In-place CA Migration
Stay organized with collections
Save and categorize content based on your preferences.
If your mesh has multiple clusters with workloads that send requests to workloads on another cluster, then follow all steps in this guide for all the clusters.
Use the steps in this guide for the following use case:
- Migrate an in-cluster Cloud Service Mesh v1.13 or later control plane with Mesh CA to Certificate Authority Service.
- Migrate a managed Cloud Service Mesh control plane on a release channel that maps to v1.13 or later with Mesh CA to Certificate Authority Service.
In-place CA migrations and upgrades are only supported from Cloud Service Mesh v1.13 or later. For managed control plane migrations, ensure the chosen channel maps to v1.13 or later.
Before following the steps in this guide, ensure you have:
Additionally, ensure you are currently on Cloud Service Mesh v1.13 or later.
Required tools
During the migration, you run a Google-provided tool, migrate_ca
. This tool
has the following dependencies:
Before downloading the migrate_ca
tool, follow the steps in
Prepare for your migration.
Overview of the migration
During the migration process, authentication and authorization are fully functional between workloads using the previous CA and workloads using the new CA.
The migrate_ca
migration tool will create a Kubernetes configuration map to
track the status of CA migration per installed Cloud Service Mesh revision/channel.
This is a privileged resource installed in the istio-system
apiVersion: v1
kind: ConfigMap
Name: asm-ca-migration-<revision>
The migration tool will backup the Istio MeshConfig config map before amending
it and attempts to migrate the CA configuration using the
CRD when possible.
The following is an outline of the CA migration:
Prepare for your migration
Download the
bash tool:curl > migrate_ca
Make the tool executable:
chmod +x migrate_ca
Set up the working directory:
./migrate_ca setup --output_dir
OUTPUT_DIR Change the working directory to the OUTPUT_DIR specified in the previous step
OUTPUT_DIR Run the following command to ensure that all of the prerequisites are met:
./migrate_ca check-prerequisites
Make note of the revision (
) of the control plane associated with the previous CA that is being migrated. The steps required depend on the type of control plane, either in-cluster or managed.ASM_REVISION asm-revision=$(kubectl get deploy -n istio-system -l app=istiod -o \ "jsonpath={.items[*].metadata.labels[istio\.io/rev']}{'\n'}")
Refer to the channel already installed.
Since the in-place CA migration requires you to restart your workloads, ensure that the Pod Disruption Budget is correctly configured and all applications whose CA needs to be migrated have more than one running Pod.
Ensure that the cluster is already registered to a fleet and that workload-identity is enabled on the cluster. Then, make note of the fleet project ID as (
) for future steps.FLEET_ID The tool accepts
to select the cluster where the operations are performed. If these arguments are not passed in, then the default context/config are used.To add the credentials of a GKE cluster to the
, use the following command:gcloud container clusters get-credentials
CLUSTER_NAME To change the current
context or to pass context to the tool, use the following command:kubectl config get-contexts kubectl config use-context
Initialize the new CA
The steps required to initialize the new CA depend on the new CA to which you are migrating. Perform these steps in every fleet cluster where you want to migrate the CA.
Call the utility tool
sub-command.If you are specifying custom Kubernetes configurations:
./migrate_ca initialize --kubeconfig
KUBECONFIG --kubecontextKUBECONTEXT --ca mesh_ca --old_caOLD_CA_TYPE \ --fleet_idFLEET_ID --revisionASM_REVISION Otherwise:
./migrate_ca initialize --ca mesh_ca --old_ca
OLD_CA_TYPE \ --fleet_idFLEET_ID --revisionASM_REVISION ```a. Follow the steps required to initialize Certificate Authority Service. Make note of the
.CA_POOL b. Call the utility tool
sub-command:If you are specifying custom Kubernetes configurations:
./migrate_ca initialize --kubeconfig
KUBECONFIG --contextKUBECONTEXT --ca gcp_cas --ca-poolCA_POOL --ca-oldOLD_CA_TYPE \ --fleet-idFLEET_ID --revisionASM_REVISION Otherwise:
./migrate_ca initialize --ca gcp_cas --ca-pool
CA_POOL --ca-oldOLD_CA_TYPE \ --fleet-idFLEET_ID --revisionASM_REVISION
Add mesh-wide trustAnchors for all clusters in the fleet
Repeat the steps below for both the new CA and old CA for all clusters that are part of the fleet.
Download the trustAnchors of the CA:
./migrate_ca download-trust-anchor --ca mesh_ca --ca_cert
ROOT_CERT.pem Store the CA certificate in a file:
gcloud privateca pools get-ca-certs
POOL_NAME --location=POOL_REGION --project=POOL_PROJECT --output-fileROOT_CERT.pem Add trustAnchors of the CA:
./migrate-ca add-trust-anchor --ca_cert
ROOT_CERT.pem Verify that the trustAnchors have been received by all workloads in the fleet. In the namespaces argument, pass all the namespaces where workloads are deployed:
./migrate-ca check-trust-anchor --ca_cert
ROOT_CERT.pem --namespacesNAMESPACES Expected output:
Check the CA cert in namespace nsa-1-24232 a-v1-597f875788-52c5t.nsa-1-24232 trusts root-cert.pem
Migrate the CA
Migrate the CA configuration. The command required depends on the new CA to which you are migrating.
./migrate_ca migrate-ca --ca mesh_ca
./migrate_ca migrate-ca --ca gcp_cas --ca_pool
CA_POOL Restart all the workloads.
To minimize the risk of TLS traffic downtime, this step should impact the smallest number of workloads first. Only restart workloads that are associated with the control plane revision ASM_REVISION. For example, if all workloads in kubernetes namespace NAMESPACE are associated with the same Cloud Service Mesh control plane.
kubectl rollout restart deployment -n
NAMESPACE Verify that mTLS connections work between workloads in the restarted namespace and other workloads before repeating steps 1 and 2 for all namespaces and for all clusters that are part of the fleet. If newer workloads are coming up and mesh traffic is not interrupted, repeat steps 1 and 2 for all namespaces and clusters that are a part of the fleet. Otherwise, proceed to perform a rollback to rollback the newer CA configuration.
Verify that the new CA configuration is being used by all workloads:
./migrate_ca verify-ca --ca_cert
ROOT_CERT.pem --namespacesNAMESPACES Expected output:
Check the CA configuration in namespace nsb-2-76095 b-v1-8ff557759-pds69.nsb-2-76095 is signed by root-cert.pem
Perform a rollback
Roll back the CA configuration and remove the newly configured trustAnchors:
./migrate-ca rollback
Restart all the workloads. Ensure to only restart workloads that are associated with the control plane revision ASM_REVISION. For instance, if all workloads in kubernetes namespace NAMESPACES are associated with the same Cloud Service Mesh control plane.
kubectl rollout restart deployment -n
NAMESPACES (Optional) Verify that the older CA configuration is being used by all workloads.
./migrate-ca verify-ca --ca_cert older-root-cert.pem
Repeat steps 1-3 for all clusters in the fleet where workloads use the ASM_REVISION control plane.
Congratulations! You've successfully performed an in-place CA migration.