►
From YouTube: Rotating certificates in Istio
Description
In this live stream, Hoot #47, we'll look at certificates in Istio. We'll talk about how to plugin your own CA certificates, rotate them without downtime, and show how to use cert-manager and istio-csr to issue workload certificates.
A
A
A
What
I'll
do
is
I'll
briefly
explain
what
the
default
installation
does
in
regards
with
the
workload
certificates
and
then
I'll
go
through
the
scenario
of
rotating
the
ca
certificates
without
any
downtime
and
then
at
the
end.
I'll
also
show
you
how
to
use
cert
manager
and
istio
CSR
for
your
ca
and
workload:
certificates,
hey
Marino,
hey
Arco,
nice
I'm,
not
I'm,
not
alone.
So
that's
good.
It's
always
good
to
know
I'm
not
talking
to
an
empty
room.
I!
Guess
all
right
so
before
I
go
into
into
the
that
topic.
A
A
A
So
when
we're
talking
about
so
we
have
the
identity,
we
have
the
workloads,
we
have
the
we
have
the
spiffy
IDs
and
we
have
the
certificates.
Rather
now,
when
we
talk
about
delivering
those
certificates
to
workloads,
there
are
three
components
that
are
involved
here:
dsdod
or
the
control
plane.
Specifically,
the
component
inside
of
the
control
plane
called
Citadel,
the
istio
agent
that
runs
in
it's
a
binary
that
runs
in
the
istio
proxy
and
the
envoy
proxy
itself.
A
So
Citadel
acts
as
a
certificate
Authority
that
signs
and
issues
the
certificates
to
workloads
the
istio
agent,
as
I
mentioned,
it's
a
binary
that
runs
in
the
sidecar
proxy,
and
this
binary
is
responsible
for
requesting
a
certificate
for
that
workload
and
then
making
that
certificate
and
key
available
to
the
envoy
proxy
and
the
way
it
does.
That
is
via
something
that's
called
secret.
Discovery
service,
that's
an
API
in
Envoy.
A
So
if
you
have
your
cluster
and
I'll
show
you
later
in
the
demo
as
soon
as
you
install
istio,
if
you
look
at
the
config
Maps
across
your
namespaces,
you
will
see
that
is
Coca
Roots
art
config
config
map
in
each
one
of
those
namespaces.
So
that
way,
once
that's
in
all
the
namespaces,
when
the
pods
start
up
what
they
do,
is
they
mount
that
config
map
and
then,
when
istio
tries
to
talk
to
sdod
istiod
will
present
its
certificates.
A
A
However,
that's
like
using
anything
self-signed
is
not
good
right.
So
what
we
can
do
is
we
can
modify
that
and
instead
of
having
istio
using
the
self-signed
ca,
we
can
provide
our
own
CA.
We
want
sto
to
use
so
there's
a
couple
of
options
here
now
I
mentioned
that
base
CA
data
right
that
SEO
uses
to
push
into
those
config
Maps
That
Base
CA
data
can
either
come
in
a
form
of
a
CA
certs
secret,
that's
created
in
the
SEO
system
namespace.
A
So
when
the
crd
starts
up,
it's
going
to
look
for
that
CA
search
secret
and
if
the
secret
is
there,
it's
going
to
take
the
information
from
there
and
push
that
CA
data
from
that
secret
to
those
config
Maps.
The
other
option
is
using
mesh
config.
So
when
you're
installing
istio
there's
a
global
mesh
config
settings
where
you
can
provide
the
ca
search
directly
and
then
what
istio
does
I'll
take
those
and
push
those
to
to
the
config
Maps,
hey
I,
do
welcome
hope
everyone's
doing
well.
A
Thank
you
for
saying
hi
as
well
now,
as
for
the
external
Cas,
the
two
options
that
I'm
going
to
talk
about,
both
of
them
will
use
cert
manager.
First
one
is
using
the
kubernetes
CSR
API,
so
there's
a
certificate,
signing
request,
resource
and
kubernetes
that
can
be
used
when
requesting
the
certificates.
A
Now,
in
this
case,
when
using
kubernetes,
CSR
sdod
is
going
to
act
as
an
RA,
so
ra
stands
for
registration
Authority
that
approves
their
requests
as
opposed
to
the
ca,
which
is
the
certification
Authority
that
signs
the
certificates,
so
istio
will
create
and
also
approve
the
CSR,
and
then
the
cert
manager
will
sign
it.
So
cert
manager
is
configured
using
an
issuer
to
sign
that
CSR.
