Add task on plugging existing key/cert into Istio CA (#695)

* Add task on plugging existing key/cert into Istio CA * Small fixes. * Small fix. * Add verification steps.
2017-11-08 15:34:29 -08:00 · 2017-11-08 15:34:29 -08:00 · 4a2931459f
parent e0d4759e24
commit 4a2931459f
1 changed files with 147 additions and 0 deletions
--- a/_docs/tasks/security/plugin-ca-cert.md
+++ b/_docs/tasks/security/plugin-ca-cert.md
@ -0,0 +1,147 @@
 ---
 title: Plugging in CA certificate and key
 overview: This task shows how operators can plug existing certificate and key into Istio CA.
 order: 40
 layout: docs
 type: markdown
 ---
 {% include home.html %}
 This task shows how operators can plug existing certificate and key into Istio CA.
 By default, the Istio CA generates self-signed CA certificate and key and uses them to sign the workload certificates.
 The Istio CA can also use the operator-specified certificate and key to sign workload certificates.
 This task demonstrates an example to plug certificate and key into the Istio CA.
 ## Before you begin
 * Set up Istio on auth-enabled Kubernetes by following the instructions in the
  [quick start]({{home}}/docs/setup/kubernetes/quick-start.html).
  Note that authentication should be enabled at step 4 in the
  [installation steps]({{home}}/docs/setup/kubernetes/quick-start.html#installation-steps).
 ## Plugging in the existing certificate and key
 Suppose we want to have Istio CA use the existing certificate `ca-cert.pem` and key `ca-key.pem`.
 Furthermore, the certificate `ca-cert.pem` is signed by the root certificate `root-cert.pem`,
 and we would like to use `root-cert.pem` as the root certificate for Istio workloads.
 In this example, because the Istio CA certificate (`ca-cert.pem`) is not set as the workloads' root certificate (`root-cert.pem`),
 the workload cannot validate the workload certificates directly from the root certificate.
 The workload needs a `cert-chain.pem` file to specify the chain of trust,
 which should include the certificates of all the intermediate CAs between the workloads and the root CA.
 In this example, it only contains the Istio CA certificate, so `cert-chain.pem` is the same as `ca-cert.pem`.
 Note that if your `ca-cert.pem` is the same as `root-cert.pem`, you can have an empty `cert-chain.pem` file.
 Download the example files:
 ```bash
 wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/ca-cert.pem
 wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/ca-key.pem
 wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/root-cert.pem
 wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/cert-chain.pem
 ```
 The following steps enable plugging in the certificate and key into the Istio CA:
 1. Create a secret `cacert` including all the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`:
   ```bash
   kubectl create secret generic cacerts -n istio-system --from-file=/tmp/ca-cert.pem --from-file=/tmp/ca-key.pem \
   --from-file=/tmp/root-cert.pem --from-file=/tmp/cert-chain.pem
   ```
 1. Redeploy the Istio CA, which reads the certificates and key from the secret-mount files:
   ```bash
   kubectl apply -f install/kubernetes/istio-ca-plugin-certs.yaml
   ```
 1. To make sure the workloads obtain the new certificates promptly,
   delete the secrets generated by Istio CA (named as istio.\*).
   In this example, `istio.default`. The Istio CA will issue new certificates for the workloads.
   ```bash
   kubectl delete secret istio.default
   ```
 Note that if you are using different certificate/key file or secret names,
 you need to change corresponding arguments in `istio-ca-plugin-certs.yaml`.
 ## Verifying the new certificates
 In this section, we verify that the new workload certificates and root certificates are propagated.
 This requires you have `openssl` installed on your machine.
 1. Deploy the bookinfo application following the [instructions]({{home}}/docs/guides/bookinfo.html).
 1. Retrieve the mounted certificates.
   Get the pods:
   ```bash
   kubectl get pods
   ```
   which produces:
   ```bash
   NAME                                        READY     STATUS    RESTARTS   AGE
   details-v1-1520924117-48z17                 2/2       Running   0          6m
   productpage-v1-560495357-jk1lz              2/2       Running   0          6m
   ratings-v1-734492171-rnr5l                  2/2       Running   0          6m
   reviews-v1-874083890-f0qf0                  2/2       Running   0          6m
   reviews-v2-1343845940-b34q5                 2/2       Running   0          6m
   reviews-v3-1813607990-8ch52                 2/2       Running   0          6m
   ```
   In the following, we take the pod `ratings-v1-734492171-rnr5l` as an example, and verify the mounted certificates.
   Run the following commands to retrieve the certificates mounted on the proxy:
   ```bash
   kubectl exec -it ratings-v1-734492171-rnr5l -c istio-proxy -- /bin/cat /etc/certs/root-cert.pem > /tmp/pod-root-cert.pem
   ```
   The file `/tmp/pod-root-cert.pem` should contain the root certificate specified by the operator.
   ```bash
   kubectl exec -it ratings-v1-734492171-rnr5l -c istio-proxy -- /bin/cat /etc/certs/cert-chain.pem > /tmp/pod-cert-chain.pem
   ```
   The file `/tmp/pod-cert-chain.pem` should contain the workload certificate and the CA certificate.
 1. Verify the root certificate is the same as the one specified by operator:
   ```bash
   openssl x509 -in /tmp/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
   openssl x509 -in /tmp/pod-root-cert.pem -text -noout > /tmp/pod-root-cert.crt.txt
   diff /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt
   ```
 1. Verify that the CA certificate is the same as the one specified by operator:
   ```bash
   tail /tmp/pod-cert-chain.pem -n 22 > /tmp/pod-cert-chain-ca.pem
   openssl x509 -in /tmp/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
   openssl x509 -in /tmp/pod-cert-chain-ca.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt
   diff /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt
   ```
   Expect that the output to be empty.
 1. Verify the certificate chain from the root certificate to the workload certificate:
   ```bash
   head /tmp/pod-cert-chain.pem -n 18 > /tmp/pod-cert-chain-workload.pem
   openssl verify -CAfile <(cat /tmp/ca-cert.pem /tmp/root-cert.pem) /tmp/pod-cert-chain-workload.pem
   ```
   Expect the following output:
   ```bash
   /tmp/pod-cert-chain-workload.pem: OK
   ```
 ## Cleanup
 * To remove the secret `cacerts`:
  ```bash
  kubectl delete secret cacerts -n istio-system
  ```
 * To remove the Istio components:
  ```bash
  kubectl delete -f install/kubernetes/istio-auth.yaml
  ```
 ## Further reading
 * Read the [Istio CA arguments](https://github.com/istio/istio/blob/master/security/cmd/istio_ca/main.go).
 * Read [how the sample certificates and keys are generated](https://github.com/istio/istio/blob/master/security/samples/plugin_ca_certs).