Replacing Istio CA Certificate
The Istio CA certificate is the most sensitive object in Istio. When a multicluster shared control plane is enabled, the CA certificate is shared across multiple clusters. Once this certificate leaks to the public, there is no way out but to replace the old CA certificate with a new one.
Istio CA certificate consists of four components:
- Root Certificate
- Intermediate Certificate
- Intermediate Private Key
- CA bundle
This article walks you through replacing all of these with newly generated ones. But please be careful!
You will need:
- Kubernetes with Istio installed
- step and step-ca to generate the certificates
Before replacing anything, we need to generate a new root CA; we will use `step certificate` for that.
Istio has two secret objects for the CA certificate:
- `istio-ca-secret` secret in the `istio-system` namespace. This is the default secret that Istio uses.
- `cacerts` secret in the `istio-system` namespace. This is used instead of `istio-ca-secret` when enabling the Istio multicluster feature.
This article will try using
- Back up and delete the old `cacerts` secret
Once you delete it, expect the Istio mesh to break.
- Apply the new `cacerts` secret
- Roll out the `istio-system` namespace to apply the new `cacerts`
- Check the `istio-ca-root-cert` configmap in every namespace and make sure it contains the new root certificate
`istio-ca-root-cert` is a configmap created automatically by istiod in every Kubernetes namespace. It contains the root certificate that the sidecars use (it is mounted into each sidecar).
- Roll out all Istio-enabled namespaces
Make sure every service and component is listed and all configuration is synced. If a sidecar does not show up in proxy-status, roll out again!
At this point every component in the Istio mesh has the new certificate and its configuration is synced.
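The whole procedure above (generating the new CA with step, backing up and deleting the old secret, applying the new `cacerts`, rolling out istiod, checking every `istio-ca-root-cert` configmap, rolling out the mesh namespaces and checking proxy-status) as one script. This is example code added for this page, not the article's own commands or Istio's tooling. It assumes the `step`, `kubectl` and `istioctl` CLIs are installed, a scratch directory `CERT_DIR`, placeholder CA subject names, and namespaces opted into injection with the `istio-injection=enabled` label; the secret key names `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem` are the ones Istio's plug-in CA reads.

```shell
#!/bin/sh
# Added example, not from the original article: rotate Istio's plug-in CA end to end
# with step and kubectl. CERT_DIR, the subject names and the namespace label are
# assumptions; adjust them for your environment.
set -e

CERT_DIR="${CERT_DIR:-./istio-ca}"      # assumed scratch directory for the new material
ISTIO_NS="${ISTIO_NS:-istio-system}"

# Step 0: generate a fresh root CA plus an intermediate signed by it (step CLI).
generate_ca() {
  mkdir -p "$CERT_DIR"
  step certificate create "Istio Root CA" "$CERT_DIR/root-cert.pem" "$CERT_DIR/root-key.pem" \
    --profile root-ca --no-password --insecure --not-after 87600h
  step certificate create "Istio Intermediate CA" "$CERT_DIR/ca-cert.pem" "$CERT_DIR/ca-key.pem" \
    --profile intermediate-ca --ca "$CERT_DIR/root-cert.pem" --ca-key "$CERT_DIR/root-key.pem" \
    --no-password --insecure --not-after 43800h
  build_cert_chain "$CERT_DIR/ca-cert.pem" "$CERT_DIR/root-cert.pem" "$CERT_DIR/cert-chain.pem"
}

# The CA bundle Istio expects in cert-chain.pem: intermediate first, then root.
build_cert_chain() {
  cat "$1" "$2" > "$3"
}

# Compare two PEM files ignoring whitespace/newline differences; empty input never matches.
pem_matches() {
  a=$(tr -d '[:space:]' < "$1")
  b=$(tr -d '[:space:]' < "$2")
  if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; fi
  return 1
}

# Step 1: back up both CA secrets, then delete the old cacerts (the mesh breaks from here on).
backup_and_delete_old() {
  kubectl -n "$ISTIO_NS" get secret cacerts -o yaml > "$CERT_DIR/cacerts.backup.yaml" || true
  kubectl -n "$ISTIO_NS" get secret istio-ca-secret -o yaml > "$CERT_DIR/istio-ca-secret.backup.yaml" || true
  kubectl -n "$ISTIO_NS" delete secret cacerts --ignore-not-found
}

# Steps 2 and 3: create the new cacerts with the four keys istiod reads, then restart istio-system.
apply_new_cacerts() {
  kubectl -n "$ISTIO_NS" create secret generic cacerts \
    --from-file=ca-cert.pem="$CERT_DIR/ca-cert.pem" \
    --from-file=ca-key.pem="$CERT_DIR/ca-key.pem" \
    --from-file=root-cert.pem="$CERT_DIR/root-cert.pem" \
    --from-file=cert-chain.pem="$CERT_DIR/cert-chain.pem"
  kubectl -n "$ISTIO_NS" rollout restart deployment
  kubectl -n "$ISTIO_NS" rollout status deployment/istiod
}

# Step 4: every namespace's istio-ca-root-cert configmap must now carry the new root.
# Returns non-zero (and names the namespaces) if any still holds the old root.
verify_root_configmaps() {
  stale=0
  for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
    kubectl -n "$ns" get configmap istio-ca-root-cert -o jsonpath='{.data.root-cert\.pem}' \
      > "$CERT_DIR/cm-$ns.pem" 2>/dev/null || continue   # namespace without the configmap
    if ! pem_matches "$CERT_DIR/cm-$ns.pem" "$CERT_DIR/root-cert.pem"; then
      echo "stale root certificate in namespace $ns"
      stale=1
    fi
  done
  return $stale
}

# Step 5: restart sidecar-injected workloads, then confirm every proxy shows as SYNCED.
rollout_mesh_namespaces() {
  for ns in $(kubectl get ns -l istio-injection=enabled -o jsonpath='{.items[*].metadata.name}'); do
    kubectl -n "$ns" rollout restart deployment
  done
  istioctl proxy-status
}

# Run the whole procedure only when invoked as: sh rotate-istio-ca.sh run
if [ "${1:-}" = "run" ]; then
  generate_ca
  backup_and_delete_old
  apply_new_cacerts
  verify_root_configmaps
  rollout_mesh_namespaces
fi
```

Because the script runs with `set -e`, a stale configmap reported by `verify_root_configmaps` stops it before any workload is restarted, which is the point at which you would roll out `istio-system` again rather than proceed. Namespaces selected by a revision label (`istio.io/rev`) instead of `istio-injection=enabled` are not picked up by the last step and need to be restarted by hand.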