Now
these
issuers
insert
manager
represent
Cas
and
there's
a
bunch
of
options
that
you
have
that
you
can
pick
from.
A
You
can
pick
Vault,
you
can
pick
Google
Cast,
aw,
AWS,
private,
CA
and
so
on.
The
benefit
here
with
this
one,
and
the
next
option
is
that
the
private
key
is
not
present
in
in
the
secrets
you're,
not
storing
in
a
secret.
You
shouldn't
be
storing
it
into
secret
anyway.
Instead,
it
can
be
stored
outside
Google,
AWS
Vault.
A
So
this
is
another
project
that
you
run
inside
your
cluster
and,
in
this
case
you're
using
a
Certificate
request,
resource
from
the
cert
manager
to
request
certificates,
and
in
this
scenario,
istio
CSR
is
going
to
act
as
a
registration,
Authority
and
then
cert
manager
is
going
to
act
as
a
CA.
So
the
flow
is
very
simple.
A
very,
very
similar.
A
The
difference
here
is
that
with
St
or
CSR,
the
workloads
in
the
cluster
gonna
talk
to
istio
CSR,
directly
they're
not
going
to
be
talking
to
a
Cod
anymore,
all
right.
So
this
is
just
like
an
overview.
There's
no
more
text
on
the
slides
from
this
point
on
and
I
have
only
a
couple
of
slides
to
explain
the
concepts
and
then
I'll
go
into
the
demo.
I
figured
having
diagrams
like
this
is,
makes
it
much
easier
to
understand
versus
just
me
being
in
the
command
line
and
typing
bunch
of
commands.
A
So
I'll
look
at
a
scenario
where
I
have
a
default
installation
of
istio,
which
means
I'm
using
a
self-signed
CA.
So
what
istio
is
going
to
do
is
it
will
create
those
config
Maps,
the
istioca
root
cert
and
the
workloads
are
going
to
get
issued.
Those
issued
certificates
they're
signed
by
that
self-signed
CA.
A
So
let's
say
I
have
that
default
default
installation.
Let's
say
I
start
with
this
one
and
then
I
say
okay
now,
I
want
to
create
my
own
Routier
and
I
want
to
create
an
intermediate
certificate
and
I
want
to
use
that
intermediate
certificate.
As
my
CA
right.
So
what
do
we
do?
We
use
those
intermediate
certificates,
I'm,
calling
them
a
here
or
blue
whatever,
whatever
is
easier
for
you,
we
take
those
certs,
we
store
them
in
a
secret
called
CA
certs.
We
we
would
restart.
A
A
A
A
Both
of
these
A
and
B
are
rooted
in
the
same
route.
Now
we
replace
the
ca
certs
with
intermediates
from
B.
This
gets
populated.
This
gets
pushed
through.
Let's
look
at
the
same
scenario:
service
C
comes
up.
It
has
this
new
certificate
from
intermediate
B.
However,
in
this
case
the
old,
the
workloads
using
certificates
signed
by
the
old
old
intermediate
CA,
this
will
still
work
because
they
stem
from
the
same
root.
So
this
works
fine.
A
If
you
have
a
one
root:
multiple
intermediates,
if
you're,
swapping
or
switching
out
the
intermediates,
this
is
going
to
work.
So
what
you'll
do
in
this
case
is
you
can
either
wait
for
I,
think
it's
12
hours,
the
default
rotation
interval
and
then,
after
like
24
hours,
all
the
existing
workloads
that
used
to
have
previous
intermediates
or
certificates
signed
by
previous
intermediates
will
have
the
certificate
signed
by
the
new
intermediate.
A
Now,
let's
complicate
this
even
more,
why
why
not?
Right
now?
Let's
say
we
want
to
introduce
a
new
route
right.
So,
whatever
reason
we
don't
care,
we
don't
want
that
old
route
anymore,
we're
going
to
introduce
a
new
route
and
a
new
intermediate
from
that
route,
and
we
push
that.
What
happens
we
end
up
in
that
same
scenario,
that
I
explained
first
right,
service,
C,
talking
to
service
b
or
service
B
talking
to
service
C,
it's
not
going
to
work
because
it's
completely
different
routes.
So
how
can
we
solve
this
now?
A
The
solution
is
fairly
straightforward.
What
you
need
to
do
is
you
create
a
combined
root
certificate,
so
the
one
that
contains
roots
from
B
and
C.
