Describe the feature request
The --trust-domain option seems to be ignored when using a plugged-in certificate (only used for self-signed):
https://github.com/istio/istio/blob/master/security/cmd/istio_ca/main.go#L428
It would be beneficial to be able to set the trust domain also for plugin certs, so that we don't always get cluster.local as the SPIFFE trust domain. This is especially true in multi-cluster environments where we want to identify workloads in different clusters based on the SPIFFE ID (for authorization etc.).
Describe alternatives you've considered
Compiling my own patched version
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
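A check for the symptom described above, added here as an example and not code from Istio or from this issue: it reads the trust domain out of a workload certificate's spiffe:// URI SAN and compares it with the value the operator meant to set via --trust-domain, so a silent cluster.local fallback is caught. The certificate is constructed in code to stand in for a Citadel-issued one, and the function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeTrustDomain returns the host part of the certificate's spiffe:// URI
// SAN (the trust domain), or "" when the certificate carries no SPIFFE ID.
func spiffeTrustDomain(cert *x509.Certificate) string {
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			return u.Host
		}
	}
	return ""
}

// checkTrustDomain fails when the trust domain differs from the intended --trust-domain value.
func checkTrustDomain(cert *x509.Certificate, want string) error {
	if got := spiffeTrustDomain(cert); got != want {
		return fmt.Errorf("trust domain mismatch: certificate has %q, expected %q", got, want)
	}
	return nil
}

// newWorkloadCert builds a constructed self-signed certificate with the SPIFFE
// ID spiffe://<trustDomain>/ns/<ns>/sa/<sa>, standing in for a Citadel-issued one.
func newWorkloadCert(trustDomain, ns, sa string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		URIs:         []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: "/ns/" + ns + "/sa/" + sa}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run checkTrustDomain against the certificates Citadel actually issues to sidecars (the workload cert chain) with the trust domain you configured; a cluster.local result where you expected your own domain reproduces the behaviour reported in this issue.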
My organization at Microsoft actually hit this same issue. I also came to the same conclusion as you and created / tested my own patched version last week. Citadel came up healthy and multi-cluster trust domains w/ intermediate certificates worked in cross-cluster RBAC scenarios.