Run node_agent on premise to get workload CSR

Dear community,

I’ve been working on node_agent with the env set up as onprem to get signed certs for the Envoy workload. Based on the Istio security mTLS design in the online documentation, Citadel (not running in k8s) is supposed to grant a workload CSR request from node_agent. What I experienced is that with the latest Istio security release, node_agent is sending a server CA CSR to Citadel, not a workload CSR.

May I know if this works by design, and why?

    2019-01-31T09:17:01.159077Z  info  pickfirstBalancer: HandleSubConnStateChange: 0xc00022e060, READY
    2019-01-31T09:17:01.269913Z  info  Sending CSR (retrial #0) michaelbi ...

The signed cert from Citadel looks something like this:

                 00:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name:
                DNS:nodeagent.marathon.containerip.dcos.thisdcos.directory

That should be a workload CSR. @leitang could you help look into that?

Hi Michael,
Can you share your steps to reproduce the certificate issue? Meanwhile, the guide at https://istio.io/docs/tasks/security/auth-sds/#service-to-service-mutual-tls-using-key-certificate-provisioned-through-sds will enable service-to-service mTLS and generate certificates through SDS for workloads. With this guide you can dump the generated certificate to see if it is as expected.
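The dump quoted in the first post (critical Key Usage of only `Certificate Sign`, critical `CA:TRUE`, and a DNS SAN naming the node_agent host) is the shape of a CA certificate, not of a workload certificate; a workload certificate issued for mTLS carries `CA:FALSE`, a signature/encipherment key usage, and a SPIFFE URI SAN naming the workload identity. The script below is an added example, not code from this thread or from Istio, that builds one certificate of each shape with `openssl` so the two can be compared, and then classifies a PEM file from its `openssl x509 -text` output the way the reply suggests dumping the generated certificate. It assumes the `openssl` CLI is on the PATH; the SPIFFE path `spiffe://cluster.local/ns/default/sa/example-workload` and the CN values are assumed example identities.

```shell
#!/bin/sh
# Added example, not code from the thread or from Istio: generate one CA-style
# and one workload-style certificate with openssl, then classify each by the
# X509v3 extensions quoted in the post (Key Usage, Basic Constraints, SAN).
set -eu

WORKDIR=$(mktemp -d)
CA_PEM="$WORKDIR/ca.pem"
LEAF_PEM="$WORKDIR/workload.pem"

# Constructed sample 1: the shape of the certificate quoted in the post
# (critical Key Usage = Certificate Sign, critical Basic Constraints CA:TRUE,
# DNS SAN of the node-agent host). This is what a CA certificate looks like.
cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = nodeagent
[ext]
keyUsage = critical, keyCertSign
basicConstraints = critical, CA:TRUE
subjectAltName = DNS:nodeagent.marathon.containerip.dcos.thisdcos.directory
EOF

# Constructed sample 2: the shape expected for a workload (leaf) certificate:
# CA:FALSE, signature/encipherment key usage, and a SPIFFE URI SAN naming the
# workload identity. The SPIFFE path below is an assumed example identity.
cat > "$WORKDIR/workload.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = workload
[ext]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical, CA:FALSE
subjectAltName = URI:spiffe://cluster.local/ns/default/sa/example-workload
EOF

# make_cert CONFIG OUT: self-signed certificate carrying the [ext] section of CONFIG.
make_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$1" -keyout "${2%.pem}.key" -out "$2" 2>/dev/null
}

# cert_kind PEM: prints "ca", "workload" or "unknown", judged only from the
# Basic Constraints and Key Usage extensions in `openssl x509 -text` output.
cert_kind() {
  text=$(openssl x509 -in "$1" -noout -text)
  if printf '%s\n' "$text" | grep -q 'CA:TRUE' \
     && printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
    echo ca
  elif printf '%s\n' "$text" | grep -q 'CA:FALSE' \
     && printf '%s\n' "$text" | grep -q 'Digital Signature'; then
    echo workload
  else
    echo unknown
  fi
}

# cert_sans PEM: prints the Subject Alternative Name value line (the line
# following the "X509v3 Subject Alternative Name:" header), whitespace trimmed.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

make_cert "$WORKDIR/ca.cnf" "$CA_PEM"
make_cert "$WORKDIR/workload.cnf" "$LEAF_PEM"

# Dump and classify both: the CA-shaped one matches the post's output, the
# workload-shaped one is what a CSR for an Envoy sidecar should produce.
for pem in "$CA_PEM" "$LEAF_PEM"; do
  printf '%s: kind=%s san=%s\n' \
    "$(basename "$pem")" "$(cert_kind "$pem")" "$(cert_sans "$pem")"
done
```

Run it against a certificate actually returned by Citadel (`cert_kind /path/to/cert.pem`): a result of `ca` with a DNS SAN for the node_agent host means the CSR was a CA CSR, while a workload CSR should come back as `workload` with a SPIFFE URI SAN.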