This document describes how to bring your own root certificate authority (CA) or intermediate CA into TSB to generate Istiod and workload certificates in a multi cluster Istio setup to achieve chain of trust.
When you start TSB (and thus Istio) as a demo or out of the box, the Istio instance will create its own self-signed certificate (i.e. its own root CA) to manage communication. This is convenient, but it all too commonly becomes a pain point for users who eventually start running Istio in multiple clusters. Because each Istio instance use their own root CA, they inadvertently create two islands with no trust, which leads to the clusters not being able to use secure communication.
In order to avoid this under multi-cluster Istio production setup, it is recommended that you create an intermediate signing certificate dedicated for each TSB control plane installation, per cluster. These intermediate certificates will be signed using your existing root CA private key, as well as to issue leaf certificates for the workloads deployed in the cluster. This is illustrated in the following image:
If you want to learn more about chain of trust you can check "Root Istio's trust in your existing PKI" blog post from Tetrate
Before you get started, make sure you
✓ Familiarize yourself with TSB concepts
✓ Familiarize yourself with the TSB installation process. You can update existing TSB installation by updating Control Plane CR or you can do fresh installation of TSB.
✓ Familiarize yourself with Istio CSR API
cert-manager and Istio CSR API will be used to request certificates from an external CA. After external CA authenticates and authorizes the workloads, issued certificates are provided in the response message.
cert-manager has an integration with Istio CSR called
istio-csr that implements gRPC Istio certificate service. The
istio-csr agent authenticates, authorizes and signs incoming certificate signing requests from Istio workloads, routing all certificate handling through the
cert-manager installed in the cluster.
The rest of the document will walk you through how to integrate TSB control plane with several different types of external CAs, depending on your use case.
📄️ Common Setup
This document describes the common setup required to proceed with the specific instructions for the external services under the External CA Integration document.
📄️ Vault PKI Integration
This document describes how to setup TSB and Vault so that Vault can be used as an External CA.