From YouTube: Using ECC Working Certificates
#IstioCon2021
Presented at IstioCon 2021 by Jacob Delgado.
There are numerous environmental variables that can be used to control the behavior of Istio. Environmental variables in Istio are considered experimental and there are no guarantees they won’t be removed in future versions of Istio.
In this talk, we will explore a few related to certificates used for inter-workload communication within your service mesh:
Some of the pilot-agent environmental variables related to certificates
How to toggle them during installation using istioctl and helm
Before we begin, we should talk about various use cases and why this feature was initially developed. There are certain environments where all certificates that are used within the system are required to be ECC certificates. Prior to Istio 1.6, there was no support for this, and as of Istio 1.6 and above there is limited support for this using environmental variables.

This is done so that mTLS communication, as it is done inside Kubernetes sidecar communication, can use ECC certificates. It is worthy to know, though, that until about a month ago, in order to use this capability, you had to plug in a custom CA certificate that also used ECC cryptography, using ECDSA P-256, in order to utilize this feature. As of Istio 1.7.7 and higher, 1.8.2 and higher, and 1.9.0 and higher, that restriction is no longer in place and the bug was fixed.

So let me also start out with a disclaimer: environmental variables and their use are considered experimental within the Istio community. There's no guarantee that they will not be deprecated in a future release; use at your own discretion.

Now, while I will be talking about ECC cryptography, or ECC workload certificates, in this talk, I will also talk about the migration path that I am currently working on and will propose for future versions. So, in order to enable this feature, users must set the ECC signature algorithm environmental variable on sidecar injection to ECDSA for use by pilot-agent.

For Helm, things are a bit different. It is standard operating procedure using Helm that you do not modify the existing chart, but you create a values overrides file, and in this values overrides file you will again add the mesh config default config proxy metadata and the key-value pair of ECC signature algorithm: ECDSA to it. Then, when you install or upgrade, you will append the --values flag and pass in the values overrides file that is specified on the screen.

So once you have deployed Istio and have set this environmental variable, it is a good practice to make sure that you inspect your workload certificates and that you've enabled this functionality correctly. istioctl provides various subcommands that allow you to inspect the certificate that is being served over SDS with proxy-config secret, and then you specify the pod and the pod name, output it to JSON, and then, using some commonly available tools like jq and base64 and openssl, you can.

So, given that this is an environmental variable, and I disclosed earlier that environmental variables are considered experimental, there is an initiative for Istio 1.10, which will be released roughly in two and a half months or so from now, to have this feature be included in mesh config as an alpha feature.

So this will also allow us to have a migration path where, for at least Istio 1.10 and probably 1.11, this environmental variable will be supported, after which we will probably announce the deprecation of this environmental variable. So hopefully this will give you enough time to adopt the preferred method, which is using the Istio API instead of environmental variables.

So it's also noteworthy that there are other environmental variables that you can change and modify around certificates and a few other features.

I've included a link to the istio.io website where I list that information. Again, though, I want to give you kind of a word of caution: while there may be limited documentation on some of these environmental variables, support for it is very limited and it is considered experimental.

So please look for other ways to enable capability, whether it's through the operator API or Helm values, to see if there are ways that you can enable this functionality in a way that is supported by the community. And with that, I would like to give my thanks to the Istio community for their time. Feel free to reach me on Slack.
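The verification step the talk describes (pull the workload secret with `istioctl proxy-config secret <pod> -o json`, decode the chain, inspect it with openssl) can be scripted as a check, and the one thing worth looking at is the leaf key type, since after the fix mentioned above the CA itself no longer has to be ECC. The following Go program is an added example, not code from the talk or from Istio: it assumes the JSON shape istioctl emits (`dynamicActiveSecrets[].secret.tlsCertificate.certificateChain.inlineBytes`, PEM chain base64-encoded) and generates a constructed self-signed certificate in place of a real pod.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"math/big"
	"time"
)

// WorkloadKeyIsECDSAP256 parses `istioctl proxy-config secret <pod> -o json` output and reports whether
// the "default" workload secret's leaf certificate carries an ECDSA P-256 key (ECC_SIGNATURE_ALGORITHM=ECDSA
// in effect). The chain's signature algorithm is ignored on purpose: after the 1.7.7/1.8.2/1.9.0 fix the CA
// may still be RSA, so only the leaf key type tells you whether ECC mode reached pilot-agent.
func WorkloadKeyIsECDSAP256(istioctlJSON []byte) bool {
	var out struct { // encoding/json matches field names case-insensitively, so no tags are needed
		DynamicActiveSecrets []struct {
			Name   string
			Secret struct{ TLSCertificate struct{ CertificateChain struct{ InlineBytes string } } }
		}
	}
	_ = json.Unmarshal(istioctlJSON, &out) // malformed input leaves out empty and falls through to false
	for _, s := range out.DynamicActiveSecrets {
		if s.Name != "default" { // "ROOTCA" is listed too; only the workload secret matters here
			continue
		}
		raw, _ := base64.StdEncoding.DecodeString(s.Secret.TLSCertificate.CertificateChain.InlineBytes)
		if block, _ := pem.Decode(raw); block != nil { // the first PEM block is the workload (leaf) cert
			if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
				pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
				return ok && pub.Curve == elliptic.P256()
			}
		}
	}
	return false
}

// SampleOutput wraps a throwaway self-signed cert in constructed istioctl-style JSON so the check runs without a cluster.
func SampleOutput(curve elliptic.Curve) []byte {
	key, _ := ecdsa.GenerateKey(curve, rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	chain := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return []byte(`{"dynamicActiveSecrets":[{"name":"default","secret":{"tlsCertificate":{"certificateChain":{"inlineBytes":"` + base64.StdEncoding.EncodeToString(chain) + `"}}}}]}`)
}
```

Against a real cluster, feed the bytes of `istioctl proxy-config secret <pod> -o json` to WorkloadKeyIsECDSAP256 instead of SampleOutput; a false result after setting the variable means the injected proxy did not pick it up.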