Istio SDS support on GKE - and key rotation

I have a GKE cluster with Istio add-on.

GKE version: 1.13.11-gke.5
Istio version: 1.1.16-gke.0

For Istio add-on on GKE, SDS profile is not installed - and there is no node agent running.

In that case how does Istio do key rotation? Appreciate a lot any pointers…


For Istio add-on. Citadel creates root certificate and root private key, and stores the cert and key into a Kubernetes secret istio-ca-secret. That istio-ca-secret is the source of truth.

Citadel periodically checks workload certificate, and rotates workload cert if the cert is about to expire. The workload cert is signed by the root cert.

In Istio 1.1 release, Citadel does not automatically rotate root cert. There is a script that rotates the root cert using the existing root private key.

We are working on supporting Citadel auto root cert rotation for 1.2+. @Oliver

1 Like