Run node_agent on premise to get workload CSR


Dear community,

I’ve been working on node_agent with env setup as onprem to get signed certs for Envoy workload. With the assumption of Istio security mTLS design online documentation, the Citadel (not running in k8s) is supposed to grant a workload CSR request from node_agent. What I experienced is that with latest istio security release, the node_agent is sending a server CA CSR to Citadel not a workload CSR.

May I know if it works by design and why is that?

|2019-01-31T09:17:01.159077Z|info|pickfirstBalancer: HandleSubConnStateChange: 0xc00022e060, READY|
|2019-01-31T09:17:01.269913Z|info|Sending CSR (retrial #0) michaelbi ...|

The signed certs from Citadel is something like

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
            X509v3 Subject Alternative Name: