Istio Citadel CA Plugin Architecture¶
The Istio Citadel CA Plugin Architecture refers to a deployment configuration where Istio Citadel functions as an Intermediate Certificate Authority (CA) under a pre-existing, externally managed Root CA.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]
This configuration lets operators integrate Citadel into a [[Public Key Infrastructure]] (PKI) hierarchy whose root of trust is established outside Istio, rather than relying on the self-signed root certificate Citadel generates by default.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]
Architecture Components¶
To implement this plugin architecture, the system requires specific certificates and keys to establish the chain of trust and the intermediate CA's signing capabilities.
Root and Intermediate Certificates¶
The architecture relies on the following cryptographic materials^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]:
- Root CA Certificate: The top-level certificate (root-cert.pem) that acts as the trust anchor.
- Alternative Root CA: An optional alternative root certificate (root-cert-alt.pem) for demonstrating different trust chains.
- Citadel Intermediate Certificate and Key: The certificate (ca-cert.pem) and private key (ca-key.pem) used by Citadel to sign workload certificates. Citadel operates using this intermediate identity.
- Certificate Chain: A file (cert-chain.pem) containing the ordered list of certificates required to verify an end-entity certificate back to the root.
Workload Certificates¶
In a plugin CA setup, workloads within the service mesh receive certificates signed by the Citadel intermediate CA.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]
These workload certificates typically include specific identity information, such as a Subject Alternative Name (SAN) formatted as a URI (e.g., spiffe://trust-domain-foo/ns/foo/sa/foo).^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]
Configuration and Workflow¶
Operators can configure Citadel with these existing files to enable the plugin behavior.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]
For testing and demonstration purposes, scripts are provided to generate sample workload certificates signed by the intermediate CA key.^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md]
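As an added example covering both the certificate inventory above and the workload-signing workflow (it is not the README's own scripts or any Istio code), the following POSIX shell script builds a toy version of this hierarchy with the openssl CLI: an externally held root signs Citadel's intermediate (ca-cert.pem / ca-key.pem), the intermediate issues a workload certificate carrying the README's sample SPIFFE URI as a SAN, cert-chain.pem is assembled, and the result is verified against root-cert.pem and against an unrelated root-cert-alt.pem. The organisation names, key sizes, validity periods, the pathlen:0 constraint on the intermediate, the config section names and the helper function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Istio's tooling: a toy plugin-CA hierarchy built with the
# openssl CLI. File names follow the README; org names, lifetimes, key sizes and
# the pathlen:0 constraint on the intermediate are assumptions of this example.
set -eu

# Write one openssl config holding the extension profile for each tier into $1.
write_config() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Org
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[citadel_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[workload_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = URI:spiffe://trust-domain-foo/ns/foo/sa/foo
EOF
}

# Build root -> Citadel intermediate -> workload certificate inside directory $1.
# The body is a subshell so the cd does not leak into the caller.
make_pki() (
  mkdir -p "$1" && write_config "$1" && cd "$1"

  # 1. Externally managed Root CA, the trust anchor. root-key.pem stays with the
  #    root's operator; Citadel is only ever handed ca-key.pem (step 2).
  openssl req -config pki.cnf -x509 -extensions root_ext -newkey rsa:2048 -nodes \
    -days 365 -keyout root-key.pem -out root-cert.pem \
    -subj "/O=Example Org/CN=Example Root CA" >/dev/null 2>&1

  # 2. Citadel's intermediate CA: a CSR signed by the root. pathlen:0 lets it
  #    sign workloads but not further CAs.
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -keyout ca-key.pem \
    -out ca.csr -subj "/O=Example Org/CN=Istio Citadel Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -days 180 -in ca.csr -CA root-cert.pem -CAkey root-key.pem \
    -CAcreateserial -extfile pki.cnf -extensions citadel_ext -out ca-cert.pem >/dev/null 2>&1

  # 3. cert-chain.pem: the ordered path from the intermediate up to the root.
  cat ca-cert.pem root-cert.pem > cert-chain.pem

  # 4. Workload certificate signed with ca-key.pem; the mesh identity rides in the
  #    URI SAN (the README's sample SPIFFE ID, set in workload_ext above).
  openssl req -config pki.cnf -new -newkey rsa:2048 -nodes -keyout workload-key.pem \
    -out workload.csr -subj "/O=Example Org" >/dev/null 2>&1
  openssl x509 -req -days 1 -in workload.csr -CA ca-cert.pem -CAkey ca-key.pem \
    -CAcreateserial -extfile pki.cnf -extensions workload_ext -out workload-cert.pem >/dev/null 2>&1
)

# An unrelated self-signed root, root-cert-alt.pem in $1: a second trust chain.
make_alt_root() {
  write_config "$1"
  openssl req -config "$1/pki.cnf" -x509 -extensions root_ext -newkey rsa:2048 -nodes \
    -days 365 -keyout "$1/root-key-alt.pem" -out "$1/root-cert-alt.pem" \
    -subj "/O=Other Org/CN=Alternative Root CA" >/dev/null 2>&1
}

# Succeeds only if $1/workload-cert.pem chains to the trust anchor $1/$2 through
# the (untrusted) intermediates in cert-chain.pem, as a peer's verifier would check.
verify_workload() {
  openssl verify -CAfile "$1/$2" -untrusted "$1/cert-chain.pem" \
    "$1/workload-cert.pem" >/dev/null 2>&1
}

# Print the SPIFFE URI SAN carried by $1/workload-cert.pem (empty if absent).
workload_spiffe_id() {
  openssl x509 -in "$1/workload-cert.pem" -noout -text |
    sed -n 's/.*URI:\(spiffe:[^,[:space:]]*\).*/\1/p'
}

# Stand-alone demo; set PKI_DEMO_SKIP=1 to only define the functions.
if [ -z "${PKI_DEMO_SKIP:-}" ]; then
  work=$(mktemp -d)
  make_pki "$work"
  make_alt_root "$work"
  echo "workload identity: $(workload_spiffe_id "$work")"
  if verify_workload "$work" root-cert.pem; then
    echo "chains to root-cert.pem: yes"
  fi
  if verify_workload "$work" root-cert-alt.pem; then
    echo "chains to root-cert-alt.pem: yes (unexpected)"
  else
    echo "chains to root-cert-alt.pem: no (separate trust chain)"
  fi
fi
```

The design point the script makes concrete: the only private key the issuing tier needs is ca-key.pem, so root-key.pem never has to be copied to wherever Citadel runs, and a workload certificate that verifies against root-cert.pem does not verify against root-cert-alt.pem, which is exactly the separation between two trust chains that the alternative root is there to demonstrate. Peers verifying a workload's identity should read it from the URI SAN, as workload_spiffe_id does, not from the subject DN.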
Related Concepts¶
Sources¶
400-devops__07-Monitoring-and-Observability__k8s-istio__samples__certs__README.md