Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
solo.io / Istio 1.6 / 13 Jul 2020
solo.io / Istio 1.6 / 13 Jul 2020
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Istio 1.6 Deep Dive Certificate Rotation (Part 3)

Description

In this 4-part series, we look at how to rotate Istio CA certs without interruption.

In this section we look at how to trust multiple Root CAs to set up rotation without disruption

About us https://solo.io
Manage multi-cluster Istio with Service Mesh Hub https://solo.io/products/service-mesh-hub/
Istio 1.6 https://istio.io/latest/news/releases/1.6.x/announcing-1.6/
Questions? https://slack.solo.io

A

Thanks again for continuing along with this video series, we are exploring how to rotate ISTE O's CA signing certificates with minimal downtime. In previous videos. We saw that changing the route will cause downtime, especially going from and SEO self sign and generated root, CA to maybe one that you want to use.

A

But then we also saw that if you rotate, the intermediate certificates and those intermediates have the same route that you won't see. Downtime and now in this video video 3 we're going to see how to introduce the you know if you need to rotate your route CA, which isn't something that happens very often but will happen, and you need to be able to handle it without downtime.

A

What we want to do, for that is make sure that, for a period of time that we're able to trust the old route as well as the new route, so that we don't have a breakage in traffic in the previous videos we took, we saw the breakdown and the structure, and we can do it again, our certificates. So far, we showed that for certificates or intermediate signed by route a so. We introduced through a and route a to that this didn't.

A

We didn't see any breakage in in the traffic communication, but now we want to rotate our CA certificate to something that's been signed by route B, which chained, which will break the connections if we don't handle it appropriately. So let's take a look in.

A

So we see that our route see a signed by route, a in our examples. Yeah now we want to introduce Ruby or intermediates that have been signed by would be so we want to do that by introducing a root CA that includes both a and B.

A

So we're going to do that first by deleting the existing CA certs, of course, save them before you actually do that and we're going to create CA search with a root cert that includes both a and B root certificates.

A

Okay, so we're going to create the CA certs with we're not going to change the intermediate, yet we're not going to change anything. All we're doing is introducing or we're changing the route so that we trust both a and B routes. It's an intermediate chain is still assigned by route a but we're introducing the the routes that that are that trust both a and B.

A

Now, let's restart its Tod pick this up.

A

Bc.

A

Should be up and running, looks good, that's our workloads.

A

Okay. Now what this is done has changed the let's take a look at the route, see a config map. Oh still hasn't picked it up. I see it might still be coming up. Let's do this.

A

So, let's see it.

A

Now to see alright, so it still has placed these trusted CAS root certificates in the config maps in all of the namespaces we see both a and B are listed here. Both a and B are trusted.

A

Now, if we look at the pod itself and we take a look at the route up, that still hasn't been updated in the pot, so this might take a second.

A

Eventually, I guess it wasn't cooperate for demos, but eventually it should also propagate into the pod.

A

Which we should okay now it has right. So in the sleep pod, we now see through a and B very good, let's restart the HCV bin service, so that it picks up these new.

A

You know new CAS and what we saw in the in the previous demos is that when we change the route and they weren't the same routes between sleep, Todd and HTTP bin pod, that things would break.

A

But we shouldn't see that here all we've done is introduced, route, B haven't changed the CAS or the the we haven't changed the intermediate yet so, if you make this collar should work, and it does now in the next video we're going to introduce the CA that's been signed by B and the pods now should trust both a and B. So, even though we're rotating the route we shouldn't see any breakage in the communication stay tuned to the next video.