Table of Contents
IssuedCertificates are used to issue SSL certificates to remote Kubernetes clusters from a central (out-of-cluster) Certificate Authority.
When an IssuedCertificate is created, a certificate is issued to a remote cluster by a central Certificate Authority via the following workflow: - The Certificate Issuer creates the IssuedCertificate resource on the remote cluster - The Certificate Signature Requesting Agent installed to the remote cluster generates a Certificate Signing Request and writes it to the status of the IssuedCertificate - Finally, the Certificate Issuer generates signed a certificate for the CSR and writes it back as Secret in the remote cluster.
Shared trust can therefore be established across clusters without requiring private keys to ever leave the node.
|hosts||string||repeated||A list of hostnames and IPs to generate a certificate for. This can also be set to the identity running the workload, e.g. a Kubernetes service account.
Generally for an Istio CA this will take the form
"cluster.local” may be replaced by the root of trust domain for the mesh.
|org||string||The organization for this certificate.|
|signingCertificateSecret||core.skv2.solo.io.ObjectRef||The secret containing the root SSL certificate used to sign this IssuedCertificate (located in the Certificate Issuer's cluster).|
|issuedCertificateSecret||core.skv2.solo.io.ObjectRef||The secret containing the SSL certificate to be generated for this IssuedCertificate (located in the Certificate Agent's cluster).|
|podsToBounce||IssuedCertificateSpec.PodSelector||repeated||A list of k8s pods to bounce (delete and cause a restart) when the certificate is issued. This will include the control plane pods as well as any pods which share a data plane with the target mesh.|
Pods that will be restarted.
|namespace||string||The namespace in which the pods live.|
|labels||IssuedCertificateSpec.PodSelector.LabelsEntry||repeated||Any labels shared by the pods.|
The IssuedCertificate status is written by the CertificateRequesting agent.
|observedGeneration||int64||The most recent generation observed in the the IssuedCertificate metadata. If the observedGeneration does not match generation, the Certificate Requesting Agent has not processed the most recent version of this IssuedCertificate.|
|error||string||Any error observed which prevented the CertificateRequest from being processed. If the error is empty, the request has been processed successfully.|
|state||IssuedCertificateStatus.State||The current state of the IssuedCertificate workflow, reported by the agent.|
Possible states in which an IssuedCertificate can exist.
|PENDING||0||The IssuedCertificate has yet to be picked up by the agent.|
|REQUESTED||1||The agent has created a local private key and a CertificateRequest for the IssuedCertificate. In this state, the agent is waiting for the Issuer to issue certificates for the CertificateRequest before proceeding.|
|ISSUED||2||The certificate has been issued. Any pods that require restarting will be restarted at this point.|
|FINISHED||3||The reply from the Issuer has been processed and the agent has placed the final certificate secret in the target location specified by the IssuedCertificate.|
|FAILED||4||Processing the certificate workflow failed.|