Version 1.11

Configuring Anthos Service Mesh to use Certificate Authority Service

In addition to Mesh CA, you can configure Anthos Service Mesh to use Certificate Authority Service. This guide describes how to integrate with CA Service, which we expect to suit the following use cases:

  • If you need different certificate authorities to sign workload certificates on different clusters.
  • If you need certificate authorities to sign workload certificates that chain up to a custom enterprise root.
  • If you need to back your signing keys in a Google-managed HSM.

The use of Mesh CA is included in the Anthos Service Mesh pricing. The CA Service isn't included in the base Anthos Service Mesh price and is charged separately. The CA Service is currently only supported by GKE-on-GCP (single project).

This guide describes how to integrate CA Service with a new installation of Anthos Service Mesh 1.11.2-asm.17 on GKE.

For this integration, all workloads in Anthos Service Mesh are granted two IAM roles:

Configure CA Service

Follow the steps in Get started to:

Additionally, if you have not already set up the CA pool, configure it using the following instructions:

  • Create the CA pool and have at least one active certificate authority in that CA pool in the same project as the GKE cluster. Use subordinate CAs to sign Anthos Service Mesh workload certificates. Note down the CA pool corresponding to the subordinate CA.
  • Ensure the CA pool is in the tier DevOps and in the same region as the cluster that it serves to avoid excessive latency issues or potential cross-region outages. For more information, see Workload-optimized tiers.
  • If the CA pool is meant to issue certificates only for Anthos Service Mesh workloads, set up the following issuance policy for it:

    policy.yaml

      # Values applied to every certificate the pool issues; isCa: false
      # prevents the pool from issuing CA certificates to workloads.
      baselineValues:
        keyUsage:
          baseKeyUsage:
            digitalSignature: true
            keyEncipherment: true
          extendedKeyUsage:
            serverAuth: true
            clientAuth: true
        caOptions:
          isCa: false
      # Identity comes from the SANs only, and every SAN must be a SPIFFE URI
      # in this project's mesh trust domain.
      identityConstraints:
        allowSubjectPassthrough: false
        allowSubjectAltNamesPassthrough: true
        celExpression:
          expression: subject_alt_names.all(san, san.type == URI && san.value.startsWith("spiffe://PROJECT_ID.svc.id.goog/ns/") )
    

To update the CA pool's issuance policy, use the following command:

gcloud privateca pools update CA_POOL --location ca_region --issuance-policy policy.yaml

For information on setting a policy on a pool, see Using a certificate issuance policy.
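The CEL expression in the issuance policy is the part most worth checking before you apply it to the pool. The following Python is an added example, not code from the Anthos Service Mesh or CA Service documentation: it re-implements the expression's logic over constructed SAN lists so you can see which requests the pool would accept and why, and it splits accepted SPIFFE IDs into namespace and service account. The project ID `example-project`, the function names and the sample requests are all assumptions made for this example.

```python
"""Added example (not from the ASM or CA Service docs): emulate the
identityConstraints CEL expression from policy.yaml in Python."""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed placeholder; substitute your real project ID when adapting this.
PROJECT_ID = "example-project"

SAN = Tuple[str, str]  # (type, value), e.g. ("URI", "spiffe://...") or ("DNS", "host")


def spiffe_prefix(project_id: str) -> str:
    """The trust-domain prefix that the policy's CEL expression hard-codes."""
    return f"spiffe://{project_id}.svc.id.goog/ns/"


def policy_allows(sans: Iterable[SAN], project_id: str = PROJECT_ID) -> bool:
    """Python equivalent of the policy's CEL expression:
    subject_alt_names.all(san, san.type == URI && san.value.startsWith(prefix)).
    As with CEL's all(), an empty SAN list evaluates to True, so a request
    carrying no SANs at all is not rejected by this expression on its own."""
    prefix = spiffe_prefix(project_id)
    return all(san_type == "URI" and value.startswith(prefix)
               for san_type, value in sans)


def parse_spiffe_id(uri: str, project_id: str = PROJECT_ID) -> Optional[Tuple[str, str]]:
    """Split an Anthos Service Mesh workload identity of the form
    spiffe://PROJECT_ID.svc.id.goog/ns/NAMESPACE/sa/SERVICE_ACCOUNT into
    (namespace, service_account); None if the URI has any other shape."""
    pattern = re.escape(spiffe_prefix(project_id)) + r"([^/]+)/sa/([^/]+)"
    match = re.fullmatch(pattern, uri)
    return (match.group(1), match.group(2)) if match else None


def audit(requests: List[Tuple[str, List[SAN]]], project_id: str = PROJECT_ID):
    """Evaluate (label, sans) pairs; return [(label, allowed, parsed_identities)]."""
    results = []
    for label, sans in requests:
        allowed = policy_allows(sans, project_id)
        identities = [parse_spiffe_id(value, project_id)
                      for san_type, value in sans if san_type == "URI"]
        results.append((label, allowed, identities))
    return results


# Constructed sample certificate requests (SAN lists only); not real mesh traffic.
SAMPLE_REQUESTS = [
    ("sidecar in default namespace",
     [("URI", "spiffe://example-project.svc.id.goog/ns/default/sa/bookinfo-productpage")]),
    ("foreign trust domain",
     [("URI", "spiffe://other-project.svc.id.goog/ns/default/sa/bookinfo-productpage")]),
    ("extra DNS SAN alongside a valid SPIFFE ID",
     [("URI", "spiffe://example-project.svc.id.goog/ns/default/sa/reviews"),
      ("DNS", "api.example.internal")]),
    ("no SANs at all", []),
]

if __name__ == "__main__":
    for label, allowed, identities in audit(SAMPLE_REQUESTS):
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{verdict} {label}: {identities}")
```

Two things the run makes visible: a single non-URI SAN is enough to fail the whole request, because `all()` requires every SAN to match, and a request with no SANs passes the expression even though it carries no workload identity. Since `allowSubjectPassthrough` is `false`, the SANs are the only place a workload identity can come from, which is why the expression pins both the SAN type and the trust domain.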

Configure Anthos Service Mesh to use CA Service

  1. Install the Anthos Service Mesh control plane that uses Certificate Authority Service as the CA:

    ./asmcli install \
      --project_id PROJECT_ID \
      --cluster_name CLUSTER_NAME \
      --cluster_location CLUSTER_LOCATION \
      --enable_all \
      --ca gcp_cas \
      --ca_pool projects/PROJECT_NAME/locations/ca_region/caPools/CA_POOL
    
  2. Install an ingress gateway to receive incoming or outgoing HTTP/TCP connections. For details, see Install Gateways.

  3. Complete the Anthos Service Mesh installation to enable automatic sidecar proxy injection on your workloads. For details, see Deploy and redeploy workloads.

What's next