It is possible to have several CAs within the same cluster. #153
Comments
I have a similar question related to having a CA for each mesh that we have in a cluster. The intent is to potentially highly isolate some workloads.
I have the same question: is it possible to set multiple cluster issuers in istio-csr (using AWS PCA)?
Hey, thanks for raising this (and sorry it took a year to get a response 😭). We'd been looking into something like this internally at Venafi. There might be some scope for us to work on this. Our motivation is to enable istio-csr to be installed without having a CA configured (since currently the issuing CA has to be passed at container startup). That would enable users to install istio-csr alongside cert-manager without needing to configure a CA first. One thing we'd considered (but not in depth) was to allow the CA to be configured per-namespace, e.g. with a Kuber and I had spoken on K8s slack also, around being able to trust two CAs. That's definitely something we should capture too!
This would be great (for me at least). One other area that having support for multiple CAs would be great for is having a separate CA for the listener interface, and for the actual Istio certs. Currently I have a separate per-namespace intermediary CA, which I use for server auth for anything that requires it. When deploying Istio and istio-csr, I'd like to be able to use a separate Istio-only CA for Istio mesh services. I may be interested in filing a PR for this feature, if a PR would be accepted for this.
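For readers unfamiliar with how cert-manager scopes issuers, the following is an added illustration (not code from this issue or from the istio-csr project) of the per-namespace CA model the two comments above describe: a namespaced `Issuer` of type `ca` whose signing keypair lives in a Secret in that namespace, beside a cluster-wide `ClusterIssuer` backed by a different keypair. Names (`payments`, `mesh-intermediate-ca`, `org-root-ca`) are placeholders. As this thread states, istio-csr itself is still configured with a single issuer at container startup, so these objects only show how cert-manager would hold several CAs side by side, not how istio-csr would select between them.

```yaml
# Added example: one CA per namespace, plus a cluster-wide CA.
# Secret names and namespaces are placeholders, not values from the issue.
apiVersion: cert-manager.io/v1
kind: Issuer            # namespaced: only Certificates in "payments" can reference it
metadata:
  name: mesh-intermediate-ca
  namespace: payments
spec:
  ca:
    secretName: mesh-intermediate-ca-keypair   # tls.crt / tls.key of the intermediate CA
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer     # cluster-scoped: referenceable from any namespace
metadata:
  name: org-root-ca
spec:
  ca:
    secretName: org-root-ca-keypair            # must live in cert-manager's own namespace
---
# A Certificate in "payments" choosing the namespaced CA rather than the cluster one.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-api-serving
  namespace: payments
spec:
  secretName: payments-api-serving-tls
  dnsNames:
    - api.payments.svc
  issuerRef:
    name: mesh-intermediate-ca
    kind: Issuer        # "Issuer" resolves in the Certificate's own namespace
    group: cert-manager.io
```

The security-relevant distinction is the `kind` in `issuerRef`: a namespaced `Issuer` can only be used by Certificates in the same namespace, so the blast radius of that CA's key is bounded by the namespace, whereas a `ClusterIssuer` is reachable from every namespace. Keeping the intermediate's keypair Secret in the workload namespace also means namespace-level RBAC controls who can read it.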
Is it possible to have more than one CA within istio-csr? How do I configure it?
The second question is how I can configure which CA my sidecar will get certificates from, through annotations or some declaration method. I need to configure the CA that each pod will use to communicate from pod to pod.
I'm using the aws pca external issuer.