istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v0.4/docs/tasks/security/plugin-ca-cert.html

32 lines
22 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage" style="overflow-y: scroll;"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="title" content="Plugging in CA certificate and key"><meta name="og:title" content="Plugging in CA certificate and key"><meta name="og:image" content="/v0.4/img/logo.png"/><meta name="theme-color" content="#466BB0"/><meta name="description" content="This task shows how operators can plug existing certificate and key into Istio CA."><meta name="og:description" content="This task shows how operators can plug existing certificate and key into Istio CA."><title>Istioldie 0.4 / Plugging in CA certificate and key</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.4/feed.xml"><link rel="shortcut icon" href="/v0.4/favicons/favicon.ico" ><link rel="apple-touch-icon" href="/v0.4/favicons/apple-touch-icon-180x180.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.4/favicons/favicon-16x16.png" sizes="16x16"><link rel="icon" type="image/png" href="/v0.4/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.4/favicons/android-36x36.png" sizes="36x36"><link rel="icon" type="image/png" href="/v0.4/favicons/android-48x48.png" sizes="48x48"><link rel="icon" type="image/png" href="/v0.4/favicons/android-72x72.png" sizes="72x72"><link rel="icon" type="image/png" href="/v0.4/favicons/android-96x196.png" sizes="96x196"><link rel="icon" type="image/png" href="/v0.4/favicons/android-144x144.png" sizes="144x144"><link rel="icon" type="image/png" href="/v0.4/favicons/android-192x192.png" sizes="192x192"><link rel="manifest" href="/v0.4/manifest.json"><meta name="apple-mobile-web-app-title" content="Istio"><meta name="application-name" content="Istio"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><link rel="stylesheet" href="/v0.4/css/all.css"><link rel="stylesheet" href="/v0.4/css/prism.css"></head><body class="language-unknown"> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script><div class="nav-hero-container" style="z-index: 200000;"><nav id="header-nav" class="navbar navbar-inverse" role="navigation" style="z-index: 200000;"><div class="container"><div class="row"><div class="col-md-11 nofloat center-block "><div class="navbar-header"> <button type="button" class="hamburger navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar-collapse-1" aria-expanded="false"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="/v0.4/"><div> <img src="/v0.4/img/istio-logo.svg" alt="Istio Logo" height="54px"/> <span class="brand-name">Istioldie 0.4</span></div></a></div><div class="collapse navbar-collapse" id="navbar-collapse-1"><ul class="nav navbar-nav navbar-right"><li><a href="/v0.4/about" >About</a></li><li><a href="/v0.4/blog/posts/2017/mixer-spof-myth.html" >Blog</a></li><li><a href="/v0.4/docs/welcome" class='current'>Docs</a></li><li><a href="/v0.4/help" >Help</a></li><li><a href="/v0.4/community" >Community</a></li><li class="dropdown"> <a class="dropdown-toggle" data-toggle="dropdown" href=""> <i class='fa fa-lg fa-cog'></i> <span class="caret"></span> </a><ul class="dropdown-menu"><h6 class="dropdown-header">Other versions of this site</h6><li> <a href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li></ul></li><li><form name="cse" id="searchbox_demo" class="navbar-form navbar-right" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> <input type="hidden" name="hl" value="en" /><div class="form-group"><div class="input-group"> <input name="q" class="form-control search-box" type="text" size="30" /><div class="input-group-addon"> <span class="btn-search glyphicon glyphicon-search"></span></div></div></div></form> <script type="text/javascript" src="https://www.google.com/cse/brand?form=searchbox_demo"></script></li></ul></div></div></div></div></nav></div><div class="container"><div class="row"><div class="col-md-11 nofloat center-block" style="margin-top: 3px;"><ul class="col-sm-10 nav nav-tabs"><li role="presentation" ><a href="/v0.4/docs/welcome/">Welcome</a></li><li role="presentation" ><a