Certificate Authority rotation

Overview

Kong Mesh secures communication between applications with mTLS. Certificate Authority rotation lets you change the mTLS backend in place, for example to migrate from the builtin CA to a Vault CA.

You can define several backends in the mtls section of the Mesh configuration. Every data plane proxy is configured to trust certificates signed by the CA of each defined backend. However, a proxy's own certificate is issued by only one backend: the one named in the enabledBackend field. For example:

Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin
    - name: ca-2
      type: provided
      conf:
        cert:
          secret: ca-2-cert
        key:
          secret: ca-2-key

Universal:

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
  - name: ca-1
    type: builtin
  - name: ca-2
    type: provided
    conf:
      cert:
        secret: ca-2-cert
      key:
        secret: ca-2-key

Usage

Start with mTLS enabled and a builtin backend named ca-1:

Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin

Universal:

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
  - name: ca-1
    type: builtin

Then follow these steps, in order, to rotate to a new provided backend named ca-2. Each step can take some time to propagate to every data plane proxy, but Kong Mesh provides validators that prevent you from continuing too soon. You can also check progress yourself with kumactl inspect dataplanes: the data plane insight reports, for each proxy, which backend issued its current certificate and which backends it supports.

Kubernetes:

1. Add the new backend to the list of backends:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin
    - name: ca-2
      type: provided
      conf:
        cert:
          secret: ca-2-cert
        key:
          secret: ca-2-key

   After the configuration finishes propagating, all data plane proxies trust the CAs of both ca-1 and ca-2, but their own certificates are still issued by the CA of ca-1.

2. Change enabledBackend to the new backend:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-2
    backends:
    - name: ca-1
      type: builtin
    - name: ca-2
      type: provided
      conf:
        cert:
          secret: ca-2-cert
        key:
          secret: ca-2-key

   After the configuration finishes, data plane proxy certificates are issued by the CA of ca-2. The proxies still trust the CAs of both ca-1 and ca-2, so a proxy that has not yet been reissued can keep talking to one that has.

3. Remove the old backend:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-2
    backends:
    - name: ca-2
      type: provided
      conf:
        cert:
          secret: ca-2-cert
        key:
          secret: ca-2-key

   After the configuration finishes, data plane proxy certificates are still issued by the CA of ca-2, and the proxies no longer trust the CA of ca-1. Do not apply this step until every proxy holds a certificate issued by ca-2: a proxy still presenting a ca-1 certificate is rejected by peers that have already dropped ca-1.

  
  
    
Universal:

1. Add the new backend to the list of backends:

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
  - name: ca-1
    type: builtin
  - name: ca-2
    type: provided
    conf:
      cert:
        secret: ca-2-cert
      key:
        secret: ca-2-key

   After the configuration finishes propagating, all data plane proxies trust the CAs of both ca-1 and ca-2, but their own certificates are still issued by the CA of ca-1.

2. Change enabledBackend to the new backend:

type: Mesh
name: default
mtls:
  enabledBackend: ca-2
  backends:
  - name: ca-1
    type: builtin
  - name: ca-2
    type: provided
    conf:
      cert:
        secret: ca-2-cert
      key:
        secret: ca-2-key

   After the configuration finishes, data plane proxy certificates are issued by the CA of ca-2. The proxies still trust the CAs of both ca-1 and ca-2, so a proxy that has not yet been reissued can keep talking to one that has.

3. Remove the old backend:

type: Mesh
name: default
mtls:
  enabledBackend: ca-2
  backends:
  - name: ca-2
    type: provided
    conf:
      cert:
        secret: ca-2-cert
      key:
        secret: ca-2-key

   After the configuration finishes, data plane proxy certificates are still issued by the CA of ca-2, and the proxies no longer trust the CA of ca-1. Do not apply this step until every proxy holds a certificate issued by ca-2: a proxy still presenting a ca-1 certificate is rejected by peers that have already dropped ca-1.
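To see why the three steps have to be applied separately and in this order, here is an added example that is not part of the Kong Mesh documentation or code base: a small Python model of how a change to the Mesh mtls section propagates to data plane proxies. The MeshMtls and ProxyState types, the transition_is_safe and first_unsafe_step checks, and the constructed plans are assumptions made for the illustration; the only behaviour taken from the page is that a proxy's certificate is issued by enabledBackend and that the proxy trusts the CA of every listed backend. The model treats a rollout as a period in which some proxies run the previous config and some the new one, and asks whether every such pair can still complete a mutual TLS handshake.

```python
"""
Added illustration (not Kong Mesh code): a model of how a change to the
Mesh mtls section rolls out to data plane proxies, used to show why the
three rotation steps must be applied one at a time and in order.

Hypothetical assumptions, not the product's own API:
  - a proxy that has received a Mesh config presents a certificate issued
    by enabledBackend and trusts the CA of every listed backend;
  - while a change propagates, some proxies still run the previous config,
    so every old/new pair must still be able to complete an mTLS handshake.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional, Sequence


@dataclass(frozen=True)
class MeshMtls:
    """The parts of spec.mtls that matter for rotation."""
    enabled_backend: str
    backends: tuple  # names of the CAs listed under backends

    def __post_init__(self) -> None:
        # Sanity check for the model: the enabled backend must be listed.
        if self.enabled_backend not in self.backends:
            raise ValueError(
                f"enabledBackend {self.enabled_backend!r} is not a listed backend")


@dataclass(frozen=True)
class ProxyState:
    """What one data plane proxy holds once it has applied a Mesh config."""
    issuer: str         # backend whose CA signed the proxy's own certificate
    trusted: frozenset  # backends whose CA the proxy accepts from a peer


def proxy_state_for(mesh: MeshMtls) -> ProxyState:
    return ProxyState(mesh.enabled_backend, frozenset(mesh.backends))


def can_handshake(a: ProxyState, b: ProxyState) -> bool:
    """mTLS is mutual: each side must trust the CA that issued the other's cert."""
    return a.issuer in b.trusted and b.issuer in a.trusted


def transition_is_safe(old: MeshMtls, new: MeshMtls) -> bool:
    """True if proxies on the old and the new config can all still talk to each
    other, i.e. the change can propagate gradually without breaking mTLS."""
    states = (proxy_state_for(old), proxy_state_for(new))
    return all(can_handshake(a, b) for a, b in product(states, repeat=2))


def first_unsafe_step(plan: Sequence[MeshMtls]) -> Optional[int]:
    """Index of the first config in the plan whose rollout would break traffic,
    or None if every step is safe."""
    for i in range(1, len(plan)):
        if not transition_is_safe(plan[i - 1], plan[i]):
            return i
    return None


# Constructed configs mirroring the page: builtin ca-1 rotated to provided ca-2.
START      = MeshMtls("ca-1", ("ca-1",))
ADD_CA2    = MeshMtls("ca-1", ("ca-1", "ca-2"))  # step 1: add backend
SWITCH_CA2 = MeshMtls("ca-2", ("ca-1", "ca-2"))  # step 2: change enabledBackend
REMOVE_CA1 = MeshMtls("ca-2", ("ca-2",))         # step 3: remove old backend

DOCUMENTED_PLAN = (START, ADD_CA2, SWITCH_CA2, REMOVE_CA1)
# Shortcuts an operator might be tempted to take:
ONE_SHOT        = (START, REMOVE_CA1)              # swap everything in one change
ADD_AND_SWITCH  = (START, SWITCH_CA2, REMOVE_CA1)  # merge steps 1 and 2
SWITCH_AND_DROP = (START, ADD_CA2, REMOVE_CA1)     # merge steps 2 and 3


if __name__ == "__main__":
    plans = [("documented", DOCUMENTED_PLAN), ("one-shot", ONE_SHOT),
             ("add+switch", ADD_AND_SWITCH), ("switch+drop", SWITCH_AND_DROP)]
    for name, plan in plans:
        bad = first_unsafe_step(plan)
        verdict = "safe" if bad is None else f"breaks mTLS at step {bad}"
        print(f"{name:12s}: {verdict}")
```

Running the script reports the documented plan as safe and each shortcut as breaking at the step where a proxy on the new config would present a certificate the old proxies do not trust (merging steps 1 and 2), or where a proxy on the new config would stop trusting certificates the old proxies still present (merging steps 2 and 3). That is the invariant the real control plane's validators exist to protect.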