In addition to Mesh CA, you can configure Anthos Service Mesh to use Certificate Authority Service. This preview provides you an opportunity to experiment with CA Service, which we expect will be suitable for the following use cases:
- If you need different certificate authorities to sign workload certificates on different clusters.
- If you need certificate authorities to sign workload certificates that chain up to a custom enterprise root.
- If you need to back your signing keys in a Google-managed HSM.
The use of Mesh CA is included in the Anthos Service Mesh pricing. The CA Service isn't included in the base Anthos Service Mesh price. CA Service is free during the preview period.
This guide describes how to integrate CA Service with a new installation of Anthos Service Mesh 1.9.5-asm.2 on GKE.
Setting up CA Service
When setting up CA Service to prepare for the integration with Anthos Service Mesh, we recommend the following:
- Create the CA in the same project as the GKE cluster.
- Set up one subordinate CA per GKE cluster.
- Create the subordinate CA in the same Google Cloud region as the cluster.
To get started using CA Service, see the CA Service Quickstart.
Configuring Anthos Service Mesh to use CA Service
Download the Anthos Service Mesh
kpt pkg get \ https://github.com/GoogleCloudPlatformemail@example.com asm
Give Anthos Service Mesh permission to use the CA Service to create workload certificates. Replace the placeholder values in the commands with the following:
SUB_CA_ID: The name of the subordinate CA that you created.
CA_LOCATION: The location where the subordinate CA was created.
PROJECT_ID: The project ID of the project that you created the CA in.
gcloud beta privateca subordinates add-iam-policy-binding "SUB_CA_ID" \ --location="CA_LOCATION" \ --project="PROJECT_ID" \ --member="serviceAccount:PROJECT_ID.svc.id.goog[istio-system/istiod-service-account]" \ --role="roles/privateca.certificateManager"
Configure the Anthos Service Mesh
kptpackage to use the subordinate CA for the cluster. The following steps modify the
Set the CA name:
kpt cfg set asm anthos.servicemesh.external_ca.ca_name projects/PROJECT_ID/locations/CA_LOCATION/certificateAuthorities/SUB_CA_ID
Set the project ID:
kpt cfg set asm gcloud.core.project PROJECT_ID
Follow the steps in Installing Anthos Service Mesh on GKE to use a Google-provided script to install Anthos Service Mesh. When you run the script, include the following option:
./install_asm \ --project_id PROJECT_ID \ --cluster_name CLUSTER_NAME \ --cluster_location CLUSTER_LOCATION \ --mode install \ --enable_all \ --option private-ca
Complete the Anthos Service Mesh installation to enable automatic sidecar proxy injection on your workloads. For details, see Deploying and redeploying workloads.