Provision a certificate and key for an application without sidecars

Istio sidecars obtain their certificates using the secret discovery service. A service in the service mesh may not need (or want) an Envoy sidecar to handle its traffic. In this case, the service will need to obtain a certificate itself if it wants to connect to other TLS or mutual TLS secured services.

For a service with no need of a sidecar to manage its traffic, a sidecar can nevertheless still be deployed only to provision the private key and certificates through the CSR flow from the CA and then share the certificate with the service through a mounted file in tmpfs. We have used Prometheus as our example application for provisioning a certificate using this mechanism.

In the example application (i.e., Prometheus), a sidecar is added to the Prometheus deployment by setting the flag .Values.prometheus.provisionPrometheusCert to true (this flag is set to true by default in an Istio installation). This deployed sidecar will then request and share a certificate with Prometheus.

The key and certificate provisioned for the example application are mounted in the directory /etc/istio-certs/. We can list the key and certificate provisioned for the application by running the following command:

$ kubectl exec -it `kubectl get pod -l app=prometheus -n istio-system -o jsonpath='{.items[0].metadata.name}'` -c prometheus -n istio-system -- ls -la /etc/istio-certs/

The output from the above command should include non-empty key and certificate files, similar to the following:

-rwxr-xr-x    1 root     root          2209 Feb 25 13:06 cert-chain.pem
-rwxr-xr-x    1 root     root          1679 Feb 25 13:06 key.pem
-rwxr-xr-x    1 root     root          1054 Feb 25 13:06 root-cert.pem

If you want to use this mechanism to provision a certificate for your own application, take a look at our Prometheus example application and simply follow the same pattern.

Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!