We want to plug in our own CA certificate as described at plugin-ca-cert.
However, we have an unusual requirement: when istiod starts, we’ll use an init-container to:
- generate a new CA private key,
- request a CA cert from our company’s root CA,
- and write them to an emptyDir for istiod to read from.
Is this ‘ephemeral CA cert’ approach supported?
I’m worried about what will happen after one or more of our istiod pods restart. The new istiod will get a new key and CA certificate. Proxy-to-istiod and proxy-to-proxy communications will then use a mixture of certificates signed by the old and new intermediate CAs.
This may break the chain of trust, depending on how/when Istio distributes the intermediate CA certificate. I read root-transition which suggests everything might automatically work, via the magic of Envoy hot restarts, but I’m not sure.
The reason I have this unusual requirement is that my company has tight controls on the use of internal CAs. However, I expect anyone plugging in a long-lived CA cert will have a similar problem when it eventually expires. Also note that I want to use an emptyDir to store my CA’s private key rather than a Secret because my company generally doesn’t treat Kubernetes Secrets as sufficiently secure for storing TLS keys.
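The chain-of-trust question above, worked through as an added Go example that is not part of the original post or of Istio: it builds an in-memory root CA (a constructed stand-in for the company root CA), two istiod-style intermediates signed by it, one workload cert per intermediate, and then checks which combinations verify. All names are constructed; the check shows that certs from both intermediate generations verify as long as every peer trusts the same root and each workload presents its own intermediate, while a workload cert offered with only the other generation's intermediate does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var nextSerial int64 // sequential serials are enough for a local demo
func must(err error) { if err != nil { panic(err) } }

// issue makes a fresh key and a cert for cn signed by parent/parentKey; a nil parent
// yields a self-signed root, which stands in for the company root CA in this demo.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: the shared trust anchor
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// verifies reports whether leaf chains to root when only intermediate accompanies it
// (all a peer sees in a TLS handshake); the peer is assumed to trust root alone.
func verifies(leaf, intermediate, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// RotationScenario models an istiod restart: gen1 signs a workload cert, istiod comes back
// with a new key and a gen2 intermediate, and gen2 signs another. It returns whether the
// old leaf verifies with gen1, the new leaf with gen2, and the old leaf with only gen2.
func RotationScenario() (oldOK, newOK, crossOK bool) {
	root, rootKey := issue("company-root-ca", true, nil, nil)
	gen1, key1 := issue("istiod-intermediate-gen1", true, root, rootKey)
	gen2, key2 := issue("istiod-intermediate-gen2", true, root, rootKey)
	oldLeaf, _ := issue("workload-before-restart", false, gen1, key1)
	newLeaf, _ := issue("workload-after-restart", false, gen2, key2)
	return verifies(oldLeaf, gen1, root), verifies(newLeaf, gen2, root), verifies(oldLeaf, gen2, root)
}
```

The third result is the failure mode to watch for after a restart: a peer that only receives the new intermediate cannot validate a workload still holding a cert from the old one, so the intermediate has to travel with each workload's chain rather than be assumed to be shared.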