-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Autocert for updating the secret that has the certificates #1
Comments
Hey @vikramkhatri, sorry for the delayed response. Short answer... If you're running The podspec would look something like:
With the appropriate cluster permissions, the
in a loop, sleeping for an hour or so in between invocations. Longer answer... Autocert was intentionally designed to keep private keys out of kubernetes secrets, instead persisting them only on the local file system inside pods/containers, because it's more secure (fun fact: most kubernetes distros don't encrypt secrets in the storage backend!). Often there's a security/usability trade-off. But there isn't one here. Storing certs on disk offers the same developer/operator experience because, ultimately, containers just need to find certs & keys on disk. That said, we're aware that certain kubernetes primitives (like ingress controllers) require private keys (and certificates) to be made available via a kubernetes API resource. For those use cases we have no choice. We might add functionality to There are other ways to make this work though. When you install
in a script to pull the expiration date, renew using
where You might also want to take a look at Finally, we're working on a direct integration between envoy and |
Hi @mmalone - actually that will be very interesting. Please let me have access and I will be willing to test this in my Istio set up. Istio's SDS is pretty good as cert and key are not mounted and they remain in memory - I think a better implementation from security standpoint. Thanks for step. This is awesome. |
One suggestion - Linkerd does service to service communication mTLS automatically and they have their own CA that does this. It does not secure traffic between an Ingress gateway to the edge service as that is specific to a type of ingress controller one is using. Linkerd leaves that function to the end-users. Istio provides its own Ingress and Egress gateways but Istio does not cover certificate rotations of its own Ingress / Egress gateways either. It good be nice if you could fill that gap through your CA for both Istio and Linkerd. |
@vikramkhatri @servicemeshbook as Mike Malone mentioned for early access please see https://github.com/smallstep/step-sds we just made public. It's a direct integration between |
Closing. Feel free to reopen if you have more questions. |
Hi - The simplicity of your implementation is indeed very impressive.
I have a use case. My Istio ingress certificates are stored in a secret and then the Ingress pod consumes it from the secret and then pushes it to the memory of the target service. For example:
Now, the above will be consumed by the Istio Ingress gateway automatically since I have defined a gateway that defines the secret name
httpbin-keys
for thehttpbin.istio.io
- which resolves to a local IP address - Just for testing. For example:Since the secret is in
istio-system
namespace, it is protected as the users will not have access to this namespace and the certificates are then loaded in the memory of the pod instead of mounting them as files for security reasons through Secret Discovery Service of Istio.Is there a way, you could recommend as what is the best way to automatically update the secret based upon when TTL of the x.509 is about the expire.
If this is easy to do, it will solve one of the problem that I am facing is to automatically renew the certificates for the external names for the virtual services.
Thank you.
The text was updated successfully, but these errors were encountered: