Is it possible to have more than one CA within istio-csr? How do I configure it?
The second question is how can I configure which CA my sidecar will get certificates from, through annotations or some declaration method? I need to configure the CA that each pod will use to communicate from pod to pod.
I'm using the AWS PCA external issuer.
Hey, thanks for raising this (and sorry it took a year to get a response 😭)
We'd been looking into something like this internally at Venafi. There might be some scope for us to work on this. Our motivation is to enable istio-csr to be installed without having a CA configured (since currently the issuing CA has to be passed at container startup). That would enable users to install istio-csr alongside cert-manager without needing to configure a CA first.
One thing we'd considered (but not in depth) was to allow the CA to be configured per-namespace, e.g. with an IstioCSRNamespaceBinding resource. Would that solve the problems here, or is per-pod a requirement?
Kuber and I had spoken on K8s Slack also, around being able to trust two CAs. That's definitely something we should capture too!