From YouTube: Istio 1.6 Deep Dive Certificate Rotation (Part 0)
Description
In this 4-part series, we look at how to rotate Istio CA certs without interruption.
About us https://solo.io
Manage multi-cluster Istio with Service Mesh Hub https://solo.io/products/service-mesh-hub/
Istio 1.6 https://istio.io/latest/news/releases/1.6.x/announcing-1.6/
Questions? https://slack.solo.io
A
So forget the config maps. We can see this CA root cert, take a look at it in the YAML, and we can see that the certificate is stored here. When we look at the workloads and we explore their certificates, we can see that their leaf certificates are signed by this root. So we can come over here. Let's go use k9s, our favorite console for Kubernetes. See, we have a couple of workloads running here: sleep pod, which can talk to the httpbin pod, and Istio is currently deployed with mutual TLS.
A
So if we do kubectl get here, patient I should see strict, you'll see less so. But if we go to the workloads, and let's shell into one of these workloads, one of these Istio proxy, if we do a curl on the proxy itself and its certs endpoint, so this is pure Envoy. Envoy documentation, see the different paths you can hit for clearing the configuration that the proxy has.
A
Let me take a look at the certificate: take a look at its serial number, and FAC six, something or other, and that's what we see here, FAC six. So this is the root certificates line up between what was automatically created by Istio on bootstrap and the certificates that get signed by the certificate authority in Istio 1.6. Let's go here.
A
Another interesting thing we can show you here is that the leaf certificates are created and they're available, or they're valid, for a 24-hour period by default, and so this can be changed with environment variables, but by default, when we do this request to sign a certificate, it does it for 24 hours. So in the next video, what we're going to look at is what happens when you start rotating certificates, specifically the CA that Istio uses to sign certificates.