This project will no longer be maintained by Intel.
Intel will not provide or guarantee development of or support for this project, including but not limited to, maintenance, bug fixes, new releases or updates.
Patches to this project are no longer accepted by Intel.
If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the community, please create your own fork of the project.
Intermediate CA rotation is now supported upstream in Istio, which makes this project obsolete.
The upstream feature (istio/istio#31522) is disabled by default. To use it, set the AUTO_RELOAD_PLUGIN_CERTS environment variable on istiod; istiod then monitors the plugin CA files and reloads the certificates automatically when it notices a change, so it no longer has to be restarted when a new intermediate CA is introduced. Root CA rotation is not yet supported upstream either: to introduce a new root CA, restart istiod and all workloads.
This is a controller for rotating the Istio intermediate (plugin) CA; root CA rotation will be supported in the future. See https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/ for information about the plugin CA process.
- Create a new intermediate CA signed by the current root CA.
- Install a NewCA CR with a known name that points to the secret holding the new intermediate CA.
- The controller checks whether the intermediate CA certificate has changed. If it has, the controller installs the new CA cert and key as the plugin CA and restarts istiod, after which new workload certificates are propagated to the workloads. The controller will not rotate certificates if the root certificate has changed.
- The controller reports errors and conditions back in the Status field of the NewCA object.
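The decision the controller takes in the third step above, written out as an added Go example (it is not this project's code). It assumes the current and candidate secret data are keyed by the same file names as the `kubectl create secret` command below (ca-cert.pem, root-cert.pem), and it generates its own throwaway root and intermediate certificates as constructed sample input; the `Decision` type and the function names are the example's own. It goes one step beyond the README's rule: besides refusing a changed root, it refuses a candidate whose ca-cert.pem is not a CA certificate that chains to root-cert.pem, because installing such a secret would leave istiod issuing workload certificates that no sidecar trusts.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type Decision int

const (
	NoChange           Decision = iota // candidate intermediate equals the installed one
	RotateIntermediate                 // root unchanged, intermediate changed: install it, restart istiod
	RootChanged                        // root-cert.pem differs: refuse, that needs the combined-CA flow
)

func parseCert(b []byte) (*x509.Certificate, error) {
	if block, _ := pem.Decode(b); block != nil && block.Type == "CERTIFICATE" {
		return x509.ParseCertificate(block.Bytes)
	}
	return nil, fmt.Errorf("no CERTIFICATE PEM block")
}

// Evaluate compares the installed cacerts data with a candidate secret (keyed like the files
// in the kubectl command below) and refuses a ca-cert.pem that is not a CA chaining to root-cert.pem.
func Evaluate(current, candidate map[string][]byte) (Decision, error) {
	curRoot, err1 := parseCert(current["root-cert.pem"])
	newRoot, err2 := parseCert(candidate["root-cert.pem"])
	newCA, err3 := parseCert(candidate["ca-cert.pem"])
	if err1 != nil || err2 != nil || err3 != nil {
		return NoChange, fmt.Errorf("unparsable secret data: %v %v %v", err1, err2, err3)
	}
	if !bytes.Equal(curRoot.Raw, newRoot.Raw) {
		return RootChanged, nil
	}
	// Verify checks signature, validity window and the root's BasicConstraints; ExtKeyUsageAny
	// keeps it from demanding a server-auth EKU on a CA certificate.
	roots := x509.NewCertPool()
	roots.AddCert(newRoot)
	_, err := newCA.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil || !newCA.IsCA {
		return NoChange, fmt.Errorf("ca-cert.pem is not a CA chaining to root-cert.pem: %v", err)
	}
	if curCA, err := parseCert(current["ca-cert.pem"]); err == nil && bytes.Equal(curCA.Raw, newCA.Raw) {
		return NoChange, nil
	}
	return RotateIntermediate, nil
}

// newCA mints a CA certificate for the constructed sample data; a nil parent means a self-signed root.
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// BuildSample returns constructed secrets: root1 signs int1 (installed) and int2 (the candidate);
// an unrelated root2 signs int3. Each candidate exercises one Evaluate outcome.
func BuildSample() (map[string][]byte, map[string]map[string][]byte) {
	root1PEM, root1, root1Key := newCA("root1", nil, nil)
	int1PEM, _, _ := newCA("int1", root1, root1Key)
	int2PEM, _, _ := newCA("int2", root1, root1Key)
	root2PEM, root2, root2Key := newCA("root2", nil, nil)
	int3PEM, _, _ := newCA("int3", root2, root2Key)
	return map[string][]byte{"ca-cert.pem": int1PEM, "root-cert.pem": root1PEM}, map[string]map[string][]byte{
		"same":             {"ca-cert.pem": int1PEM, "root-cert.pem": root1PEM},
		"new-intermediate": {"ca-cert.pem": int2PEM, "root-cert.pem": root1PEM},
		"new-root":         {"ca-cert.pem": int3PEM, "root-cert.pem": root2PEM},
		"wrong-chain":      {"ca-cert.pem": int3PEM, "root-cert.pem": root1PEM},
	}
}

func main() {
	current, candidates := BuildSample()
	for name, c := range candidates {
		d, err := Evaluate(current, c)
		fmt.Printf("%-17s decision=%d err=%v\n", name, d, err)
	}
}
```

Running it prints one line per candidate. In a real reconciler, RotateIntermediate maps to writing the cacerts secret and restarting istiod, RootChanged to a condition on the NewCA Status saying the combined-CA flow is required, and a returned error to a failed condition, so a mis-built secret is never installed.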
Future work (if the root CA has changed):
- Create a combined CA secret (old and new CA certificates together) and install it. Wait until it has propagated to the workloads. With the combined certificate, workloads can authenticate mTLS connections whether or not the peer already presents a certificate signed by the new CA key.
- When all workloads have updated their workload certificates, update the CA secret to contain only the new intermediate certificate.
```shell
# Build the container
make docker-build IMG=istio-ca-rotation-controller
# Tag and push it to the registry
docker tag istio-ca-rotation-controller <registry-name>/<tag>
make docker-push IMG=<registry-name>/<tag>
# Deploy it to the cluster
make deploy IMG=<registry-name>/<tag>
```
```shell
# Create certs according to the instructions in the Istio docs.
# The Makefile used below ships with Istio 1.8.0 and later.
cd <istio-dir>
# Generate the root CA
make -f tools/certs/Makefile.selfsigned.mk root-ca
# Generate intermediate certs signed by the root CA
make -f tools/certs/Makefile.selfsigned.mk intermediate1-cacerts
# Generate a second set of intermediate certs signed by the same root CA
make -f tools/certs/Makefile.selfsigned.mk intermediate2-cacerts
# Assuming the cluster already has the intermediate1 certs installed as its plugin CA,
# we now rotate to the intermediate2 certs.
kubectl create secret generic new-secret -n istio-system --from-file=intermediate2/ca-cert.pem --from-file=intermediate2/ca-key.pem --from-file=intermediate2/root-cert.pem --from-file=intermediate2/cert-chain.pem
# Install the NewCA object, which points at the secret created above
kubectl apply -f config/samples/istiocarotation_v1_newca.yaml
```