This section describes how to replace the custom CA certificates that Istio uses for intra-cluster encryption in transit (mutual TLS between the sidecars) once they are already in use. Which steps are needed depends on what changed, so two scenarios are described below.
In every scenario you must create a new full chain certificate file (cert-chain.pem): the new ca-cert.pem followed by any intermediates up to the root, since cert-chain.pem is what the mesh validates against.
Tip: Domino recommends backing up the existing certificates and keys (for example with kubectl -n istio-system get secret cacerts -o yaml) before replacing them, so that the previous set can be restored if the new one fails.
Scenario 1: No changes were made to the private key and common name
This scenario assumes that only ca-cert.pem (and therefore cert-chain.pem) changed: the private key, the common name and the root certificate are the same as before. Existing workload certificates still chain to the same root, so it is enough to recreate the cacerts secret with the new files and restart the Istio daemon (istiod) so that it reloads them.
# Delete the existing secret that holds the CA cert files
kubectl -n istio-system delete secret cacerts
# Create a new secret from the new CA cert files (all four keys are required)
kubectl -n istio-system create secret generic cacerts \
  --from-file=./ca-cert.pem \
  --from-file=./ca-key.pem \
  --from-file=./root-cert.pem \
  --from-file=./cert-chain.pem
# Restart all istiod pods so they pick up the new secret
kubectl -n istio-system delete po -l app=istiod
Scenario 2: Updates were made to the private key, common name, or upstream certificates
Changes to the private key, the common name (CN) or the upstream (root or intermediate) certificates require that you recreate the cacerts secret and restart the Istio daemon, and in addition restart every pod that has an Istio sidecar. Running sidecars still hold workload certificates issued by the old CA and trust the old root, so they must be recreated to obtain certificates from the new CA and the new trust chain.
# Delete the existing secret that holds the CA cert files
kubectl -n istio-system delete secret cacerts
# Create a new secret from the new CA cert files (all four keys are required)
kubectl -n istio-system create secret generic cacerts \
  --from-file=./ca-cert.pem \
  --from-file=./ca-key.pem \
  --from-file=./root-cert.pem \
  --from-file=./cert-chain.pem
# Full restart of all Istio pods: istiod plus every sidecar-injected pod in the Domino namespaces.
# This deletes every pod in each namespace, so running workloads are interrupted and
# pods that are not managed by a controller are not recreated.
for NS in istio-system domino-platform domino-compute; do
  kubectl -n "$NS" get po --no-headers -o custom-columns=name:metadata.name \
    | xargs kubectl -n "$NS" delete po
done
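Both scenarios load the same four files into the cacerts secret, and choosing the wrong scenario (restarting only istiod after the key or root changed) leaves sidecars with certificates the new CA cannot validate. The script below is an added example, not part of the Domino or Istio documentation: it checks that a new set of files is internally consistent before the secret is created, and compares it with the previous set to report which scenario applies. It assumes the four files use the same names as the secret keys and that openssl is installed; the directory names and the test-material generator (make_test_pki) are constructed for the example only.

```shell
#!/bin/sh
# Added example, not part of the Domino or Istio documentation: sanity-check a
# new set of Istio CA files before loading them into the cacerts secret, and
# decide which rotation scenario applies by comparing the new set to the old.
# File names are the keys of the cacerts secret; only openssl is required.

# SHA-256 fingerprint of the first certificate in a PEM file.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }
# PEM public key derived from a private key.
pub_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }
# PEM public key embedded in a certificate.
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# verify_cacerts DIR: exit status 0 when DIR holds a consistent, usable set of
# ca-cert.pem, ca-key.pem, root-cert.pem and cert-chain.pem; 1 (with a reason)
# otherwise. Run this before 'kubectl create secret generic cacerts'.
verify_cacerts() {
  d=$1
  for f in ca-cert.pem ca-key.pem root-cert.pem cert-chain.pem; do
    [ -s "$d/$f" ] || { echo "missing or empty: $f"; return 1; }
  done
  # The private key must belong to the signing certificate.
  [ "$(pub_of_key "$d/ca-key.pem")" = "$(pub_of_cert "$d/ca-cert.pem")" ] \
    || { echo "ca-key.pem does not match ca-cert.pem"; return 1; }
  # istiod issues workload certificates with ca-cert.pem, so it must be a CA.
  openssl x509 -in "$d/ca-cert.pem" -noout -text | grep -q 'CA:TRUE' \
    || { echo "ca-cert.pem is not a CA certificate"; return 1; }
  # An expired signing certificate breaks every new workload certificate.
  openssl x509 -in "$d/ca-cert.pem" -noout -checkend 0 >/dev/null \
    || { echo "ca-cert.pem has expired"; return 1; }
  # cert-chain.pem must start with ca-cert.pem ...
  [ "$(fp "$d/cert-chain.pem")" = "$(fp "$d/ca-cert.pem")" ] \
    || { echo "cert-chain.pem does not start with ca-cert.pem"; return 1; }
  # ... and, with its intermediates, chain up to root-cert.pem.
  openssl verify -CAfile "$d/root-cert.pem" -untrusted "$d/cert-chain.pem" \
      "$d/ca-cert.pem" >/dev/null 2>&1 \
    || { echo "ca-cert.pem does not chain to root-cert.pem"; return 1; }
  return 0
}

# rotation_scenario OLD_DIR NEW_DIR: prints 1 when only ca-cert.pem changed
# (same key, same subject/CN, same root) and 2 when the private key, the CN
# or the upstream root changed and every Istio pod has to be restarted.
rotation_scenario() {
  o=$1; n=$2
  if [ "$(pub_of_key "$o/ca-key.pem")" = "$(pub_of_key "$n/ca-key.pem")" ] &&
     [ "$(openssl x509 -in "$o/ca-cert.pem" -noout -subject)" = \
       "$(openssl x509 -in "$n/ca-cert.pem" -noout -subject)" ] &&
     [ "$(fp "$o/root-cert.pem")" = "$(fp "$n/root-cert.pem")" ]; then
    echo 1
  else
    echo 2
  fi
}

# make_test_pki DIR [SRC]: constructed throwaway test material (a root and one
# intermediate CA), not real cluster certificates. With SRC, the root and the
# intermediate key are copied from SRC so that only ca-cert.pem is re-issued.
make_test_pki() {
  t=$1; src=${2:-}
  mkdir -p "$t"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$t/ca.ext"
  if [ -n "$src" ]; then
    cp "$src/root-key.pem" "$src/root-cert.pem" "$src/ca-key.pem" "$t/"
  else
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$t/root-key.pem" 2>/dev/null
    openssl req -new -key "$t/root-key.pem" -subj '/O=Example/CN=Example Root' \
      -out "$t/root.csr" 2>/dev/null
    openssl x509 -req -in "$t/root.csr" -signkey "$t/root-key.pem" -days 1 \
      -extfile "$t/ca.ext" -out "$t/root-cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$t/ca-key.pem" 2>/dev/null
  fi
  openssl req -new -key "$t/ca-key.pem" -subj '/O=Example/CN=Example Istio CA' \
    -out "$t/ca.csr" 2>/dev/null
  openssl x509 -req -in "$t/ca.csr" -CA "$t/root-cert.pem" -CAkey "$t/root-key.pem" \
    -CAcreateserial -days 1 -extfile "$t/ca.ext" -out "$t/ca-cert.pem" 2>/dev/null
  # cert-chain.pem: the signing certificate followed by everything up to the root.
  cat "$t/ca-cert.pem" "$t/root-cert.pem" > "$t/cert-chain.pem"
}

# Usage: sh check-cacerts.sh NEW_DIR [OLD_DIR]
if [ -n "${1:-}" ]; then
  verify_cacerts "$1" || exit 1
  if [ -n "${2:-}" ]; then echo "scenario: $(rotation_scenario "$2" "$1")"; fi
fi
```

Run it as sh check-cacerts.sh ./new-certs ./old-certs, where old-certs holds the files extracted from the backed-up secret. A non-zero exit means the new set should not be loaded; "scenario: 2" means the full restart of the Istio and Domino namespaces is required, not only the istiod restart.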