However,
your
actual
CA,
cert
and
key
will
still
be
from
that
new
route
right,
so
you
deploy
that
so
your
CS
certs
have
that
combined
root
certificate
that
gets
pushed
into
istiocia
root
cert,
which
has
two
of
them
now
right
service,
a
talking
to
Service,
C
or
service
B
talking
to
C
works
all
good,
because
the
istioca
roots
has
combined
root
certs
in
there.
A
Now
that
will
be
the
first
demo
that
I'll
show
and
then
the
second
demo
will
be
showing
the
cert
manager
and
sdo
CSR
I
will
be
doing
a
self-signed
scenario
here
as
well.
However,
I'm
gonna
use
cert
manager
issuer
to
issue
that
self-signed
CA
cert
all
right,
so
the
diagram,
the
diagram
might
look
complex,
but
it
actually
it
isn't
that
complex
right.
A
Now,
from
the
previous
scenarios,
we
know
that
we
need
to
provide
the
root
CA
to
stod
the
way
that
we've
done,
that
is
by
just
creating
the
ca
search
secret
or
just
letting
the
stod
create
a
self-signed
CA.
However,
this
time
we'll
create
a
secret
that
the
istio
CSR
will
mount
in
the
step
three
and
then
we'll
also
create
another
issuer
called
seoca
in
step
four,
so
this
issue
will
point
to
the
istioca
secret
and
it's
going
to
be
referenced
by
the
cert
manager.
A
So
whenever
the
workload
certificate
is
needed
or
requested,
cert
manager
will
use
this
istioca
issuer
to
create
the
new
certificates.
Now,
at
this
point,
we
can
we
can
start
istio
CSR
and
that
one
is
going
to
mount
the
root
CA,
so
the
one
that
we
extracted
right
and
then.
Finally,
we
will
install
scod
and
we'll
see
in
the
stod
settings
we're
going
to
turn
off
the
ca
server
functionality
and
we're
going
to
point
setting
a
field
called
CA
address.
We're
going
to
point
that
to
istio
CSR.
A
So
now,
whenever
SEO
agent
and
you
work
with
the
proxy
comes
up,
the
sto
agent
will
talk
to
istio
CSR
for
for
any
any
certificate
needs
right
now.
This
self-signed
setup
is
okay
for
testing
right,
but
for
like
more
serious
deployment
production
deployments.
Of
course
you
you
want
to
use
something
like
Vault
or
Google
or
AWS
to
store
your
keys
right
instead
of
storing
them
in
in
kubernetes.
A
Now
here's
the
exact
same
scenario
as
the
previous
slide,
however:
I
replace
that
CA
issuer
with
an
issuer
for
Vault,
so
Vault
issuer.
So
now
all
the
root
search,
all
the
intermediates.
All
those
secrets
are
basically
stored
in
Vault
and
they
are
not
stored
in
kubernetes
anymore
right,
they're,
not
storing
kubernetes
Secrets,
which
is
what
we
want
right.
A
So,
whenever
the
workloads
are
requesting,
the
certificates
they'll
go
to
the
istio
CSR
directly
and
then
istio
CSR
in
turn
uses
the
Vault
issuer
to
issue
and
use
certificate
to
workloads
when
needed
all
right.
So
this
was
enough.
Diagrams
yeah
I
like
these
diagrams
as
well.
It
just
it's
so
much
easier
to
explain.
Concepts
like
these,
with
with
diagrams
than
just
showing
it
in
in
code
or
command
line.
So
let
me
switch
to
foreign.
A
I
find
a
good
okay,
I
think
this
is
fine
right.
If,
if
it's
not
mention
it
in
the
comments,
if
you
don't
see
it,
but
it
should
be,
should
be
all
good.
Everyone
should
be
seeing
my
my
terminal
now
all
right,
so
what
I'll
do
is
I've
created
the
the
same
scenario
that
I
mentioned
in
in
the
slides
I
basically
have
Intermediate
A
and
intermediate
B
that
are
rooted
in
root.
A
One
I
have
the
intermediate
C
there's
going
to
be
rooted
in
a
different
route
and
then
in
the
combined
folder
I
just
have
that
combined
roots
in
that
one
file
and
I'll
I'll
show
that
in
more
details
as
as
I
get
to
that
point,
so
let
me
just
make
sure
I
don't
have
anything
I,
don't
have
anything
installed,
I'm
using
using
kind.
It's
a
single
single
node
cluster,
nothing
special.
What
I'll
do
is
I'll
install
I'll,
install
HDO.
