Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Istio / IstioCon 2021 / 10 Mar 2021
Istio / IstioCon 2021 / 10 Mar 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Using ECC Working Certificates

Description

#IstioCon2021

Presented at IstioCon 2021 by Jacob Delgado.

There are numerous environmental variables that can be used to control the behavior of Istio. Environmental variables in Istio are considered experimental and there are no guarantees they won’t be removed in future versions of Istio.

In this talk, we will explore a few related to certificates used for inter-workload communication within your service mesh:

Some of the pilot-agent environmental variables related to certificates
How to toggle them during installation using istioctl and helm

A

Hello, my name is jacob delgado and I'm from aspen mesh. In today's lightning talk, we will be discussing using ecc workload certificates using pilot agent environmental variables.

A

Before we begin, we should talk about various use cases and why this feature was initially developed. So there are, there are certain environments where all certificates that are used within the system require ecc certificates prior to staying 1.6. There was no support for this, and, as of istio 1.6 and above there is a limited support for this using environmental variables.

A

um This is done so that mtls communication, as it is done inside curtis side code communication, uh can use ecc certificates. uh It is. It is worthy to know, though, that um until about a month ago, uh in order to use this capability, you had to plug in a custom ca certificate that also used ecc uh cryptography using ecdsaap256 in order to utilize this feature, as of sda1.7.7 and higher 1.8.2 and higher and 1.9 that's zero and higher. That restriction is no longer in place and the bug was fixed.

A

It is also noteworthy that only ecdsa p256 is supported at the current time.

A

So um let me also start out with a disclaimer environmental variables and their use are considered experimental within the istio community, there's no guarantee that they will not be deprecated in a future release use at your own discretion.

A

Now, while I will be talking about ecc, cryptography or ecc workload certificates in this talk, I will also talk about the migration path that I am currently working on and will propose for future versions. So, in order to do this, though, people in order to enable this feature, users must set the ecc signature, algorithm environmental variable, onside, current injection to ecdsa for use by pilot agent.

A

This also has to be done for gateways, even though they do not have a sidecar, but they do have an envoy proxy and a pilot agent executable alongside it as well.

A

To use this feature and install this feature using istioctl, you will either create or modify your existing iop yaml file and you will add the following to it: mesh config default config under that proxy metadata, and then you will add the environmental variable and the value ecc's ecc signature, algorithm ecdsa.

A

You will then use either seoctl install or istioctl manifest generate, and you will pass in via the dash f argument. The iop file that you have modified or created.

A

For helm, things are a bit different. It is a standard operating procedure using helm that you do not modify the existing chart, but you create a value overrides file and in this value overrides file, you will again add the mesh config default, config proxy metadata and the key value pair of ecc signature, algorithm ecdsa to it, and then, when you install or upgrade, you will append the dash dash values flag and pass in the values overrides file that is specified on the screen.

A

Unlike istio ctl, though this has to be done for each chart, so sdod istio ingress is to egress as well as studi remote. If you use that this does not need to be done for the base chart. However,.

A

So once you have deployed istio and have set this environmental variable, it is a good practice to make sure that you uh inspect your workload certificates and that you've enabled this. This functionality correctly seoctl provides various subcommands that allow you to inspect the certificate that is being served over sds um with proxy dash config secret, and then you specify the pod and the pod name: output it to json and then using some commonly available tools like jq and base64 and openssl you can.

A

You can actually inspect the certificate as it is being served over mtls, and in this case, when I ran this, you can see that the certificate that is being served for the workload, the public key algorithm, the public key, the as asn1 oid and the nist curve all match using ecc p256.

A

It is also noteworthy, though, that unless you plug in your own ca custom certificate that is using ecc. If you have sdod generate its own self-signed certificate, it will be using rsa. So there is currently no mechanism to have that. Self-Signed ca certificate in using ecc.

A

So, given that this is an environmental variable and I disclosed earlier that environmental variables are considered experimental, there is an initiative for istio 1.10, which will be released roughly in two and a half months or so from now to have uh this feature be included as mesh config in mesh config as an alpha feature.

A

So uh this will also allow us to have a migration path where, for at least istio 1.10 and probably 1.11, this environmental variable, environmental variable will be supported and then, after which we will announce. um Probably the deprecation of this uh environmental variable and choose this. So hopefully, this will give you enough time to adopt the the preferred method, which is using the istio api instead of environmental variables.

A

So uh it's also noteworthy that there are. There are other environmental variables that you can change and modify um around certificates and a few other features.

A

I've included a link to the sdoio website. Where I list that information. Again, though, I want to give you kind of a word of caution, while while there may be limited documentation in some of these environmental variables, um support for it is very limited and it is considered experimental.

A

So uh please look for other ways to enable capability, whether it's through the operator, api or helm, values to see if, if, if there are ways that you can enable this functionality in a way that is supported by the community, um and with that, uh I would like to give uh my thanks to the seo community for their time uh feel free to reach me on slack.

A

If you have any remaining questions, if not thank you for your.

A

Time.