When it comes to managing certificates, service meshes typically ship with a limited number of Certificate Authority (CA) choices, those being either self-signed, perhaps Vault, and sometimes an integration with a cloud provider solution. This imposes limitations on how and where your certificates get signed. These limitations can be problematic for larger enterprises where there are requirements for using particular CAs, auditing and visibility of these signed certificates, as well as the headaches that come with changing the Certificate Authority already used in production. We've gone deeper into Istio OIDC Authentication here.

Why use cert-manager?

Cert-manager is commonly used to secure ingresses, in conjunction with an Ingress controller (NGINX, for example) and a public CA such as Let's Encrypt. You can use cert-manager with Istio today to secure ingress using the Istio Gateway (guide), but up until now it has not been straightforward to use for issuance and renewal of workload certificates.

Cert-manager was always built to be CA-agnostic and to enable integration with both public and private CAs. The project and wider ecosystem have a wide choice of public and private CA providers available for certificate signing. There are internal issuers core to the project, including HashiCorp Vault, and a fast-growing set of External Issuers that should cover many bases, including cloud provider PKI services. It's also simple enough to build on cert-manager and develop your own external issuer if you have a more bespoke requirement.

A further benefit of using cert-manager is its centralised API and consistent interface. This means that swapping out an issuer, say to use a different CA provider, is fairly trivial. This operation only requires a change to the Issuer configuration and the issuer that the mesh is configured to use – the rest is all handled by cert-manager.

By using cert-manager as the single tool for managing certificates in the cluster, operators are able to have complete visibility of the machine identities with a single pane of glass, for auditing, policy and observability purposes (and if that sounds useful, check out our Jetstack Secure service – it's free to get started).

Machine identity lifecycle in an Istio service mesh
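As an added illustration of the issuer swap discussed under "Why use cert-manager?" (example configuration written for this page, not taken from the original post or from the cert-manager project; all resource names, the namespace, the Vault address, PKI path and role are assumed): a workload certificate references its CA only through issuerRef, so moving from an in-cluster CA to Vault means changing that reference, while the identity, lifetime and rotation settings stay where they are.

```yaml
# Added example, not from the original post; names, Vault address and path are assumed.
# Issuer A: an in-cluster CA (for a ClusterIssuer the key pair secret lives in the cert-manager namespace).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: istio-ca
spec:
  ca:
    secretName: istio-ca-keypair
---
# Issuer B: HashiCorp Vault PKI via Kubernetes service account auth.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    server: https://vault.example.com:8200      # assumed
    path: pki_int/sign/istio-workloads           # assumed signing role path
    auth:
      kubernetes:
        role: istio-workloads                    # assumed Vault role
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: vault-issuer-token
          key: token
---
# Workload identity for the httpbin service account as a SPIFFE URI SAN (Istio's form).
# Short lifetime, early renewal and key rotation keep the lifecycle in cert-manager's hands.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: httpbin-workload
  namespace: default
spec:
  secretName: httpbin-workload-tls
  duration: 24h
  renewBefore: 8h
  privateKey:
    rotationPolicy: Always      # fresh key on every renewal
  usages:
    - digital signature
    - server auth
    - client auth
  uris:
    - spiffe://cluster.local/ns/default/sa/httpbin
  issuerRef:
    name: istio-ca              # change to vault-issuer to swap the CA; nothing else changes
    kind: ClusterIssuer
    group: cert-manager.io
```

Because every issued certificate is a cert-manager resource regardless of which issuer signed it, the same audit and observability view covers both CAs before, during and after the swap.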