A
And
then,
once
that's
installed,
we'll
just
do
the
typical
labeling
the
default
namespace
and
then
I'll
deploy
sleep
and
HTTP
bin
workloads
see
wait
for
those
to
come
up
and
what
I'll
do
next
once
these
come
up,
is
I'll
also
deploy
a
peer
authentication
policy.
That's
going
to
set
the
mtls
mode
to
strict.
A
So
that
way,
since
we're
we're
going
to
be
working
with
certificates.
That
way
we'll
know
if
something
breaks
right
away.
Instead
of
like
looking
at
the
details
of
the
certificates,
it's
just
much
easier
all
right,
so
we
have
both
of
them
running
just
double
check,
yep
and
then
I'm,
just
deploying
the
pre-authentication
that
sets
the
mtls
mode
to
strict,
as
opposed
to
permissive
and
then
to
check
that
everything
works.
I
will
send
a
request
from
the
sleep
pod
to
the
HTTP
bin,
so
shouldn't
be
any
issues
here.
A
All
works
all
good,
all
right,
so
we're
using
the
self
sign
search
here.
Let's
also
look
at
the
config
map,
so
let
me
show
you
the
config
Maps
notice,
there's
sdo
CA
root,
cert
istioca
root
cert
in
all
the
namespaces,
except
for
the
cube
ones.
Right.
Let's
look
at
the
details
of
that
root,
search
file,
so
I'm
just
getting
the
config
map
getting
that
file
specifically
and
then
piping
it
through
openssl
and
looking
for
the
issuer.
A
So
issuer
is
just
clustered
on
local,
but
what
we'll
do
next
is
I
will
create
the
ca
search
secret
that
uses
the
intermediate
a
certificate.
So
let's
do
that
I
clear
the
screen
again
so
create
secret
generic
CA
certs
in
a
SEO
system
and
then
I'm
just
pointing
to
cert
keyword,
search
and
search
chain
from
intermediate
a
folder.
A
So
this
I
just
see
figure
three
starter:
it's
fairly
fast
yeah.
So
this
was
restarted
and
then
let's
look
at
the
logs
from
sdod
just
so
we
can
see
what's
happening
there,
I'll
just
grip
for
this
guy
yeah.
So
we
can
see
in
the
logs
of
stod
that
we're
using
this
Intermediate
A
from
the
exam
that
was
rooted
in
the
example
root
ca1.
So
we're
not
using
the
cell
sign
CA
anymore.
The
STL
self-sign
CA
anymore,
so
what
happens
now?
A
These
two
workloads
are
still
using
those
previous
search,
so
if
I
would
try
to
make
a
request,
this
would
still
work
right.
There's
not
going
to
be
any
issues
here
because
they're
still
using
the
same
certificates
rooted
from
the
same
route.
However,
if
I
delete,
let's
delete
the
HTTP
band
so
as
I
delete
this
when
it
comes
back
up,
it's
gonna
get
those
new
get
that
new
certificate
signed
by
the
intermediate
a
so
this
time.
If
I
try
to
send
a
request,
clear
the
screen
so
same
thing
sending
a
request.
A
A
A
So
the
next
thing
I'll
do
is
I
will
rotate
the
intermediates
so
from
a
we're
going
to
go
to
B
and
both
of
them
are
routed
in
the
same
route.
Yeah,
so
I
could
say:
Auto
reload,
plug-in
certs.
Yes,
exactly
yeah
you're
right,
that's
the
that's
the
setting
that
I
was
referring
to
so
yeah,
so
it
is,
it
is
there
all
right,
so
what
I'll
do
is
I'll
delete
the
existing
CA
search
and
then
I'll
create
another
one,
but
this
time
we'll
use
intermediate
B.
A
Oh,
oh
now,
let's
double
check
the
logs
again
oops
copy
paste
there
yeah
the
logs
from
sdod
and
we'll
see
we're
using
intermediate
B.
Now,
however,
it's
still
the
same
route
right,
let's
restart
HTTP
bin,
so
HTTP
bin
is
going
to
pick
up
the
new
cert
from
intermediate
B
and
once
this
one's
restarted.
If,
if
I
make
a
request,
it
should
work
fine
right
because
both
of
those
are
from
the
same
route
right.
So
there's
no
issues
here.
So
let's,
let's
do
that
final!
A
One
now
I'll
delete
sleep
as
well,
so
both
of
them
have
same
intermediates.
So
what
I'm
going
to
do
now
is
I'll
switch
to
intermediate
C,
but
that
one
was
signed
by
a
different
route
right.
So
I'll
do
the
same
thing
as
before.
The
only
difference
is
going
to
be
that
I'll
combine
the
two
root
certs
in
in
one
file
right,
but
everything
else
is
going
to
be
the
same.
A
So
this
is
the
combined
root
search
that
I'll
refer
to,
and
this
one
is
coming
from
root
a
and
the
second
one
is
coming
from
root:
B.
That's
it
it's
all
the
difference
and
then
we'll
repeat
the
same,
delete
create
thing,
create
the
CSS
note
that
I'm
still
referencing
intermediate
B
here
and
the
only
thing
that
I'm
changing
is
I'm,
just
adding
that
extra
root
certificate
from
that
second
route
into
the
combined
one
right.
So
no
changes
here.
Theoretically,
only
the
root
Cas
have
changed.
We
added
one.
A
A
A
If
we
try
again,
they
should
work
fine,
there
shouldn't
be
any
nothing,
no,
nothing!
Nothing
should
be
affected
here
and
then
to
lead
to
sleep
again,
no
issues
there,
then,
as
the
last
step,
now
that
we
have
both
of
those
root
search,
there
add
the
last
step
where
we
would
do
is
we
would
switch
over
to
intermediate
C
for
any
new
workloads
that
come
up
we're
still
using
the
combined
one,
though
right.
A
So
let's
do
this,
and
now,
if
you
look
at
the
issuer
in
stod
into
logs
you'll,
see
that
it's
intermediate
C
and
it's
the
new
root
right
and
let's
restart
HTTP
bin
again
HTTP
bin
is
going
to
receive
a
certificate
from
the
intermediate
C,
while
the
sleep
is
still
using
a
certificate
from
intermediate
B
from
a
completely
different
route
right.
However,
this
is
going
to
work
because
we
have
both
of
those
root
Cas
in
that
config
map
right.
A
So
the
last
step
here
that
you
would
do
is
you
would
update
the
ca
search
again,
but
this
time
you
would
remove
the
combined
root
certificate.
So
it's
going
to
only
include
the
intermediate
seized
route
and,
of
course
you
would
do
that
once
all
of
your
existing
workloads
would
switch
over
to
the
new
new
root
or
new
intermediate
I
guess:
hey
scheike,.
A
So
empty
empty
cluster
don't
have
anything
installed
yet
and
this
time
I'll
start
with
installing
the
shirt
manager.
So
this
is
this.
This
demo
is
going
to
show
how
to
use
SEO
CSR
and
have
the
search
manager
and
istio
CSR
deal
with
the
intermediates
and
root
Cas
and
issuing
the
certificates
all
right.
So
first
one
is
just
going
to
be
installing
search
manager.
A
Amazing
there
we
go
so
we
have
the
search
manager,
let's
check
the
search
manager,
manager,
namespace,
you
have
the
C
injector
web
Hook
and
the
search
manager
up
and
running,
and
next
what
I'll
do
is
I'll
create
that
certificate
issuer.
The
sell
signed
this
year
right
that
I
shown
in
that
diagram
right.
This
is
just
so
much
easier
to
demo
than
just
setting
up
vault
and
everything,
but
you
should
for
sure,
go
and
set
that
all
up.
A
So
let's
do
the
this
is
how
the
issuer
the
sell
sign
issuer
is
going
to
look
like
just
call
this.
Your
the
kind
is
this
year
there's
also
the
cluster
issuer
kind,
which
applies
to
the
whole
cluster,
but
I.
Think
the
assert
manager
docs
are
very
prescriptive
and
are
saying
start
with
the
issuer.
First
issuers
are
I,
think
bounded
to
a
specific
namespace
right,
so
anything
that
the
issuer
can
issue
to.
Is
this
namespace
in
this
case
right?
A
A
All
right
so
certificate
kind
from
the
cert
manager,
we're
saying,
create
a
certificate
called
istioca.
It
is
a
CA.
It's
valid
for
30
days
drop
the
files
into
istioca
secret
in
the
same
cluster
and
then
there's
the
private
key
setting,
subject
right
and
issue
a
reference,
so
we're
just
referencing
that
self-signed
issuer
I
created
30
seconds
ago.
So
let's
do
this
so
now.
The
result
of
this
one
is
this:
CA
secret
is
Coca
secret
that
was
created
with
the
certificate
key
and
the
ca.
A
A
I'm,
getting
the
secret
and
I'm
just
pulling
out
the
TL
TLS,
that's
CRT
file
decoding
it
into
ca.tem
and
then
I'm,
creating
another
secret
that
will
be
used
by
istio
CSR
overall
reference
at
ndsc
or
CSR
to
act
as
a
root
CA
right,
so
creating
a
generic
Secret
istio
Routier
from
the
file
that
we
just
extracted
from
that
secret
that
was
created,
but
by
that
self-signed.
Yes,
sure,
let's
do
this
and
now,
finally,
what
we
need
to
do
is
we
have
to
create
another
issuer.
A
So
now,
we've
just
used
certain
manager
to
create
a
self-signed
CA
a
CA
certificate,
but
the
last
thing
that
we'll
do
here
is
we'll
create
another
issuer.
That's
called
the
Coca,
and
this
is
what
the
SEO
CSR
will
use
to
issue
that
certificates
to
or
close
right,
and
this
one
is
pointing
to
that
istioca
secret.
That
was
created.
Let's
do
this
now
that
we
have
all
these
secrets
in
place,
and
next
year
is
in
place.
We
can
install
SEO
CSR
right.
So
this
is
how
this
looks
like.
A
What
we're
doing
here
is
we're
mounting
that
istio
root,
CA
secret
right
and
a
volume
called
root.
Ca
and
then
we're
just
mounting
that
Secret
in
as
the
root
CA
file
that
we
want
to
use
right.
So
this
is
just
telling
it
hey.
This
is
the
root
CA
that
you
use
when
you're
issuing
certificates
all
right.
So
this,
let's
just
make
sure
that
this
is
installed.
A
A
So
this
is
just
the
istio
operator
default
profile
and
notice
here
that
CA
address.
So
what
we're
doing
here
is
we're
basically
telling
istio
and
consequently
the
the
SEO
agents
that
are
running
in
in
the
proxies
right
to
use
this
as
their
CA
right
when
they're
requesting
the
certificate-
and
this
is
just
istio
CSR
service-
name-
that
we
just
deployed
right.
A
We're
also
disabling
the
ca
server
functionality
in
the
pilot
and
then
there's
an
overlay
that
just
mounts
the
the
secrets
from
the
files,
not
secrets
from
the
cert
manager
right
so
they're
mounting
the
ca
root,
cert
and
the
SEO
dtls.
So
let's
do
this,
so
this
is
basically
just
installing
SEO
at
this
point,
all
right
and
I
can
and
go
back
to
bigger
fonts.
A
And
let's
wait
for
these
to
come
up
now,
this
time
as
they're
coming
up,
the
SEO
agent
is
gonna,
use
that
CA
address
it's
not
going
to
talk
to
you.
Sdod
for
for
the
workload
certificate
instead
is
going
to
go
to
istio,
CSR
and
istio.
Csr
is
going
to
use
that
issuer
to
get
a
certificate
that
was
signed
by
that
self-sign
CA
that
we've
created
right.
A
So,
let's
do
this
and
I
should
have
the
workload
search
File
here,
yes,
stair
and
then
you
just
use
open,
SSL
to
just
decode
it
and
then
in
the
output.
If
I
go
out
here,
you'll
see
the
organization
here
is
the
cert
manager.
The
common
name
was
the
SEO
CA
that
was
set
there
and
we
have
the
spiffy
here
as
well.
Right,
nothing
has
changed.
Nothing
has
changed
from
the
istio's
perspective
right.
This
is
a
valid
certificate,
valid
workload
certificate
that
workloads
can
use
right.
A
It's
theoretically
doesn't
care
as
long
as
it
has
this
spiffy
spiffy
ID
here
and
it's
a
valid
document
all
right.
So
that
was
that
was
my
demo.
I.
Think
we're
like
40
minutes
in
perfect
I
was
perfect
on
timing
again.
If
anyone
has
any
questions
in
regards
to
this,
I'll
gladly
try
and
answer
them,
if
not
I'm,
just
looking
to
post
a
link
to
the
previous
hoot,
that
I
did
a
couple
of
weeks
back
where
I
was
talking
about.
A
I
was
talking
about
spire
and
that
one
has
more
of
a
more
details
on
like
how
spiffy
Inspire
work
in
general,
and
you
should
definitely
I
guess.
I
can
I
can
show
it
here,
but
it's
not
going
to
help
much
No
One's
Gonna
copy
paste
it
from
here.
But
if
you
go
to
our
Channel,
you
should
be
able
to
find
it
there
under
live
all
right
if
they're,
if
there
are
no
questions
thanks
everyone
for
joining
hope,
this
was
useful,
make
sure
to
like
And
subscribe.