Istio DNS Certificate Management

    • Unlike Istiod, this feature doesn’t require maintaining a private signing key, which enhances security.

    • Simplified root certificate distribution to TLS clients. Clients no longer need to wait for Istiod to generate and distribute its CA certificate.

    • Install Istio with DNS certificates configured. The configuration is read when Istiod starts.

    DNS certificate provisioning and management

    Istio provisions the DNS names and secret names for the DNS certificates based on configuration you provide. The DNS certificates provisioned are signed by the Kubernetes CA and stored in the secrets following your configuration. Istio also manages the lifecycle of the DNS certificates, including their rotations and regenerations.

    Check the provisioning of DNS certificates

    After configuring Istio to generate DNS certificates and storing them in secrets of your choosing, you can verify that the certificates were provisioned and work properly.

    To check that Istio generated the dns.example1-service-account DNS certificate as configured in the example, and that the certificate contains the configured DNS names, you need to get the secret from Kubernetes, parse it, decode it, and view its text output with the following command:

      The text output should include:

      1. Delete the secret storing the DNS certificate configured earlier:

         $ kubectl delete secret dns.example1-service-account -n istio-system

      2. To check that Istio regenerated the deleted DNS certificate, and that the certificate contains the configured DNS names, you need to get the secret from Kubernetes, parse it, decode it, and view its text output with the following command:

      The output should include:

        X509v3 Subject Alternative Name:
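A scripted form of the two checks above (provisioning and regeneration), added here as an example and not taken from the Istio documentation. It assumes kubectl, jq and openssl are installed, and that the secret holds the certificate chain under the key cert-chain.pem; the DNS names in the usage comment are placeholders for the ones you configured.

```shell
# Added example, not from the Istio docs. Assumes kubectl, jq and openssl are on PATH and
# that the DNS certificate secret stores the chain under the "cert-chain.pem" key.
set -eu

# List the DNS entries of a certificate's Subject Alternative Name, one per line.
cert_dns_names() {
  local cert="$1"   # path to a PEM certificate (first certificate of a chain is read)
  openssl x509 -in "$cert" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed only if every expected DNS name is present in the certificate's SAN.
check_dns_names() {
  local cert="$1"; shift
  local actual want missing=0
  actual="$(cert_dns_names "$cert")"
  for want in "$@"; do
    if ! printf '%s\n' "$actual" | grep -qxF -- "$want"; then
      echo "missing DNS name in $cert: $want" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Pull the certificate chain out of the secret: JSON -> base64 field -> PEM file.
fetch_cert_from_secret() {
  local secret="$1" namespace="$2" out="$3"
  kubectl get secret "$secret" -n "$namespace" -o json \
    | jq -r '.data["cert-chain.pem"]' | base64 --decode > "$out"
}

# Delete the secret and poll until Istiod has regenerated it (or $3 seconds elapse).
wait_for_regenerated_secret() {
  local secret="$1" namespace="$2" timeout="${3:-60}" waited=0
  kubectl delete secret "$secret" -n "$namespace"
  until kubectl get secret "$secret" -n "$namespace" >/dev/null 2>&1; do
    waited=$((waited + 1))
    [ "$waited" -lt "$timeout" ] || { echo "$secret was not regenerated" >&2; return 1; }
    sleep 1
  done
}

# Usage against a cluster (DNS names are placeholders for the ones you configured):
#   fetch_cert_from_secret dns.example1-service-account istio-system /tmp/chain.pem
#   check_dns_names /tmp/chain.pem "<configured-dns-name-1>" "<configured-dns-name-2>"
#   wait_for_regenerated_secret dns.example1-service-account istio-system  # then re-run the two lines above
```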

      Cleanup