Skip to content

Istio CSR overview

Istio CSR is a Kubernetes component for Next-Gen Trust Security that serves as an alternative to Istio's built-in CA server. Istio CSR uses cert-manager to authenticate, authorize, and sign certificate signing requests from Istio workloads.

Istio CSR provides the following key benefits:

  • Replaces Istio's built-in CA server by providing the same gRPC service interface while routing certificate signing through cert-manager.
  • Supports any cert-manager issuer so you can use any certificate authority that cert-manager supports for your Istio workload certificates.
  • Must be installed before Istio because Istio depends on a ConfigMap named istio-ca-root-cert that Istio CSR creates at startup.

By using Istio CSR, your Istio service mesh issues certificates through cert-manager instead of Istio's built-in CA.

To learn more about how Istio requests certificates, see Identity and certificate management in the Istio documentation.

What's next?

To get started, install Istio CSR in your cluster using Helm. For a version history, see the releases page.