Istio provides the option of running a node agent in Kubernetes that handles certificate and key provisioning and rotation for the Envoy sidecars on that node.
If you are using the demo install profile, the node agent is not installed by default. To install it, choose values-istio-sds-auth.yaml for the helm install. Once installed, the node agent runs as a DaemonSet, so you should see one instance on every node. For example, in our single VM, you will see only one node agent:
$ kubectl -n istio-system get pods -l app=nodeagent
NAME READY STATUS RESTARTS AGE
istio-nodeagent-smfz7 1/1 Running 0 3m35s
Once deployed, the node agent provisions each workload's private key and certificate through the following workflow, which is also the rotation workflow:
- The Envoy proxy sends a key and certificate request to the node agent through the Secret Discovery Service (SDS) API, which is exposed over a Unix domain socket local to the node.
- When it receives the SDS request, the node agent generates the private key and a Certificate Signing Request (CSR) for that workload.
- The node agent sends the CSR to Citadel over gRPC, together with the workload's service account token so that Citadel can authenticate which identity is asking. Citadel validates the request, signs the CSR, and returns the resulting certificate to the node agent.
- The node agent hands the key and certificate to the proxy via the SDS API.
- This process repeats for every workload before its certificate expires, which is how keys and certificates are rotated.
Because the private key is generated on the node and handed to the proxy over the local SDS socket, it never leaves the node and is never stored as a Kubernetes secret, which is the main security advantage of this path over mounting key material from secrets.
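To make the workflow concrete, the following Go program models the three parties (proxy, node agent, Citadel) with the standard library's crypto/x509. It is an added example written for this chapter, not code from Istio's node agent or Citadel, and it simplifies Istio's protocol: the SDS socket and the gRPC transport are replaced by direct function calls, the service account JWT is represented by a callerID argument that the CA is assumed to have already authenticated, and the root CA, SPIFFE identity names and lifetimes are made up for the example. What it preserves is the security structure of the exchange: the private key is created by the node-agent step and never passed to the CA step, which only ever sees the CSR, and the CA refuses a CSR whose requested identity does not match the authenticated caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

type CA struct { // stands in for Citadel: the mesh root certificate plus its signing key
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewCA makes a self-signed root for this example (real Citadel loads its root from istio-ca-secret or a plugged-in CA).
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-mesh-root"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// Sign is the Citadel step. callerID stands in for the identity Citadel has already authenticated from the
// service account JWT the node agent forwards with the CSR; a CSR asking for any other identity is refused.
func (ca *CA) Sign(csrDER []byte, callerID *url.URL, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the requesting key
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	if len(csr.URIs) != 1 || csr.URIs[0].String() != callerID.String() {
		return nil, fmt.Errorf("csr asks for %v but caller is %s", csr.URIs, callerID)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		URIs:         csr.URIs, // SPIFFE ID goes in the URI SAN, as Istio issues it
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)
}

// Provision is the node-agent step: the private key is generated here and never leaves this process; only
// the CSR goes to the CA. The returned pair is what the node agent would push to Envoy over the SDS socket.
func Provision(ca *CA, id *url.URL, ttl time.Duration) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{id}}, key)
	if err != nil {
		return nil, nil, err
	}
	certDER, err := ca.Sign(csrDER, id, ttl)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

// NeedsRotation is the repeat step: ask for a new pair once less than grace remains, so the replacement is in place before expiry.
func NeedsRotation(cert *x509.Certificate, now time.Time, grace time.Duration) bool {
	return now.Add(grace).After(cert.NotAfter)
}
```

Calling order mirrors the list above: NewCA once (Citadel start-up), then Provision for each workload identity such as spiffe://cluster.local/ns/default/sa/productpage, and NeedsRotation on a timer to decide when to call Provision again. The check worth copying into any real CA front end is the identity comparison in Sign: without it, a compromised node agent could ask for a certificate for any service account in the mesh, and the CSR signature check alone would not catch that.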
Istio recommends running Citadel in the istio-system namespace and restricting access to that namespace to administrators, since Citadel holds the CA signing key for the mesh.
We will cover certificate and key rotation in more detail in Chapter 12, Enabling Istio Policy Controls.