Istio certs ? #256

Open
costinm opened this issue Jun 14, 2024 · 0 comments

costinm commented Jun 14, 2024

What would you like to be added

Few options:

  • expose the Istio CA gRPC interface, using the K8S JWT with istio-ca audience.
  • add an option to change the mount path for certs to the well-known path where istio-agent is looking for certs

Also it would be nice if the certs included the SPIFFE identity (using a trust domain configured at install time), and maybe an option to restrict the DNS names to NAME.NAMESPACE.SUFFIX - where the suffix is specified at install time, namespace is the pod namespace - and name may be the only thing customized by the user (can default to the service account name for example).

Why this is needed

  • Good to have options - Istio does have an integration with CertManager and I know autocert has a signer for cert manager, but more direct integration is providing more choices for users.
  • current mechanism of arbitrary names is fine for users with OPA or strict access, but a more strict naming would work for everyone else.
costinm added the "enhancement" (New feature or request) and "needs triage" (Waiting for discussion / prioritization by team) labels Jun 14, 2024
hslatman assigned dopey and hslatman and unassigned dopey Jun 18, 2024
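
The naming restriction and SPIFFE identity requested above, sketched as an added example (not part of the issue, and not autocert or Istio code). The `Policy` type, its field names and the sample values are hypothetical; the `/ns/NAMESPACE/sa/NAME` path is the layout Istio uses for workload identities, and this sketch limits the service account to a single DNS label.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Policy holds the two install-time settings the issue asks for (hypothetical names).
type Policy struct {
	TrustDomain string // SPIFFE trust domain
	DNSSuffix   string // SUFFIX in NAME.NAMESPACE.SUFFIX
}

// label matches one RFC 1123 DNS label: no dots, no wildcards, no uppercase.
var label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$`)

// CheckDNSName accepts a requested SAN only if it is NAME.NAMESPACE.SUFFIX
// with NAMESPACE equal to the namespace of the requesting pod.
func (p Policy) CheckDNSName(san, podNamespace string) error {
	tail := "." + podNamespace + "." + p.DNSSuffix
	if !label.MatchString(podNamespace) || !strings.HasSuffix(san, tail) {
		return fmt.Errorf("%q is outside %s.%s", san, podNamespace, p.DNSSuffix)
	}
	if name := strings.TrimSuffix(san, tail); !label.MatchString(name) {
		return fmt.Errorf("%q: NAME must be a single DNS label", san)
	}
	return nil
}

// SPIFFEID builds the URI SAN from the pod's namespace and service account.
// Both parts are validated so neither can inject extra path segments.
func (p Policy) SPIFFEID(namespace, serviceAccount string) (string, error) {
	if !label.MatchString(namespace) || !label.MatchString(serviceAccount) {
		return "", fmt.Errorf("invalid namespace or service account")
	}
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", p.TrustDomain, namespace, serviceAccount), nil
}

func main() {
	// Constructed sample values, not taken from any real cluster.
	p := Policy{TrustDomain: "cluster.local", DNSSuffix: "svc.cluster.local"}
	for _, san := range []string{"web.shop.svc.cluster.local",
		"web.other.svc.cluster.local", "a.b.shop.svc.cluster.local", "*.shop.svc.cluster.local"} {
		fmt.Println(san, "->", p.CheckDNSName(san, "shop"))
	}
	fmt.Println(p.SPIFFEID("shop", "web"))
}
```

Only the first sample name passes: the others name a different namespace, a nested subdomain, or a wildcard.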