[Videos] Avoiding Downtime With Istio 1.6 Certificate Rotation
Istio uses certificates to issue workload identity following the SPIFFE specification. To manage issuing, signing, and rotating these certificates at runtime, Istio has a built-in CA component (in Istio 1.5 and newer, you’ll see this co-located with the istiod component in the control plane). These workload certificates are used to establish mTLS, assert identity, and enforce policies like Authentication and Authorization.
At times, operators of the Istio service mesh will need to rotate the signing certificates Istio uses in its CA. For example, maybe a certificate is about to expire, or maybe it fell into the wrong hands. Since all of the workloads in the mesh will likely be using their respective workload certificates for mTLS, we need to make sure rotation of these signing certificates (including root certificates at times) does not lead to downtime.
In this multi-part video series, we walk through understanding Istio’s CA and how to safely rotate signing certificates. These videos are short and easily consumable (~5 min each).
Setting the context: Understanding Istio’s Root CA
Plugging in your own signing certificates
Rotating intermediate certificates (same root)
Establishing trust for multiple roots (temporarily)
Rotating intermediate certificates (different root)
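The last three steps above (rotate the intermediate, trust both roots temporarily, then move the intermediate under a different root) can be exercised with a toy CA, as in this added Go example, which is not from the original post or from the Istio project. It builds two self-signed roots with crypto/x509, issues an intermediate and a workload certificate under each, and checks at each stage whether an mTLS peer presenting its workload certificate plus intermediate still validates against the trust bundle; the CA names and the SPIFFE ID are constructed sample values.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)
// mkCert issues a cert for a fresh Ed25519 key, signed by parent (a self-signed root when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if !isCA { // a workload's identity is its SPIFFE URI SAN (constructed sample value)
		tmpl.URIs = []*url.URL{{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/default/sa/httpbin"}}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// chainsToBundle reports whether a workload cert, presented with its intermediate in the mTLS handshake, validates against the given roots.
func chainsToBundle(leaf, inter *x509.Certificate, roots ...*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	interPool.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
	return err == nil
}
// RotationStages moves the signing intermediate from Root A to Root B and reports whether peers still validate at each stage.
func RotationStages() (oldBundleOnly, bothRoots, newBundleOnly bool) {
	rootA, keyA := mkCert("Root A", true, nil, nil)
	rootB, keyB := mkCert("Root B", true, nil, nil)
	interA, ikA := mkCert("Intermediate A", true, rootA, keyA)
	interB, ikB := mkCert("Intermediate B", true, rootB, keyB)
	oldWorkload, _ := mkCert("workload on old chain", false, interA, ikA)
	newWorkload, _ := mkCert("workload on new chain", false, interB, ikB)
	oldBundleOnly = chainsToBundle(newWorkload, interB, rootA) // stage 1: only Root A trusted, so a peer re-issued under Intermediate B is rejected
	bothRoots = chainsToBundle(oldWorkload, interA, rootA, rootB) && // stage 2: both roots distributed first, so old and new chains interoperate
		chainsToBundle(newWorkload, interB, rootA, rootB)
	newBundleOnly = chainsToBundle(newWorkload, interB, rootB) // stage 3: every workload re-issued under Intermediate B, Root A dropped
	return
}
func main() { fmt.Println(RotationStages()) } // prints: false true true
```

The false result in stage 1 is the downtime the series is about: re-issuing workload certificates under a new root before every peer trusts that root breaks mTLS, which is why the multi-root trust step comes first.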
We hope you enjoy these videos and learn more about how to use Istio.