href="/v0.4/docs/concepts/">Concepts</a></li><li role="presentation" ><a href="/v0.4/docs/setup/">Setup</a></li><li role="presentation" class='active'><a href="/v0.4/docs/tasks/">Tasks</a></li><li role="presentation" ><a href="/v0.4/docs/guides/">Guides</a></li><li role="presentation" ><a href="/v0.4/docs/reference/">Reference</a></li></ul></div></div></div><script src="/v0.4/js/navtree.min.js"></script><div class="container docs"><div class="row"><div class="col-md-11 nofloat center-block"><div class="row"><div id="sidebar-container" class="col-sm-3"><ul class="sidebar"><li><h5 class='sidebar-title'>Tasks</h5></li><script type="text/javascript"> var docs = []; docs.push({path: [ "index.md", ], url: "/docs/tasks/", title: "Tasks", order: 20, overview: "Tasks show you how to do a single specific targeted activity with the Istio system."}); docs.push({path: [ "policy-enforcement", "index.md", ], url: "/docs/tasks/policy-enforcement/", title: "Policy Enforcement", order: 20, overview: "Describes tasks that demonstrate policy enforcement features."}); docs.push({path: [ "policy-enforcement", "rate-limiting.md", ], url: "/docs/tasks/policy-enforcement/rate-limiting.html", title: "Enabling Rate Limits", order: 10, overview: "This task shows you how to use Istio to dynamically limit the traffic to a service."}); docs.push({path: [ "security", "basic-access-control.md", ], url: "/docs/tasks/security/basic-access-control.html", title: "Setting up Basic Access Control", order: 20, overview: "This task shows how to control access to a service using the Kubernetes labels."}); docs.push({path: [ "security", "index.md", ], url: "/docs/tasks/security/", title: "Security", order: 40, overview: "Describes tasks that help securing the service mesh traffic."}); docs.push({path: [ "security", "mutual-tls.md", ], url: "/docs/tasks/security/mutual-tls.html", title: "Testing Istio mutual TLS authentication", order: 10, overview: "This task shows you how to verify and test Istio's automatic mutual TLS authentication."}); docs.push({path: [ "security", "per-service-mtls.md", ], url: "/docs/tasks/security/per-service-mtls.html", title: "Per-service mutual TLS authentication enablement", order: 40, overview: "This task shows how to change mutual TLS authentication for a single service."}); docs.push({path: [ "security", "plugin-ca-cert.md", ], url: "/docs/tasks/security/plugin-ca-cert.html", title: "Plugging in CA certificate and key", order: 40, overview: "This task shows how operators can plug existing certificate and key into Istio CA."}); docs.push({path: [ "security", "secure-access-control.md", ], url: "/docs/tasks/security/secure-access-control.html", title: "Setting up Secure Access Control", order: 30, overview: "This task shows how to securely control access to a service using service accounts."}); docs.push({path: [ "telemetry", "distributed-tracing.md", ], url: "/docs/tasks/telemetry/distributed-tracing.html", title: "Distributed Tracing", order: 10, overview: "How to configure the proxies to send tracing requests to Zipkin or Jaeger"}); docs.push({path: [ "telemetry", "index.md", ], url: "/docs/tasks/telemetry/", title: "Metrics, Logs, and Traces", order: 30, overview: "Describes tasks that demonstrate how to collect telemetry information from the service mesh."}); docs.push({path: [ "telemetry", "metrics-logs.md", ], url: "/docs/tasks/telemetry/metrics-logs.html", title: "Collecting Metrics and Logs", order: 20, overview: "This task shows you how to configure Istio to collect metrics and logs."}); docs.push({path: [ "telemetry", "querying-metrics.md", ], url: "/docs/tasks/telemetry/querying-metrics.html", title: "Querying Metrics from Prometheus", order: 30, overview: "This task shows you how to query for Istio Metrics using Prometheus."}); docs.push({path: [ "telemetry", "servicegraph.md", ], url: "/docs/tasks/telemetry/servicegraph.html", title: "Generating a Service Graph", order: 50, overview: "This task shows you how to generate a graph of services within an Istio mesh."