Peer authentication is fundamental part of Istio’s zero-trust security model. By default, Istio creates a private key and self-signed root certificate, uses them to automatically sign and issue X.509 certificates to every workload, and help application make mutual TLS to secure service-to-service communication without code changes. In production environment, it is strongly recommended to issue the root CA from a PKI provider to enhance the security and provide more flexibility.

In this speech, Chaomeng will share a detailed practice of how cert-manager, a powerful and extensible X.509 certificate controller, help Istio build enhanced zero-trust network. That is how cert-manager simplify Istio root CA lifecycle management by automatically obtaining certificates from a specified PKI provider, and renewing certificates at a configured time before expiry to avoid any service downtime.