Configuring Anthos Service Mesh to use CA Service

Warning: This preview of the Certificate Authority Service (CA Service) integration with Anthos Service Mesh is meant for experimentation only. We do not recommend using the preview version of CA Service in a production environment. Backward incompatible changes to CA Service are planned in April. When the preview ends:

The preview CA Service will be shutdown and all CA instances will be deleted.
When the updated CA Service is available, you will have to recreate your CAs and upgrade Anthos Service Mesh to configure it to use CA Service.
The documentation for how to create a CA using CA Service and how to set up the integration will change.

This feature is covered by the Pre-GA Offerings Terms of the Google Cloud Platform Terms of Service. Pre-GA features may have limited support, and changes to pre-GA features may not be compatible with other pre-GA versions. For more information, see the launch stage descriptions.

In addition to Mesh CA, you can configure Anthos Service Mesh to use Certificate Authority Service. This preview provides you an opportunity to experiment with CA Service, which we expect will be suitable for the following use cases:

If you need different certificate authorities to sign workload certificates on different clusters.
If you need certificate authorities to sign workload certificates that chain up to a custom enterprise root.
If you need to back your signing keys in a Google-managed HSM.

The use of Mesh CA is included in the Anthos Service Mesh pricing. The CA Service isn't included in the base Anthos Service Mesh price. CA Service is free during the preview period.

This guide describes how to integrate CA Service with a new installation of Anthos Service Mesh 1.10.6-asm.2 on GKE.

Setting up CA Service

When setting up CA Service to prepare for the integration with Anthos Service Mesh, we recommend the following:

Create the CA in the same project as the GKE cluster.
Set up one subordinate CA per GKE cluster.
Create the subordinate CA in the same Google Cloud region as the cluster.

To get started using CA Service, see the CA Service Quickstart.

Configuring Anthos Service Mesh to use CA Service

Download the Anthos Service Mesh kpt package:

kpt pkg get \
https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages.git/asm@release-1.10-asm asm

Give Anthos Service Mesh permission to use the CA Service to create workload certificates. Replace the placeholder values in the commands with the following:
- SUB_CA_ID: The name of the subordinate CA that you created.
- CA_LOCATION: The location where the subordinate CA was created.
- PROJECT_ID: The project ID of the project that you created the CA in.
```
gcloud beta privateca subordinates add-iam-policy-binding "SUB_CA_ID" \
    --location="CA_LOCATION" \
    --project="PROJECT_ID" \
    --member="serviceAccount:PROJECT_ID.svc.id.goog[istio-system/istiod-service-account]" \
    --role="roles/privateca.certificateManager"
```
Configure the Anthos Service Mesh kpt package to use the subordinate CA for the cluster. The following steps modify the asm/istio/options/private-ca.yaml file.
1. Set the CA name:
```
kpt cfg set asm anthos.servicemesh.external_ca.ca_name projects/PROJECT_ID/locations/CA_LOCATION/certificateAuthorities/SUB_CA_ID
```
2. Set the project ID:
```
kpt cfg set asm gcloud.core.project PROJECT_ID
```

Follow the steps in Installing Anthos Service Mesh on GKE to use a Google-provided script to install Anthos Service Mesh. When you run the script, include the following option:

--option private-ca

For example:

./install_asm \
  --project_id PROJECT_ID \
  --cluster_name CLUSTER_NAME \
  --cluster_location CLUSTER_LOCATION \
  --mode install \
  --enable_all \
  --option private-ca

Complete the Anthos Service Mesh installation to enable automatic sidecar proxy injection on your workloads. For details, see Deploying and redeploying workloads.

What's next

Deploying the Online Boutique sample application