It is possible to have several CAs within the same cluster. #153
Comments
|
I have a similar question related to having a CA for each mesh that we have in a cluster. The intent is too potential highly isolate some workloads. |
|
have the same question, is it possible to set multiple cluster issuers in istio-csr(using AWS PCA) ? |
|
Hey, thanks for raising this (and sorry it took a year to get a response 😭 ) We'd been looking into something like this internally at Venafi. There might be some scope for us to work on this. Our motivation is to enable istio-csr to be installed without having a CA configured (since currently the issuing CA has to be passed at container startup). That would enable users to install istio-csr alongside cert-manager without needing to configure a CA first. One thing we'd considered (but not in depth) was to allow the CA to be configured per-namespace, e.g. with a Kuber and I had spoken on K8s slack also, around being able to trust two CAs. That's definitely something we should capture too! |
Is it possible to have more than one CA within istio-csr? How do configure it?
The second question is how can I configure which CA my sidecar will get certificates through annotations or some declaration method? I need to configure the CA that each pod will use to communicate from pod to pod.
I'm using aws pca external issuer.
The text was updated successfully, but these errors were encountered: