Update docs for pluggin in CA certs (#8099)

The new recommended approach is to generate the certs and to use intermediate certs for each cluster.
Nathan Mittler 2020-09-16 17:39:21 -07:00 committed by GitHub
parent cc1a34f99c
commit b06ce95f96
5 changed files with 526 additions and 41 deletions


@ -62,8 +62,9 @@ cp -a "${ISTIO_OUT}/release/istioctl-linux-amd64" /gobin/istioctl
popd > /dev/null
# Copy install/samples files over from Istio. These are needed by the tests.
rm -rf "${ISTIOIO_GO}/samples" "${ISTIOIO_GO}/tests/integration" "${ISTIOIO_GO}/manifests"
rm -rf "${ISTIOIO_GO}/samples" "${ISTIOIO_GO}/tools" "${ISTIOIO_GO}/tests/integration" "${ISTIOIO_GO}/manifests"
cp -a "${ISTIO_GO}/samples" "${ISTIOIO_GO}/samples"
cp -a "${ISTIO_GO}/tools" "${ISTIOIO_GO}/tools"
mkdir "${ISTIOIO_GO}/tests/integration/"
cp -a "${ISTIO_GO}/tests/integration/iop-integration-test-defaults.yaml" "${ISTIOIO_GO}/tests/integration/"
cp -a "${ISTIO_GO}/manifests" "${ISTIOIO_GO}/manifests"
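Review bot: `cp -a "${ISTIO_GO}/tools" "${ISTIOIO_GO}/tools"` copies the entire tools tree into the istio.io checkout, while the new task only references `tools/certs/Makefile.selfsigned.mk`; unless other tests rely on more of it, narrowing the copy to `tools/certs` keeps the vendored surface small. The matching `rm -rf "${ISTIOIO_GO}/tools"` on the line above also wipes any `tools/` directory that istio.io keeps of its own — whether one exists cannot be told from this page, so please confirm before merging. A narrower form would be `rm -rf "${ISTIOIO_GO}/tools/certs"`, then `mkdir -p "${ISTIOIO_GO}/tools"` and `cp -a "${ISTIO_GO}/tools/certs" "${ISTIOIO_GO}/tools/certs"`.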


@ -0,0 +1,398 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
sodipodi:docname="ca-hierarchy.svg"
inkscape:version="1.0 (4035a4f, 2020-05-01)"
id="svg8"
version="1.1"
viewBox="0 0 297 210"
height="210mm"
width="297mm">
<defs
id="defs2">
<linearGradient
id="linearGradient1863"
inkscape:collect="always">
<stop
id="stop1859"
offset="0"
style="stop-color:#030000;stop-opacity:1;" />
<stop
id="stop1861"
offset="1"
style="stop-color:#030000;stop-opacity:0;" />
</linearGradient>
<rect
id="rect1855"
height="14.967094"
width="226.11002"
y="35.279578"
x="58.264757" />
<rect
id="rect1849"
height="18.708867"
width="63.610148"
y="33.67596"
x="183.88143" />
<marker
inkscape:stockid="Arrow1Lend"
orient="auto"
refY="0.0"
refX="0.0"
id="marker1664"
style="overflow:visible;"
inkscape:isstock="true">
<path
id="path1662"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.8) rotate(180) translate(12.5,0)" />
</marker>
<marker
inkscape:collect="always"
inkscape:isstock="true"
style="overflow:visible;"
id="Arrow1Lend"
refX="0.0"
refY="0.0"
orient="auto"
inkscape:stockid="Arrow1Lend">
<path
transform="scale(0.8) rotate(180) translate(12.5,0)"
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
id="path936" />
</marker>
<marker
inkscape:isstock="true"
style="overflow:visible"
id="marker1211"
refX="0.0"
refY="0.0"
orient="auto"
inkscape:stockid="Arrow1Lstart">
<path
transform="scale(0.8) translate(12.5,0)"
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
id="path1209" />
</marker>
<marker
inkscape:isstock="true"
style="overflow:visible"
id="Arrow1Lstart"
refX="0.0"
refY="0.0"
orient="auto"
inkscape:stockid="Arrow1Lstart">
<path
transform="scale(0.8) translate(12.5,0)"
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
id="path933" />
</marker>
<marker
inkscape:stockid="Arrow1Lend"
orient="auto"
refY="0"
refX="0"
id="Arrow1Lend-5"
style="overflow:visible"
inkscape:isstock="true">
<path
id="path936-6"
d="M 0,0 5,-5 -12.5,0 5,5 Z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="matrix(-0.8,0,0,-0.8,-10,0)" />
</marker>
<marker
inkscape:isstock="true"
style="overflow:visible"
id="marker1664-6"
refX="0"
refY="0"
orient="auto"
inkscape:stockid="Arrow1Lend">
<path
transform="matrix(-0.8,0,0,-0.8,-10,0)"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
d="M 0,0 5,-5 -12.5,0 5,5 Z"
id="path1662-8" />
</marker>
<linearGradient
gradientUnits="userSpaceOnUse"
y2="39.394534"
x2="126.30896"
y1="39.394534"
x1="58.611914"
id="linearGradient1865"
xlink:href="#linearGradient1863"
inkscape:collect="always" />
<rect
x="58.264755"
y="35.279579"
width="226.11002"
height="14.967094"
id="rect1855-0" />
<rect
x="58.264755"
y="35.279579"
width="226.11002"
height="14.967094"
id="rect1892" />
</defs>
<sodipodi:namedview
inkscape:window-maximized="0"
inkscape:window-y="23"
inkscape:window-x="0"
inkscape:window-height="927"
inkscape:window-width="1545"
inkscape:snap-global="true"
showgrid="false"
inkscape:document-rotation="0"
inkscape:current-layer="layer1"
inkscape:document-units="mm"
inkscape:cy="560"
inkscape:cx="670.84099"
inkscape:zoom="0.49497475"
inkscape:pageshadow="2"
inkscape:pageopacity="0.0"
borderopacity="1.0"
bordercolor="#666666"
pagecolor="#ffffff"
id="base" />
<metadata
id="metadata5">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="boxes"
id="layer2"
inkscape:groupmode="layer" />
<g
id="layer1"
inkscape:groupmode="layer"
inkscape:label="Layer 1">
<rect
y="55.795135"
x="14.630894"
height="128.43927"
width="123.63313"
id="rect10"
style="opacity:0.94;fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#000003;stroke-width:0.944222;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<text
id="text837"
y="67.886467"
x="17.105249"
style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
xml:space="preserve"><tspan
style="stroke-width:0.264583"
y="67.886467"
x="17.105249"
id="tspan835"
sodipodi:role="line">Cluster 1</tspan></text>
<g
transform="translate(-2.6458334)"
id="g1247">
<rect
style="opacity:0.94;fill:#ffccaa;fill-opacity:1;stroke:#0f627a;stroke-width:0.977224;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
id="rect868"
width="87.687172"
height="17.662563"
x="29.388262"
y="84.445778" />
<text
id="text837-5"
y="95.881035"
x="34.537598"
style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
xml:space="preserve"><tspan
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Arial;-inkscape-font-specification:Arial;stroke-width:0.264583"
y="95.881035"
x="34.537598"
id="tspan835-7"
sodipodi:role="line">Intermediate CA</tspan></text>
</g>
<rect
style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
id="rect872-7"
width="71.093697"
height="20.312483"
x="35.298088"
y="137.68369" />
<rect
y="145.72864"
x="43.305431"
height="20.312483"
width="71.093697"
id="rect872-7-6"
style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<g
transform="translate(20.176418,35.079059)"
id="g881">
<rect
style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
id="rect872"
width="71.093697"
height="20.312483"
x="31.003265"
y="118.13313" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
x="41.159508"
y="130.96207"
id="text876"><tspan
sodipodi:role="line"
id="tspan874"
x="41.159508"
y="130.96207"
style="stroke-width:0.264583">Workload</tspan></text>
</g>
<path
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path1413"
d="m 70.244001,101.26983 0.267959,33.92308"
style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.870527;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend)" />
<rect
style="opacity:0.94;fill:none;fill-opacity:1;fill-rule:evenodd;stroke:#000003;stroke-width:0.944221;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
id="rect10-0"
width="123.63313"
height="128.43927"
x="150.92998"
y="56.062397" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
x="222.19507"
y="68.153732"
id="text837-6"><tspan
sodipodi:role="line"
id="tspan835-3"
x="222.19507"
y="68.153732"
style="stroke-width:0.264583">Cluster 2</tspan></text>
<g
id="g1247-3"
transform="translate(133.65325,0.26725968)">
<rect
y="84.445778"
x="29.388262"
height="17.662563"
width="87.687172"
id="rect868-1"
style="opacity:0.94;fill:#ffccaa;fill-opacity:1;stroke:#0f627a;stroke-width:0.977224;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
x="34.537598"
y="95.881035"
id="text837-5-1"><tspan
sodipodi:role="line"
id="tspan835-7-5"
x="34.537598"
y="95.881035"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Arial;-inkscape-font-specification:Arial;stroke-width:0.264583">Intermediate CA</tspan></text>
</g>
<rect
y="137.95096"
x="171.59717"
height="20.312483"
width="71.093697"
id="rect872-7-60"
style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<rect
style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
id="rect872-7-6-9"
width="71.093697"
height="20.312483"
x="179.60451"
y="145.99591" />
<g
id="g881-5"
transform="translate(156.4755,35.34632)">
<rect
y="118.13313"
x="31.003265"
height="20.312483"
width="71.093697"
id="rect872-6"
style="opacity:0.94;fill:#7ec8f8;fill-opacity:0.947368;stroke:#0f627a;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
<text
id="text876-2"
y="130.96207"
x="41.159508"
style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
xml:space="preserve"><tspan
style="stroke-width:0.264583"
y="130.96207"
x="41.159508"
id="tspan874-7"
sodipodi:role="line">Workload</tspan></text>
</g>
<path
style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.870527;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend-5)"
d="m 206.54309,101.53709 0.26795,33.92308"
id="path1413-9"
inkscape:connector-type="polyline"
inkscape:connector-curvature="0" />
<g
transform="translate(10.118636,-11.17697)"
id="g1658">
<rect
style="opacity:0.94;fill:#98e797;fill-opacity:1;stroke:#0f627a;stroke-width:0.81753;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
id="rect868-1-5"
width="57.378143"
height="18.891335"
x="104.67843"
y="21.557596" />
<text
id="text837-5-1-3"
y="34.141781"
x="112.5803"
style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
xml:space="preserve"><tspan
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Arial;-inkscape-font-specification:Arial;stroke-width:0.264583"
y="34.141781"
x="112.5803"
id="tspan835-7-5-3"
sodipodi:role="line">Root CA</tspan></text>
</g>
<path
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path1660"
d="M 142.18739,28.865109 71.628232,83.38809"
style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker1664)" />
<path
style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#marker1664-6)"
d="m 142.18739,28.865109 64.67922,53.453905"
id="path1660-6"
inkscape:connector-type="polyline"
inkscape:connector-curvature="0" />
<text
transform="translate(-6.4144687)"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:6.34999999999999964px;font-family:Arial;-inkscape-font-specification:Arial;white-space:pre;shape-inside:url(#rect1855);opacity:0.94;fill:#98e797;fill-opacity:1;stroke:url(#linearGradient1865);stroke-width:0.25;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;"
id="text1853"
xml:space="preserve"><tspan
x="58.265625"
y="40.999087"><tspan
style="font-size:6.35px;fill:none;stroke:#030000;stroke-width:0.25;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">Manually provision certs</tspan></tspan></text>
</g>
</svg>



@ -1,6 +1,6 @@
---
title: Plugging in existing CA Certificates
description: Shows how system administrators can configure Istio's CA with an existing root certificate, signing certificate and key.
title: Plug in CA Certificates
description: Shows how system administrators can configure Istio's CA with a root certificate, signing certificate and key.
weight: 80
keywords: [security,certificates]
aliases:
@ -9,47 +9,98 @@ owner: istio/wg-security-maintainers
test: yes
---
This task shows how administrators can configure the Istio certificate authority with an existing root certificate, signing certificate and key.
This task shows how administrators can configure the Istio certificate authority (CA) with a root certificate,
signing certificate and key.
By default, Istio's CA generates a self-signed root certificate and key, and uses them to sign the workload certificates.
Istio's CA can also sign workload certificates using an administrator-specified certificate and key, and with an
administrator-specified root certificate. This task demonstrates how to plug such certificates and key into Istio's CA.
administrator-specified root certificate.
## Plugging in existing certificates and key
A root CA is used by all workloads within a mesh as the root of trust. Each Istio CA uses an intermediate CA
signing key and certificate, signed by the root CA. When multiple Istio CAs exist within a mesh, this establishes a
hierarchy of trust among the CAs.
Suppose we want to have Istio's CA use an existing signing (CA) certificate `ca-cert.pem` and key `ca-key.pem`.
Furthermore, the certificate `ca-cert.pem` is signed by the root certificate `root-cert.pem`.
We would like to use `root-cert.pem` as the root certificate for Istio workloads.
{{< image width="80%"
link="ca-hierarchy.svg"
caption="CA Hierarchy"
>}}
In the following example,
Istio CA's signing (CA) certificate (`ca-cert.pem`) is different from the root certificate (`root-cert.pem`),
so the workload cannot validate the workload certificates directly from the root certificate.
The workload needs a `cert-chain.pem` file to specify the chain of trust,
which should include the certificates of all the intermediate CAs between the workloads and the root CA.
In our example, it contains Istio CA's signing certificate, so `cert-chain.pem` is the same as `ca-cert.pem`.
Note that if your `ca-cert.pem` is the same as `root-cert.pem`, the `cert-chain.pem` file should be empty.
This task demonstrates how to generate and plug in the certificates and key for Istio's CA. These steps can be repeated
to provision certificates and keys for any number of Istio CAs.
These files are ready to use in the `samples/certs/` directory.
## Plug in certificates and key into the cluster
{{< tip >}}
The default Istio CA installation configures the location of certificates and keys based on the
predefined secret and file names used in the command below (i.e., secret named `cacerts`, root certificate
in a file named `root-cert.pem`, Istio CA's key in `ca-key.pem`, etc.).
You must use these specific secret and file names, or reconfigure Istio's CA when you deploy Istio.
For production cluster setup, it is a good practice to do the following on an offline machine with good
security protection. The root private key should be exposed to as few people and processes as possible.
{{< /tip >}}
The following steps plug in the certificates and key into a Kubernetes secret,
which will be read by Istio's CA:
1. Create a directory for holding certificates and keys:
{{< text bash >}}
$ mkdir -p certs
$ pushd certs
{{< /text >}}
1. Generate the root certificate and key:
{{< text bash >}}
$ make -f ../tools/certs/Makefile.selfsigned.mk root-ca
{{< /text >}}
This will generate the following files:
* `root-cert.pem`: the generated root certificate
* `root-key.pem`: the generated root key
* `root-ca.conf`: the configuration for `openssl` to generate the root certificate
* `root-cert.csr`: the generated CSR for the root certificate
1. Generate an intermediate certificate and key:
{{< text bash >}}
$ make -f ../tools/certs/Makefile.selfsigned.mk cluster1-cacerts
{{< /text >}}
This will generate the following files in a directory named `cluster1`:
* `ca-cert.pem`: the generated intermediate certificates
* `ca-key.pem`: the generated intermediate key
* `cert-chain.pem`: the generated certificate chain which is used by istiod
* `root-cert.pem`: the root certificate
* `intermediate.conf`: the configuration for `openssl` to generate the intermediate certificate
* `cluster-ca.csr`: the generated CSR for the intermediate certificate
{{< tip >}}
You can replace `cluster1` with a string of your choosing. For example, `make mycluster-certs` will
result in the creation of a directory called `mycluster`.
{{< /tip >}}
{{< tip >}}
To configure additional Istio CAs, you can repeat this step with different cluster/directory names.
{{< /tip >}}
If you are doing this on an offline machine, copy the generated directory to a machine with access to the
clusters.
1. Create a secret `cacerts` including all the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`:
{{< text bash >}}
$ kubectl create namespace istio-system
$ kubectl create secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem \
--from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem \
--from-file=samples/certs/cert-chain.pem
$ kubectl create secret generic cacerts -n istio-system \
--from-file=cluster1/ca-cert.pem \
--from-file=cluster1/ca-key.pem \
--from-file=cluster1/root-cert.pem \
--from-file=cluster1/cert-chain.pem
{{< /text >}}
1. Return to the top-level directory of the Istio installation:
{{< text bash >}}
$ popd
{{< /text >}}
## Deploy Istio
1. Deploy Istio using the `demo` profile.
Istio's CA will read certificates and key from the secret-mount files.
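Review bot: The tip `make mycluster-certs` does not match the target the step itself invokes, `make -f ../tools/certs/Makefile.selfsigned.mk cluster1-cacerts`, so a reader following the tip would run a differently named target than the one documented; change it to `make mycluster-cacerts` (whether the Makefile also offers a `-certs` variant cannot be told from this page, and if it does the tip should say what that variant produces). In the file list, `ca-cert.pem: the generated intermediate certificates` should be singular, `the generated intermediate certificate`, since the step generates one. The sentence `copy the generated directory to a machine with access to the clusters` is the only thing keeping `root-key.pem` off the cluster-connected machine; naming the directory explicitly, e.g. `copy only the generated cluster1 directory; root-key.pem stays on the offline machine`, makes that intent unmistakable. The `## Deploy Istio` section this hunk opens continues outside the hunk.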
@ -106,7 +157,7 @@ openssl command is expected.
1. Verify the root certificate is the same as the one specified by the administrator:
{{< text bash >}}
$ openssl x509 -in samples/certs/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
$ openssl x509 -in certs/cluster1/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
$ openssl x509 -in ./proxy-cert-3.pem -text -noout > /tmp/pod-root-cert.crt.txt
$ diff -s /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt
Files /tmp/root-cert.crt.txt and /tmp/pod-root-cert.crt.txt are identical
@ -115,7 +166,7 @@ openssl command is expected.
1. Verify the CA certificate is the same as the one specified by the administrator:
{{< text bash >}}
$ openssl x509 -in samples/certs/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
$ openssl x509 -in certs/cluster1/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
$ openssl x509 -in ./proxy-cert-2.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt
$ diff -s /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt
Files /tmp/ca-cert.crt.txt and /tmp/pod-cert-chain-ca.crt.txt are identical
@ -124,13 +175,19 @@ openssl command is expected.
1. Verify the certificate chain from the root certificate to the workload certificate:
{{< text bash >}}
$ openssl verify -CAfile <(cat samples/certs/ca-cert.pem samples/certs/root-cert.pem) ./proxy-cert-1.pem
$ openssl verify -CAfile <(cat certs/cluster1/ca-cert.pem certs/cluster1/root-cert.pem) ./proxy-cert-1.pem
./proxy-cert-1.pem: OK
{{< /text >}}
## Cleanup
* To remove the secret `cacerts`, and the `foo` and `istio-system` namespaces:
* Remove the certificates, keys, and intermediate files from your local disk:
{{< text bash >}}
$ rm -rf certs
{{< /text >}}
* Remove the secret `cacerts`, and the `foo` and `istio-system` namespaces:
{{< text bash >}}
$ kubectl delete secret cacerts -n istio-system


@ -20,14 +20,33 @@
# docs/tasks/security/cert-management/plugin-ca-cert/index.md
####################################################################################################
snip_plugging_in_existing_certificates_and_key_1() {
kubectl create namespace istio-system
kubectl create secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem \
--from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem \
--from-file=samples/certs/cert-chain.pem
snip_plug_in_certificates_and_key_into_the_cluster_1() {
mkdir -p certs
pushd certs
}
snip_plugging_in_existing_certificates_and_key_2() {
snip_plug_in_certificates_and_key_into_the_cluster_2() {
make -f ../tools/certs/Makefile.selfsigned.mk root-ca
}
snip_plug_in_certificates_and_key_into_the_cluster_3() {
make -f ../tools/certs/Makefile.selfsigned.mk cluster1-cacerts
}
snip_plug_in_certificates_and_key_into_the_cluster_4() {
kubectl create namespace istio-system
kubectl create secret generic cacerts -n istio-system \
--from-file=cluster1/ca-cert.pem \
--from-file=cluster1/ca-key.pem \
--from-file=cluster1/root-cert.pem \
--from-file=cluster1/cert-chain.pem
}
snip_plug_in_certificates_and_key_into_the_cluster_5() {
popd
}
snip_deploy_istio_1() {
istioctl install --set profile=demo
}
@ -59,7 +78,7 @@ awk 'BEGIN {counter=0;} /BEGIN CERT/{counter++} { print > "proxy-cert-" counter
}
snip_verifying_the_certificates_3() {
openssl x509 -in samples/certs/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
openssl x509 -in certs/cluster1/root-cert.pem -text -noout > /tmp/root-cert.crt.txt
openssl x509 -in ./proxy-cert-3.pem -text -noout > /tmp/pod-root-cert.crt.txt
diff -s /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt
}
@ -69,7 +88,7 @@ Files /tmp/root-cert.crt.txt and /tmp/pod-root-cert.crt.txt are identical
ENDSNIP
snip_verifying_the_certificates_4() {
openssl x509 -in samples/certs/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
openssl x509 -in certs/cluster1/ca-cert.pem -text -noout > /tmp/ca-cert.crt.txt
openssl x509 -in ./proxy-cert-2.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt
diff -s /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt
}
@ -79,7 +98,7 @@ Files /tmp/ca-cert.crt.txt and /tmp/pod-cert-chain-ca.crt.txt are identical
ENDSNIP
snip_verifying_the_certificates_5() {
openssl verify -CAfile <(cat samples/certs/ca-cert.pem samples/certs/root-cert.pem) ./proxy-cert-1.pem
openssl verify -CAfile <(cat certs/cluster1/ca-cert.pem certs/cluster1/root-cert.pem) ./proxy-cert-1.pem
}
! read -r -d '' snip_verifying_the_certificates_5_out <<\ENDSNIP
@ -87,6 +106,10 @@ openssl verify -CAfile <(cat samples/certs/ca-cert.pem samples/certs/root-cert.p
ENDSNIP
snip_cleanup_1() {
rm -rf certs
}
snip_cleanup_2() {
kubectl delete secret cacerts -n istio-system
kubectl delete ns foo istio-system
}


@ -21,8 +21,13 @@ set -o pipefail
# @setup profile=none
snip_plugging_in_existing_certificates_and_key_1
echo y | snip_plugging_in_existing_certificates_and_key_2
snip_plug_in_certificates_and_key_into_the_cluster_1
snip_plug_in_certificates_and_key_into_the_cluster_2
snip_plug_in_certificates_and_key_into_the_cluster_3
snip_plug_in_certificates_and_key_into_the_cluster_4
snip_plug_in_certificates_and_key_into_the_cluster_5
echo y | snip_deploy_istio_1
_wait_for_deployment istio-system istiod
# create_ns_foo_with_httpbin_sleep
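Review bot: The working-directory change made by `snip_plug_in_certificates_and_key_into_the_cluster_1` (`pushd certs`) is undone only by `..._5` four calls later; if one of the `make` targets in `_2`/`_3` or the `kubectl` calls in `_4` fails under the script's strict mode (`set -o pipefail` is visible in the hunk header, `set -e` presumably sits above it), the shell is left inside `certs/` and the later `# @cleanup` `rm -rf certs` would look for `certs/certs`, leaving the freshly generated `root-key.pem` on disk. Unless the harness restores the directory itself or already installs its own EXIT trap, consider undoing the change on exit, e.g. `trap 'popd >/dev/null 2>&1 || true' EXIT` placed right after the `_1` call. The snippet functions themselves are defined in the generated snips file, not in this hunk.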
@ -55,3 +60,4 @@ _verify_same snip_verifying_the_certificates_5 "$snip_verifying_the_certificates
# @cleanup
set +e # ignore cleanup errors
snip_cleanup_1
snip_cleanup_2