regard, and the expansion feature is, at least for me, in an unusable state.