mirror of https://github.com/istio/istio.io.git
51 lines
2.3 KiB
Markdown
51 lines
2.3 KiB
Markdown
---
|
|
title: Provision a certificate and key for an application without sidecars
|
|
description: A mechanism to acquire and share an application certificate and key through mounted files.
|
|
publishdate: 2020-03-25
|
|
attribution: Lei Tang (Google)
|
|
keywords: [certificate,sidecar]
|
|
target_release: 1.5
|
|
---
|
|
|
|
{{< boilerplate experimental-feature-warning >}}
|
|
|
|
Istio sidecars obtain their certificates using
|
|
the secret discovery service.
|
|
A service in the service mesh may not need (or want) an Envoy sidecar
|
|
to handle its traffic. In this case, the service will need
|
|
to obtain a certificate itself if it wants to connect to other TLS or mutual TLS secured services.
|
|
|
|
For a service with no need of a sidecar to manage its traffic, a sidecar can nevertheless still be
|
|
deployed only to provision the private key and certificates through
|
|
the CSR flow from the CA and then share the certificate with the service
|
|
through a mounted file in `tmpfs`.
|
|
We have used Prometheus as our example application for provisioning
|
|
a certificate using this mechanism.
|
|
|
|
In the example application (i.e., Prometheus), a sidecar is added to the
|
|
Prometheus deployment by setting the flag `.Values.prometheus.provisionPrometheusCert`
|
|
to `true` (this flag is set to true by default in an Istio installation).
|
|
This deployed sidecar will then request and share a
|
|
certificate with Prometheus.
|
|
|
|
The key and certificate provisioned for the example application
|
|
are mounted in the directory `/etc/istio-certs/`.
|
|
We can list the key and certificate provisioned for the application by
|
|
running the following command:
|
|
|
|
{{< text bash >}}
|
|
$ kubectl exec -it `kubectl get pod -l app=prometheus -n istio-system -o jsonpath='{.items[0].metadata.name}'` -c prometheus -n istio-system -- ls -la /etc/istio-certs/
|
|
{{< /text >}}
|
|
|
|
The output from the above command should include non-empty key and certificate files, similar to the following:
|
|
|
|
{{< text plain >}}
|
|
-rwxr-xr-x 1 root root 2209 Feb 25 13:06 cert-chain.pem
|
|
-rwxr-xr-x 1 root root 1679 Feb 25 13:06 key.pem
|
|
-rwxr-xr-x 1 root root 1054 Feb 25 13:06 root-cert.pem
|
|
{{< /text >}}
|
|
|
|
If you want to use this mechanism to provision a certificate
|
|
for your own application, take a look at our
|
|
[Prometheus example application]({{< github_blob >}}/manifests/istio-telemetry/prometheus/templates/deployment.yaml) and simply follow the same pattern.
|