}); docs.push({path: [ "telemetry", "tcp-metrics.md", ], url: "/docs/tasks/telemetry/tcp-metrics.html", title: "Collecting Metrics for TCP services", order: 25, overview: "This task shows you how to configure Istio to collect metrics for TCP services."}); docs.push({path: [ "telemetry", "using-istio-dashboard.md", ], url: "/docs/tasks/telemetry/using-istio-dashboard.html", title: "Visualizing Metrics with Grafana", order: 40, overview: "This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic."}); docs.push({path: [ "traffic-management", "egress.md", ], url: "/docs/tasks/traffic-management/egress.html", title: "Control Egress Traffic", order: 40, overview: "Describes how to configure Istio to route traffic from services in the mesh to external services."}); docs.push({path: [ "traffic-management", "fault-injection.md", ], url: "/docs/tasks/traffic-management/fault-injection.html", title: "Fault Injection", order: 20, overview: "This task shows how to inject delays and test the resiliency of your application."}); docs.push({path: [ "traffic-management", "index.md", ], url: "/docs/tasks/traffic-management/", title: "Traffic Management", order: 10, overview: "Describes tasks that demonstrate traffic routing features of Istio service mesh."}); docs.push({path: [ "traffic-management", "ingress.md", ], url: "/docs/tasks/traffic-management/ingress.html", title: "Istio Ingress Controller", order: 30, overview: "Describes how to configure the Istio ingress controller on Kubernetes."}); docs.push({path: [ "traffic-management", "request-routing.md", ], url: "/docs/tasks/traffic-management/request-routing.html", title: "Configuring Request Routing", order: 10, overview: "This task shows you how to configure dynamic request routing based on weights and HTTP headers."}); docs.push({path: [ "traffic-management", "request-timeouts.md", ], url: "/docs/tasks/traffic-management/request-timeouts.html", title: "Setting Request Timeouts", order: 28, overview: "This task shows you how to setup request timeouts in Envoy using Istio."}); docs.push({path: [ "traffic-management", "traffic-shifting.md", ], url: "/docs/tasks/traffic-management/traffic-shifting.html", title: "Traffic Shifting", order: 25, overview: "This task shows you how to migrate traffic from an old to new version of a service."}); genSideBarTree(docs) </script></ul></div><div id="tab-container" class="col-xs-1 tab-neg-margin pull-left"> <a id="sidebar-tab" class="glyphicon glyphicon-chevron-left" href="javascript:void 0;"> </a></div><div id="content-container" class="thin-left-border col-sm-9 markdown"><div id="toc" class="toc"></div><div id="doc-content"><h1>Plugging in CA certificate and key</h1><p>This task shows how operators can plug existing certificate and key into Istio CA.</p><p>By default, the Istio CA generates self-signed CA certificate and key and uses them to sign the workload certificates. The Istio CA can also use the operator-specified certificate and key to sign workload certificates. This task demonstrates an example to plug certificate and key into the Istio CA.</p><h2 id="before-you-begin">Before you begin</h2><ul><li>Set up Istio on auth-enabled Kubernetes by following the instructions in the <a href="/v0.4/docs/setup/kubernetes/quick-start.html">quick start</a>. Note that authentication should be enabled at step 4 in the <a href="/v0.4/docs/setup/kubernetes/quick-start.html#installation-steps">installation steps</a>.</li></ul><h2 id="plugging-in-the-existing-certificate-and-key">Plugging in the existing certificate and key</h2><p>Suppose we want to have Istio CA use the existing certificate <code>ca-cert.pem</code> and key <code>ca-key.pem</code>. Furthermore, the certificate <code>ca-cert.pem</code> is signed by the root certificate <code>root-cert.pem</code>, and we would like to use <code>root-cert.pem</code> as the root certificate for Istio workloads.</p><p>In this example, because the Istio CA certificate (<code>ca-cert.pem</code>) is not set as the workloads root certificate (<code>root-cert.pem</code>), the workload cannot validate the workload certificates directly from the root certificate. The workload needs a <code>cert-chain.pem</code> file to specify the chain of trust, which should include the certificates of all the intermediate CAs between the workloads and the root CA. In this example, it only contains the Istio CA certificate, so <code>cert-chain.pem</code> is the same as <code>ca-cert.pem</code>. Note that if your <code>ca-cert.pem</code> is the same as <code>root-cert.pem</code>, you can have an empty <code>cert-chain.pem</code> file.</p><p>Download the example files:</p><pre><code class="language-bash">wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/ca-cert.pem
wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/ca-key.pem
wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/root-cert.pem
wget -P /tmp https://raw.githubusercontent.com/istio/istio/master/security/samples/plugin_ca_certs/cert-chain.pem
</code></pre><p>The following steps enable plugging in the certificate and key into the Istio CA:</p><ol><li>Create a secret <code>cacert</code> including all the input files <code>ca-cert.pem</code>, <code>ca-key.pem</code>, <code>root-cert.pem</code> and <code>cert-chain.pem</code>:<pre><code class="language-bash">kubectl create secret generic cacerts -n istio-system --from-file=/tmp/ca-cert.pem --from-file=/tmp/ca-key.pem \
--from-file=/tmp/root-cert.pem --from-file=/tmp/cert-chain.pem
</code></pre></li><li>Redeploy the Istio CA, which reads the certificates and key from the secret-mount files:<pre><code class="language-bash">kubectl apply -f install/kubernetes/istio-ca-plugin-certs.yaml
</code></pre></li><li>To make sure the workloads obtain the new certificates promptly, delete the secrets generated by Istio CA (named as istio.*). In this example, <code>istio.default</code>. The Istio CA will issue new certificates for the workloads.<pre><code class="language-bash">kubectl delete secret istio.default
</code></pre><p>Note that if you are using different certificate/key file or secret names, you need to change corresponding arguments in <code>istio-ca-plugin-certs.yaml</code>.</p></li></ol><h2 id="verifying-the-new-certificates">Verifying the new certificates</h2><p>In this section, we verify that the new workload certificates and root certificates are propagated. This requires you have <code>openssl</code> installed on your machine.</p><ol><li><p>Deploy the bookinfo application following the <a href="/v0.4/docs/guides/bookinfo.html">instructions</a>.</p></li><li><p>Retrieve the mounted certificates.</p><p>Get the pods:</p><pre><code class="language-bash">kubectl get pods
</code></pre><p>which produces:</p><pre><code class="language-bash">NAME READY STATUS RESTARTS AGE
details-v1-1520924117-48z17 2/2 Running 0 6m
productpage-v1-560495357-jk1lz 2/2 Running 0 6m
ratings-v1-734492171-rnr5l 2/2 Running 0 6m
reviews-v1-874083890-f0qf0 2/2 Running 0 6m
reviews-v2-1343845940-b34q5 2/2 Running 0 6m
reviews-v3-1813607990-8ch52 2/2 Running 0 6m
</code></pre><p>In the following, we take the pod <code>ratings-v1-734492171-rnr5l</code> as an example, and verify the mounted certificates. Run the following commands to retrieve the certificates mounted on the proxy:</p><pre><code class="language-bash">kubectl exec -it ratings-v1-734492171-rnr5l -c istio-proxy -- /bin/cat /etc/certs/root-cert.pem &gt; /tmp/pod-root-cert.pem
</code></pre><p>The file <code>/tmp/pod-root-cert.pem</code> should contain the root certificate specified by the operator.</p><pre><code class="language-bash">kubectl exec -it ratings-v1-734492171-rnr5l -c istio-proxy -- /bin/cat /etc/certs/cert-chain.pem &gt; /tmp/pod-cert-chain.pem
</code></pre><p>The file <code>/tmp/pod-cert-chain.pem</code> should contain the workload certificate and the CA certificate.</p></li><li>Verify the root certificate is the same as the one specified by operator:<pre><code class="language-bash">openssl x509 -in /tmp/root-cert.pem -text -noout &gt; /tmp/root-cert.crt.txt
openssl x509 -in /tmp/pod-root-cert.pem -text -noout &gt; /tmp/pod-root-cert.crt.txt
diff /tmp/root-cert.crt.txt /tmp/pod-root-cert.crt.txt
</code></pre></li><li>Verify that the CA certificate is the same as the one specified by operator:<pre><code class="language-bash">tail /tmp/pod-cert-chain.pem -n 22 &gt; /tmp/pod-cert-chain-ca.pem
