Bring your own Istio CAs with AWS
For more information about Istio certificates, see the Istio CA overview.
About this approach
AWS Private CA is a managed CA that you can use to your secure apps and devices with private TLS certificates. In this setup, you use the AWS Private CA to generate and store your root CA and subordinate CAs that you use to generate Istio intermediate CAs for your workload clusters. To manage the lifecycle of Istio intermediate CA certificates, you also install cert-manager. Cert-manager is a Kubernetes controller that helps you automate the process of obtaining and renewing certificates from various PKI providers, such as AWS Private CA, Gloo Cloud CA, or Vault.
With this approach, you get the following benefits:
- Secure storage of root CA certificates and keys.
- AWS subordinate CAs that serve as an additional security layer for your root CA.
- Automatic Istio intermediate CA certificates and renewals with cert-manager to make sure they are derived from the same root, which enables workload communication across clusters.
- The possibility to reuse this architecture for other certificates, such as the Gloo relay certificates.
The following image shows the components that you set up as part of this approach and how they work together to obtain Istio intermediate CA certificates.
- You use the managed AWS Private Certificate Authority to create the root CA certificate and private key.
- The private root CA key is then used to create a certificate and private key for the AWS subordinate CA.
- To generate an Istio intermediate CA certificate, you create a Certificate custom resource in the workload cluster. The Certificate is a cert-manager resource and includes all the details about the intermediate CA certificate that you want to create, such as the expiration date or the algorithm you want to use for the private key. The Certificate resource uses the AWS Private CA issuer custom resource to connect to the cert-manager and the AWS Private CA issuer plug-in in the
- Cert-manager uses the AWS Private CA issuer plug-in to send a certificate signing request to the AWS Private CA.
- The plug-in uses a service account and AWS IAM role to authenticate with the AWS Private CA.
- Once authenticated, the certificate signing request is forwarded to the AWS subordinate CA.
- The AWS subordinate verifies the request, and signs and issues an Istio intermediate CA certificate. The certificate is returned to the AWS Private CA issuer plug-in and cert-manager instance in the workload cluster.
- Cert-manager stores the private key and intermediate certificate in the
cacertsKubernetes secret in the
- Workloads in the service mesh send a certificate signing request to the Istio control plane istiod to receive a leaf certificate.
- Istiod verifies the request, and uses the private intermediate CA key from the
cacertsKubernetes secret to sign and issue a leaf certificate.
- The leaf certificate is returned to the workload.
- The sidecar proxies of each workload use the leaf certificate to securely communicate with other workloads in the service mesh by using mutual TLS (mTLS).
Check out this blog for more information about how to set up AWS Private CA issuer and cert-manager for your Istio intermediate CA certificates.