Anthos Service Mesh 1.10 has reached end of life and is no longer supported. See Upgrading from earlier versions.

View the latest documentation or select another available version:

Configuring Anthos Service Mesh to use CA Service

In addition to Mesh CA, you can configure Anthos Service Mesh to use Certificate Authority Service. This preview provides you an opportunity to experiment with CA Service, which we expect will be suitable for the following use cases:

  • If you need different certificate authorities to sign workload certificates on different clusters.
  • If you need certificate authorities to sign workload certificates that chain up to a custom enterprise root.
  • If you need to back your signing keys in a Google-managed HSM.

The use of Mesh CA is included in the Anthos Service Mesh pricing. The CA Service isn't included in the base Anthos Service Mesh price. CA Service is free during the preview period.

This guide describes how to integrate CA Service with a new installation of Anthos Service Mesh 1.10.6-asm.2 on GKE.

Setting up CA Service

When setting up CA Service to prepare for the integration with Anthos Service Mesh, we recommend the following:

  • Create the CA in the same project as the GKE cluster.
  • Set up one subordinate CA per GKE cluster.
  • Create the subordinate CA in the same Google Cloud region as the cluster.

To get started using CA Service, see the CA Service Quickstart.

Configuring Anthos Service Mesh to use CA Service

  1. Download the Anthos Service Mesh kpt package:

    kpt pkg get \ asm
  2. Give Anthos Service Mesh permission to use the CA Service to create workload certificates. Replace the placeholder values in the commands with the following:

    • SUB_CA_ID: The name of the subordinate CA that you created.
    • CA_LOCATION: The location where the subordinate CA was created.
    • PROJECT_ID: The project ID of the project that you created the CA in.
    gcloud beta privateca subordinates add-iam-policy-binding "SUB_CA_ID" \
        --location="CA_LOCATION" \
        --project="PROJECT_ID" \
        --member="[istio-system/istiod-service-account]" \
  3. Configure the Anthos Service Mesh kpt package to use the subordinate CA for the cluster. The following steps modify the asm/istio/options/private-ca.yaml file.

    1. Set the CA name:

      kpt cfg set asm anthos.servicemesh.external_ca.ca_name projects/PROJECT_ID/locations/CA_LOCATION/certificateAuthorities/SUB_CA_ID
    2. Set the project ID:

      kpt cfg set asm gcloud.core.project PROJECT_ID
  4. Follow the steps in Installing Anthos Service Mesh on GKE to use a Google-provided script to install Anthos Service Mesh. When you run the script, include the following option:

    --option private-ca

    For example:

    ./install_asm \
      --project_id PROJECT_ID \
      --cluster_name CLUSTER_NAME \
      --cluster_location CLUSTER_LOCATION \
      --mode install \
      --enable_all \
      --option private-ca
  5. Complete the Anthos Service Mesh installation to enable automatic sidecar proxy injection on your workloads. For details, see Deploying and redeploying workloads.

What's next