Istio: Assuming trust between clusters in the same mesh with different CAs
Over the past year of working with Istio, a single multi-cluster, multi-network mesh worked fine until a cross-region scenario came up.
Assuming trust within the multi-cluster mesh worked well because every cluster used the same root CA (AWS Private CA), so workloads across networks were able to talk to each other.
However, because an AWS Private CA is region-specific, this did not work for cross-region workloads on the same mesh. This article explains how to solve the problem by telling Istio to trust certificates from more than one root CA.
Use case
Run a disaster recovery site (workload) in the us-west-2 AWS region and deploy it on the same multi-cluster mesh, so that traffic can fail over and fail back seamlessly during outages or disasters.
Problem
- We need Istio to trust two different root Certificate Authorities (CAs) in the same mesh.
- We were installing Istio with the Helm chart via Flux + Kustomization, but there were no examples of how to securely pass the root CA certificates for both clusters.
- Istio's documentation in this area is rather sparse, and it took a lot of searching and experimentation to make it work.

