I’ve been working on node_agent with the env setup as onprem to get signed certs for the Envoy workload. According to the Istio security mTLS design documentation, Citadel (not running in k8s) is supposed to grant a workload CSR request from node_agent. What I experienced is that, with the latest Istio security release, node_agent is sending a server CA CSR to Citadel, not a workload CSR.
May I know if this works by design, and why?
```
2019-01-31T09:17:01.159077Z info pickfirstBalancer: HandleSubConnStateChange: 0xc00022e060, READY
2019-01-31T09:17:01.269913Z info Sending CSR (retrial #0) michaelbi ...
```
The signed certs from Citadel look something like:
```
00:ed
            Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:nodeagent.marathon.containerip.dcos.thisdcos.directory
```
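As an added check (not part of the original post and not Istio's own code), the following Go program parses a PEM certificate and reports whether it carries the CA profile seen above (CA:TRUE, Certificate Sign) rather than the leaf profile a workload cert should have; the certificates it tests are constructed in-memory and the DNS name is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckWorkloadCert returns nil when the PEM certificate has a workload (leaf)
// profile: no CA basic constraint, no Certificate Sign key usage, and a SAN.
func CheckWorkloadCert(certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if cert.IsCA {
		return errors.New("basic constraints say CA:TRUE; this is a CA cert, not a workload cert")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign != 0 {
		return errors.New("key usage includes Certificate Sign; a workload cert must not sign certs")
	}
	if len(cert.URIs) == 0 && len(cert.DNSNames) == 0 {
		return errors.New("no SAN present; the workload identity is carried in the SAN")
	}
	return nil
}

// makeCert builds a self-signed sample certificate (constructed test data, not a real Citadel cert).
func makeCert(isCA bool, dns []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: dns,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // the profile the poster observed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println("CA profile:", CheckWorkloadCert(makeCert(true, []string{"nodeagent.example"})))
	fmt.Println("leaf profile:", CheckWorkloadCert(makeCert(false, []string{"nodeagent.example"})))
}
```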