openssl x509 -in /tmp/ca-cert.pem -text -noout &gt; /tmp/ca-cert.crt.txt
openssl x509 -in /tmp/pod-cert-chain-ca.pem -text -noout &gt; /tmp/pod-cert-chain-ca.crt.txt
diff /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt
</code></pre><p>Expect that the output to be empty.</p></li><li>Verify the certificate chain from the root certificate to the workload certificate:<pre><code class="language-bash">head /tmp/pod-cert-chain.pem -n 18 &gt; /tmp/pod-cert-chain-workload.pem
openssl verify -CAfile &lt;(cat /tmp/ca-cert.pem /tmp/root-cert.pem) /tmp/pod-cert-chain-workload.pem
</code></pre><p>Expect the following output:</p><pre><code class="language-bash">/tmp/pod-cert-chain-workload.pem: OK
</code></pre></li></ol><h2 id="cleanup">Cleanup</h2><ul><li><p>To remove the secret <code>cacerts</code>:</p><pre><code class="language-bash">kubectl delete secret cacerts -n istio-system
</code></pre></li><li><p>To remove the Istio components:</p><pre><code class="language-bash">kubectl delete -f install/kubernetes/istio-auth.yaml
</code></pre></li></ul><h2 id="further-reading">Further reading</h2><ul><li>Read the <a href="https://github.com/istio/istio/blob/master/security/cmd/istio_ca/main.go">Istio CA arguments</a>.</li><li>Read <a href="https://github.com/istio/istio/blob/master/security/samples/plugin_ca_certs">how the sample certificates and keys are generated</a>.</li></ul></div></div></div></div></div></div><script src="/v0.4/js/sidebar.min.js"></script><footer><div class="container"><div class="row"><div class="col-lg-2 col-md-2 col-sm-2"></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li><a class="header" href="/v0.4/docs/welcome">Docs</a></li><li><a href="/v0.4/docs/concepts">Concepts</a></li><li><a href="/v0.4/docs/setup">Setup</a></li><li><a href="/v0.4/docs/tasks">Tasks</a></li><li><a href="/v0.4/docs/guides">Guides</a></li><li><a href="/v0.4/docs/reference">Reference</a></li></ul></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li><a class="header" href="/v0.4/help">Help</a></li><li><a href="/v0.4/faq">FAQ</a></li><li><a href="/v0.4/glossary">Glossary</a></li><li><a href="/v0.4/troubleshooting">Troubleshooting</a></li><li><a href="/v0.4/bugs">Report Bugs</a></li><li><a href="https://github.com/istio/istio.github.io/issues/new?title=Issue with _docs/tasks/security/plugin-ca-cert.md">Doc Bugs & Gaps</a></li><li><a href="https://github.com/istio/istio.github.io/edit/master/_docs/tasks/security/plugin-ca-cert.md">Edit This Page</a></li></ul></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li> <a class="header" href="/v0.4/community">Community</a></li><li> <a href="https://groups.google.com/forum/#!forum/istio-users" target="_blank" rel="noopener">User</a> | <a href="https://groups.google.com/forum/#!forum/istio-dev" target="_blank" rel="noopener">Dev Mailing Lists</a></li><li><a href="https://twitter.com/IstioMesh" target="_blank" rel="noopener">Twitter</a></li><li><a href="https://stackoverflow.com/questions/tagged/istio" target="_blank" rel="noopener">Stack Overflow</a></li><li><a href="https://github.com/istio/community" target="_blank" rel="noopener">GitHub</a></li><li><a href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md" target="_blank" rel="noopener">Working Groups</a></li></ul></div><div class="col-lg-1 col-md-1 col-sm-1"></div></div><div class="row"><p class="description small text-center"> Istio 0.4, Copyright &copy; 2017 Istio Authors<br> Archived on 20-Dec-2017</p></div></div></footer><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.15.0/jquery.validate.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery.form/4.2.1/jquery.form.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-visible/1.2.0/jquery.visible.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.6.0/slick.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> <script src="/v0.4/js/common.min.js"></script> <script src="/v0.4/js/search.js"></script> <script src="/v0.4/js/prism.min.js"></script></body></html>
Reference in New Issue View Git Blame Copy Permalink