AKS
CRL support for AKS with Istio-based service mesh add-on and Plug-in CA certificates
Hello Folks,
We have an AKS cluster which is running an Istio-based service mesh add-on with Plug-in CA custom certificates, where Istio acts as an Intermediate CA which is used to sign workload certificates within the mesh. mTLS and workload identity are working as expected using these certificates. The certificates include a CRL distribution point (CDP) URL pointing to a valid CRL endpoint.
We want to enable CRL-based revocation checks. According to the official document from Istio regarding CRL support (https://docs.google.com/document/d/13LNbJnLHe_prlOg7sPr77PjLiIuGj452/edit?tab=t.0), in order for CRL to be enabled, it needs to be created and mapped as a secret.
Question
- Can the AKS Istio add-on support automatically fetching CRLs from CDP URLs, or do we need to manually download and mount the CRLs as secrets?
- If the CRL endpoint is configured, would it cause any problems with the existing AKS deployment? Are there any limitations?
- Does Istio support CRL checks for both downstream and upstream certificates?
@azure/aks-traffic would you be able to assist?
Action required from @aritraghosh, @julia-yin, @AllenWen-at-Azure
Hi @zap-user, Thanks for opening an issue. I would like to better understand your request.
Currently, Istio does not support Certificate Revocation Lists (CRLs) when using either a plugged-in CA or Istio’s self-signed CA. This feature is under development in OSS Istio but is still in the early design phase, with no ETA at this moment. 
That said, the document you linked refers to a different scenario. It discusses providing the caCRL for ingress scenarios, which is already supported. You can find more information here. All the questions you asked are valid but pertain to the first scenario and not the latter.
Which scenario are you interested in?
This issue will now be closed because it hasn't had any activity for 7 days after going stale. @zap-user feel free to comment again in the next 7 days to reopen, or open a new issue after that time if you still have a question, issue or suggestion.