Topic Leader(s)
Topic Description
45m, Eric Multanen Subin John EMCO distribution of Istio CA certificates to target clusters
Topic Overview
Problem Statements:
- Geo distributed applications deployed as microservices and placed across multiple clusters have a number of requirements:
- TLS, Authentication, Authorization and Certificate enrollment is needed for communication security and authentication/authorization
- Coding per microservice is error prone, complex and inconsistent across various microservices
- A Service Mesh - such as Istio - provide a centralized and consistent mechanism for providing these capabilities to microservices
- Even with the benefits of a Service Mesh, additional challenges remain:
- Communication among microservices in different clusters is challenging and complex to configure. The certificate enrollments of each microservice in any cluster should have a common CA in order for mTLS communication between them to work. Multiple Istio service mesh in different clusters need to be configured with a common CA.
- For multi-tenant use cases, the service mesh needs to support multiple CAs. Again, configured for a given tenant consistently across multiple clusters.
EMCO is a geo-distributed application orchestrator designed to place and deploy complex applications across multiple clusters. This includes the capability to automate the configuration of the Istio service mesh to provide secure communications between application microservices within a cluster and between clusters.
This presentation will describe the EMCO capabilities being developed for enrolling and distributing common root CAs to each of the cluster Istio service meshes, including multiple Istio CA support for different tenants. This capability is the foundation for the automation of application microservice inter-cluster communications that is also automated by EMCO.
Slides & Recording
Informational Presentation
2022-06-14 -EMCO-dist-Istio-CA certificates.mp4
Agenda
Awesome presentation
- Point 1
- Point 2