Blog for Istio DNS certificate management (#5287)

* Blog for Istio DNS certificate management * Change the wording * Add an explanation for the architecture * Revise the wording * Revisions based on review comments * Fix a typo
2019-11-08 08:41:52 -08:00 · 2019-11-08 08:41:52 -08:00 · 48d1799347
parent b0cdd6f222
commit 48d1799347
2 changed files with 31 additions and 0 deletions
--- a/content/en/blog/2019/dns-cert/architecture.png
+++ b/content/en/blog/2019/dns-cert/architecture.png
--- a/content/en/blog/2019/dns-cert/index.md
+++ b/content/en/blog/2019/dns-cert/index.md
@ -0,0 +1,31 @@
+---
+title: Istio DNS certificate management
+description: Provision and manage DNS certificates in Istio.
+publishdate: 2019-11-08
+attribution: Lei Tang (Google)
+keywords: [security, kubernetes, certificates, DNS]
+target_release: 1.4
+---
+
+By default, Citadel manages the DNS certificates of the Istio control plane.
+Citadel is a large component that maintains its own private signing key, and acts as a Certificate Authority (CA).
+
+New in Istio 1.4, we introduce a feature to securely provision and manage DNS certificates
+signed by the Kubernetes CA, which has the following advantages.
+
+* Lighter weight DNS certificate management with no dependency on Citadel.
+
+* Unlike Citadel, this feature doesn't maintain a private signing key, which enhances security.
+
+* Simplified root certificate distribution to TLS clients.
+Clients no longer need to wait for Citadel to generate and distribute its CA certificate.
+
+The following diagram shows the architecture of provisioning and managing DNS certificates in Istio.
+Chiron is the component provisioning and managing DNS certificates in Istio.
+
+{{< image width="50%"
+    link="./architecture.png"
+    caption="The architecture of provisioning and managing DNS certificates in Istio"
+    >}}
+
+To try this new feature, refer to the [DNS certificate management task](/docs/tasks/security/dns-cert).