rshriram/istio_federation_demo

Must I set up a dedicated CA cluster?

gyliu513 opened this issue · 3 comments

@rshriram I found that at https://github.com/rshriram/istio_federation_demo/blob/master/run_demo_from_laptop.sh#L123-L125 , we actually created three clusters, including the CA cluster, cluster1 and cluster2, so must I create three clusters if I want to do such a demo?

Yes, the idea being that the root CA is running outside both clusters, and automatically rotating certs of the cluster-level CAs. You can tweak the Istio CA setup to remove the root CA and use static root certs, but it's not secure in the long run.

Got it, thanks @rshriram

As your tutorial was based on AWS, I was working on a private cloud which is based on a local Kubernetes cluster; I will post a blog once it is ready.

@rshriram I think that the current Istio does not support automatically rotating certs at the cluster level. Does Istio have a plan to support this?