Provision a certificate to an application through a sidecar (#6554)

* Provision a certificate to an application through a sidecar * Revisions based on the review comments * Move the document location * Revise install command based on the review comments * Make the blog more concise * Explain the use case * Revised based on comments * Revise based on review comments * Revised based on the review comments * Revise based on review comments * Revise based on review comments * Revise based on review comments * Revise based on review comments * Revise based on review comments
2020-03-25 23:44:00 +08:00 · 2020-03-25 23:44:00 +08:00 · 3182bba545
parent 8dffa0c468
commit 3182bba545
1 changed files with 50 additions and 0 deletions
--- a/content/en/blog/2020/proxy-cert/index.md
+++ b/content/en/blog/2020/proxy-cert/index.md
@ -0,0 +1,50 @@
+---
+title: Provision a certificate and key for an application without sidecars
+description: A mechanism to acquire and share an application certificate and key through mounted files.
+publishdate: 2020-03-25
+attribution: Lei Tang (Google)
+keywords: [certificate,sidecar]
+target_release: 1.5
+---
+
+{{< boilerplate experimental-feature-warning >}}
+
+Istio sidecars obtain their certificates using
+the secret discovery service.
+A service in the service mesh may not need (or want) an Envoy sidecar
+to handle its traffic. In this case, the service will need
+to obtain a certificate itself if it wants to connect to other TLS or mutual TLS secured services.
+
+For a service with no need of a sidecar to manage its traffic, a sidecar can nevertheless still be
+deployed only to provision the private key and certificates through
+the CSR flow from the CA and then share the certificate with the service
+through a mounted file in `tmpfs`.
+We have used Prometheus as our example application for provisioning
+a certificate using this mechanism.
+
+In the example application (i.e., Prometheus), a sidecar is added to the
+Prometheus deployment by setting the flag `.Values.prometheus.provisionPrometheusCert`
+to `true` (this flag is set to true by default in an Istio installation).
+This deployed sidecar will then request and share a
+certificate with Prometheus.
+
+The key and certificate provisioned for the example application
+are mounted in the directory `/etc/istio-certs/`.
+We can list the key and certificate provisioned for the application by
+running the following command:
+
+{{< text bash >}}
+$ kubectl exec -it `kubectl get pod -l app=prometheus -n istio-system -o jsonpath='{.items[0].metadata.name}'` -c prometheus -n istio-system -- ls -la /etc/istio-certs/
+{{< /text >}}
+
+The output from the above command should include non-empty key and certificate files, similar to the following:
+
+{{< text plain >}}
+-rwxr-xr-x    1 root     root          2209 Feb 25 13:06 cert-chain.pem
+-rwxr-xr-x    1 root     root          1679 Feb 25 13:06 key.pem
+-rwxr-xr-x    1 root     root          1054 Feb 25 13:06 root-cert.pem
+{{< /text >}}
+
+If you want to use this mechanism to provision a certificate
+for your own application, take a look at our
+[Prometheus example application]({{< github_blob >}}/manifests/istio-telemetry/prometheus/templates/deployment.yaml) and simply follow the same pattern.