This guide demonstrates how to use the MeshRootCertificate preview feature with the OSM CLI.
WARNING: This feature is currently in preview and requires the EnableMeshRootCertificate feature flag to be enabled in the MeshConfig.
Prerequisites
- Kubernetes cluster running Kubernetes v1.22.9 or greater.
- Have kubectl available to interact with the API server.
- Have the osm CLI available for installing and managing the service mesh.
- Have openssl available to view certificate information.
Demo
The following demo shows how to use the OSM CLI to initiate a root certificate rotation using the Tresor certificate provider. Learn more about this process in the Certificate Rotation documentation.
- Install OSM with the EnableMeshRootCertificate feature flag set to true.
- Check that the default MeshRootCertificate was created and that its role is active. Confirm that a Secret was created with the root certificate. Take note of the modulus of the original certificate.
- Enable permissive traffic policy mode to set up automatic application connectivity. Note: This is not a requirement to use MeshRootCertificate, but it simplifies the demo by not requiring explicit traffic policies for application connectivity.
- Deploy the httpbin service into the httpbin namespace after enrolling its namespace in the mesh. The httpbin service runs on port 14001. Confirm the httpbin service and pods are up and running.
- Deploy the curl client into the curl namespace after enrolling its namespace in the mesh. Confirm the curl client pod is up and running.
- Confirm the curl client is able to access the httpbin service on port 14001. A 200 OK response indicates the HTTP request from the curl client to the httpbin service was successful. The traffic between the application sidecar proxies is encrypted and authenticated using mutual TLS (mTLS) by leveraging the initial root certificate.
- Rotate the root certificate MeshRootCertificate using the OSM command.
- Confirm that there is only one active MRC and that the certificates are different. Confirm that a Secret was created with the root certificate. Take note of the modulus of the new certificate (it will be different from the original). View the certificate modulus being used by the httpbin service (it will be the same as the new certificate).
- Confirm the curl client is able to access the httpbin service on port 14001. A 200 OK response indicates the HTTP request from the curl client to the httpbin service was successful. The traffic between the application sidecar proxies is encrypted and authenticated using mTLS by leveraging the new root certificate.
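The modulus comparison used throughout the demo (old root versus new root, and new root versus what the httpbin sidecar presents) can be scripted so the "take note of the modulus" steps become a pass/fail check. The following is an added example, not part of the OSM documentation or the OSM project; it assumes openssl is on PATH and, for dump_mesh_root, that the CA Secret is named osm-ca-bundle in the osm-system namespace with the certificate under the ca.crt key (all labelled assumptions to adjust for your install).

```shell
#!/usr/bin/env sh
# Added example (not OSM project code): fingerprint the RSA modulus of root
# certificates so a rotation can be verified instead of eyeballed.

# Print a SHA-256 fingerprint of the modulus of the first certificate in a PEM
# file. Two certificates with the same modulus share the same key pair.
cert_modulus() {
  openssl x509 -in "$1" -noout -modulus \
    | sed 's/^Modulus=//' \
    | openssl dgst -sha256 \
    | awk '{print $NF}'
}

# Exit 0 when both PEM files carry the same public key, 1 otherwise.
# Before rotation: same_root old.crt mesh.crt should pass.
# After rotation:  same_root old.crt mesh.crt must fail, and
#                  same_root new.crt sidecar.crt should pass.
same_root() {
  [ "$(cert_modulus "$1")" = "$(cert_modulus "$2")" ]
}

# Pull the current mesh root out of the CA Secret into a PEM file.
# Secret name, namespace and key are ASSUMPTIONS; check them with
# "kubectl get secret -n osm-system" on your cluster.
dump_mesh_root() {
  kubectl get secret osm-ca-bundle -n osm-system \
    -o jsonpath='{.data.ca\.crt}' | base64 -d > "$1"
}
```

Typical use is `dump_mesh_root old.crt` before the rotation, `dump_mesh_root new.crt` after it, and then `same_root old.crt new.crt` (expected to fail) and `cert_modulus new.crt` to compare against the modulus the httpbin sidecar presents.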