Home / Kong Mesh
Edit
Report

Certificate Authority rotation

Uses: Kong Mesh
Related Documentation
All Mesh Documentation
Tags
#mtls #certificates
Related Resources
HashiCorp Vault CA
Kubernetes cert-manager CA policy
ACM Private CA Policy
Multi-zone Authentication
Kong Mesh enterprise features

Kong Mesh lets you provide secure communication between applications with mTLS. You can change the mTLS backend with Certificate Authority rotation, to support a scenario such as migrating from the builtin CA to a Vault CA.

You can define many backends in the mtls section of the Mesh configuration. The Data Plane proxy is configured to support certificates signed by the CA of each defined backend. However, the proxy uses only one certificate, specified by the enabledBackend tag. For example:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin
    - name: ca-2
      type: provided
      conf:
        cert:
          secret: ca-2-cert
        key:
          secret: ca-2-key

CA rotation usage

Start with mTLS enabled and a builtin backend named ca-1:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin

Then, follow the steps to rotate certificates to a new provided backend named ca-2. Each step can take some time, but Kong Mesh provides validators to prevent you from continuing too soon.

  1. Add a new backend to the list of backends:

    apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin
    - name: ca-2
      type: provided
      conf:
        cert:
          secret: ca-2-cert
        key:
          secret: ca-2-key

    After the configuration finishes, all Data Plane proxies support CAs from ca-1 and ca-2. But the Data Plane proxy certificates are still signed by the CA from ca-1.

  2. Change enabledBackend to the new backend:

    apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-2
    backends:
    - name: ca-1
      type: builtin
    - name: ca-2
      type: provided
      conf:
        cert:
          secret: ca-2-cert
        key:
          secret: ca-2-key

    After the configuration finishes, the Data Plane proxy certificates are signed by the CA from ca-2. The Data Plane proxies still support CAs from ca-1 and ca-2.

  3. Remove the old backend:

    apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-2
    backends:
    - name: ca-2
      type: provided
      conf:
        cert:
          secret: ca-2-cert
        key:
          secret: ca-2-key

    After the configuration finishes, the Data Plane proxy certificates should still be signed by the CA from ca-2. But the Data Plane proxies no longer support the CA from ca-1.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support