Table of Contents
IssuedCertificates are used to issue SSL certificates to remote Kubernetes clusters from a central (out-of-cluster) Certificate Authority.
When an IssuedCertificate is created, a certificate is issued to a remote cluster by a central Certificate Authority via the following workflow:
1. The Certificate Issuer creates the IssuedCertificate resource on the remote cluster 2. The Certificate Signature Requesting Agent installed to the remote cluster generates a Certificate Signing Request and writes it to the status of the IssuedCertificate 3. Finally, the Certificate Issuer generates signed a certificate for the CSR and writes it back as Kubernetes Secret in the remote cluster.
Trust can therefore be established across clusters without requiring private keys to ever leave the node.
|hosts||string||repeated||A list of hostnames and IPs to generate a certificate for. This can also be set to the identity running the workload, e.g. a Kubernetes service account.
Generally for an Istio CA this will take the form
"cluster.local” may be replaced by the root of trust domain for the mesh.
|org||string||DEPRECATED: in favor of
|signingCertificateSecret||core.skv2.solo.io.ObjectRef||DEPRECATED: in favor of
|issuedCertificateSecret||core.skv2.solo.io.ObjectRef||The secret containing the SSL certificate to be generated for this IssuedCertificate (located in the Gloo Mesh agent's cluster). If nil, the sidecar agent stores the signing certificate in memory. (Enterprise only)|
|podBounceDirective||core.skv2.solo.io.ObjectRef||A reference to a PodBounceDirective specifying a list of Kubernetes pods to bounce (delete and cause a restart) when the certificate is issued.
Istio-controlled pods require restarting in order for Envoy proxies to pick up the newly issued certificate due to this issue.
This will include the control plane pods as well as any Pods which share a data plane with the target mesh.
|certOptions||certificates.mesh.gloo.solo.io.CommonCertOptions||Set of options to configure the intermediate certificate being generated|
|glooMeshCa||certificates.mesh.gloo.solo.io.RootCertificateAuthority||Gloo Mesh CA options|
|agentCa||certificates.mesh.gloo.solo.io.IntermediateCertificateAuthority||Agent CA options|
|rotationState||certificates.mesh.gloo.solo.io.CertificateRotationState||The current state of rotation, this value signals to the cert issuer how to construct the intermediary certs which the data-plane clusters receive|
The IssuedCertificate status is written by the CertificateRequesting agent.
|observedGeneration||int64||The most recent generation observed in the the IssuedCertificate metadata. If the
|error||string||Any error observed which prevented the CertificateRequest from being processed. If the error is empty, the request has been processed successfully.|
|state||certificates.mesh.gloo.solo.io.IssuedCertificateStatus.State||The current state of the IssuedCertificate workflow, reported by the agent.|
|appliedGlooMeshCa||certificates.mesh.gloo.solo.io.RootCertificateAuthority||Gloo Mesh CA options|
|appliedAgentCa||certificates.mesh.gloo.solo.io.IntermediateCertificateAuthority||Agent CA options|
|observedRotationState||certificates.mesh.gloo.solo.io.CertificateRotationState||The rotation state as recorded by the issued cert agent. This is read by the networking reconciler to ensure it is looking at the correct iteration of the object.|
Set of options which represent the certificate authorities the management cluster can use to sign the intermediate certs.
Possible states in which an IssuedCertificate can exist.
|PENDING||0||The IssuedCertificate has yet to be picked up by the agent.|
|REQUESTED||1||The agent has created a local private key and a CertificateRequest for the IssuedCertificate. In this state, the agent is waiting for the Issuer to issue certificates for the CertificateRequest before proceeding.|
|ISSUED||2||The certificate has been issued. Any pods that require restarting will be restarted at this point.|
|FINISHED||3||The reply from the Issuer has been processed and the agent has placed the final certificate secret in the target location specified by the IssuedCertificate.|
|FAILED||4||Processing the certificate workflow failed.|