autocert

Istio certs ?

Open costinm opened this issue 2 months ago • 0 comments

What would you like to be added

Few options:

  • expose the Istio CA gRPC interface, using the K8S JWT with istio-ca audience.
  • add an option to change the mount path for certs to the well-known path where istio-agent is looking for certs

Also it would be nice if the certs included the SPIFFE identity (using a trust domain configured at install time), and maybe an option to restrict the DNS names to NAME.NAMESPACE.SUFFIX - where the suffix is specified at install time, namespace is the pod namespace - and name may be the only thing customized by the user (can default to the service account name for example).

Why this is needed

  • Good to have options - Istio does have an integration with CertManager and I know autocert has a signer for cert manager, but more direct integration is providing more choices for users.
  • current mechanism of arbitrary names is fine for users with OPA or strict access, but a more strict naming would work for everyone else.

costinm, Jun 14 '24 21:06
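A sketch of the stricter naming requested above, as an added example that is not code from autocert or Istio: the `Policy` type, the `SANs` method and all sample values are hypothetical, and the SPIFFE path `/ns/<namespace>/sa/<service-account>` is Istio's identity convention, assumed here. It also assumes every component is a single DNS label, which is narrower than what Kubernetes allows for service account names.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Policy holds the install-time settings the issue proposes (hypothetical type).
type Policy struct {
	TrustDomain string // constructed sample: "cluster.local"
	Suffix      string // constructed sample: "svc.cluster.local"
}

// isDNSLabel reports whether s is one lowercase RFC 1123 label, so a
// user-chosen NAME cannot add dots (extra levels) or a wildcard.
func isDNSLabel(s string) bool {
	if len(s) == 0 || len(s) > 63 || s[0] == '-' || s[len(s)-1] == '-' {
		return false
	}
	for _, c := range s {
		if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-') {
			return false
		}
	}
	return true
}

// SANs builds the only DNS name and SPIFFE URI a pod may request. namespace and
// serviceAccount come from the pod; name is user input, default serviceAccount.
func (p Policy) SANs(namespace, serviceAccount, name string) (string, *url.URL, error) {
	if name == "" {
		name = serviceAccount
	}
	for _, l := range []string{name, namespace, serviceAccount} {
		if !isDNSLabel(l) {
			return "", nil, fmt.Errorf("invalid label %q", l)
		}
	}
	dns := strings.Join([]string{name, namespace, p.Suffix}, ".")
	path := "/ns/" + namespace + "/sa/" + serviceAccount
	return dns, &url.URL{Scheme: "spiffe", Host: p.TrustDomain, Path: path}, nil
}

func main() {
	p := Policy{TrustDomain: "cluster.local", Suffix: "svc.cluster.local"}
	dns, id, err := p.SANs("prod", "payments", "")
	fmt.Println(dns, id, err)
}
```

Because the namespace and suffix are never taken from user input, a pod in one namespace cannot obtain a certificate naming a service in another.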