• istio_ca
    • istio_ca probe
    • istio_ca version
    • Environment variables
    • Exported metrics

    istio_ca

    Istio Certificate Authority (CA).

    1. istio_ca [flags]
    FlagsDescription
    —append-dns-namesAppend DNS names to the certificates for webhook services.
    —cert-chain <string>Path to the certificate chain file. (default )</td></tr><tr><td><code>--citadel-storage-namespace &lt;string&gt;</code></td><td>Namespace where the Citadel pod is running. Will not be used if explicit file or other storage mechanism is specified. (default `istio-system`)</td></tr><tr><td><code>--ctrlz_address &lt;string&gt;</code></td><td>The IP Address to listen on for the ControlZ introspection facility. Use &#39;*&#39; to indicate all addresses. (default `localhost`)</td></tr><tr><td><code>--ctrlz_port &lt;uint16&gt;</code></td><td>The IP port to use for the ControlZ introspection facility (default `9876`)</td></tr><tr><td><code>--custom-dns-names &lt;string&gt;</code></td><td>The list of account.namespace:customdns names, separated by comma. (default)
    —enable-profilingEnabling profiling when monitoring Citadel.
    —experimental-dual-useEnable dual-use mode. Generates certificates with a CommonName identical to the SAN.
    —grpc-host-identities <string>The list of hostnames for istio ca server, separated by comma. (default istio-ca,istio-citadel)
    —grpc-port <int>The port number for Citadel GRPC server. If unspecified, Citadel will not serve GRPC requests. (default 8060)
    —key-size <int>Size of generated private key. (default 2048)
    —kube-config <string>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default )</td></tr><tr><td><code>--listened-namespaces &lt;string&gt;</code></td><td>Select the namespaces for the Citadel to listen to, separated by comma. If unspecified, Citadel tries to use the ${NAMESPACE} environment variable. If neither is set, Citadel listens to all namespaces. (default)
    —liveness-probe-interval <duration>Interval of updating file for the liveness probe. (default 0s)
    —liveness-probe-path <string>Path to the file for the liveness probe. (default )</td></tr><tr><td><code>--log_as_json</code></td><td>Whether to format output as JSON or in plain console-friendly format</td></tr><tr><td><code>--log_caller &lt;string&gt;</code></td><td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default)
    —log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,… where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default default:info)
    —log_rotate <string>The path for the optional rotating log file (default )</td></tr><tr><td><code>--log_rotate_max_age &lt;int&gt;</code></td><td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td></tr><tr><td><code>--log_rotate_max_backups &lt;int&gt;</code></td><td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td></tr><tr><td><code>--log_rotate_max_size &lt;int&gt;</code></td><td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td></tr><tr><td><code>--log_stacktrace_level &lt;string&gt;</code></td><td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td></tr><tr><td><code>--log_target &lt;stringArray&gt;</code></td><td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td></tr><tr><td><code>--max-workload-cert-ttl &lt;duration&gt;</code></td><td>The max TTL of issued workload certificates. (default `2160h0m0s`)</td></tr><tr><td><code>--monitoring-port &lt;int&gt;</code></td><td>The port number for monitoring Citadel. If unspecified, Citadel will disable monitoring. (default `15014`)</td></tr><tr><td><code>--org &lt;string&gt;</code></td><td>Organization for the certificate. (default)
    —pkcs8-keysWhether to generate PKCS#8 private keys.
    —probe-check-interval <duration>Interval of checking the liveness of the CA. (default 30s)
    —read-signing-cert-onlyWhen set, Citadel only reads the self-signed signing cert and key from Kubernetes secret without generating one (if not exist). This flag avoids racing condition between multiple Citadels generating self-signed key and cert. Please make sure one and only one Citadel instance has this flag set to false.
    —requested-ca-cert-ttl <duration>The requested TTL for the CA certificate. (default 8760h0m0s)
    —root-cert <string>Path to the root certificate file. (default )</td></tr><tr><td><code>--sds-enabled</code></td><td>Whether SDS is enabled.</td></tr><tr><td><code>--self-signed-ca</code></td><td>Indicates whether to use auto-generated self-signed CA certificate. When set to true, the &#39;--signing-cert&#39; and &#39;--signing-key&#39; options are ignored.</td></tr><tr><td><code>--server-only</code></td><td>When set, Citadel only serves as a server without writing the Kubernetes secrets.</td></tr><tr><td><code>--sign-ca-certs</code></td><td>Whether Citadel signs certificates for other CAs.</td></tr><tr><td><code>--signing-cert &lt;string&gt;</code></td><td>Path to the CA signing certificate file. (default)
    —signing-key <string>Path to the CA signing key file. (default )</td></tr><tr><td><code>--trust-domain &lt;string&gt;</code></td><td>The domain serves to identify the system with SPIFFE. (default)
    —upstream-ca-address <string>The IP:port address of the upstream CA. When set, the CA will rely on the upstream Citadel to provision its own certificate. (default `)</td></tr><tr><td><code>--workload-cert-grace-period-ratio &lt;float32&gt;</code></td><td>The workload certificate rotation grace period, as a ratio of the workload certificate TTL. (default0.5)</td></tr><tr><td><code>--workload-cert-ttl &lt;duration&gt;</code></td><td>The TTL of issued workload certificates. (default2160h0m0s`)

    istio_ca probe

    Check the liveness or readiness of a locally-running server

    1. istio_ca probe [flags]
    FlagsDescription
    —ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default localhost)
    —ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default 9876)
    —interval <duration>Duration used for checking the target file's last modified time. (default 0s)
    —log_as_jsonWhether to format output as JSON or in plain console-friendly format
    —log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default )</td></tr><tr><td><code>--log_output_level &lt;string&gt;</code></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate &lt;string&gt;</code></td><td>The path for the optional rotating log file (default)
    —log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30)
    —log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000)
    —log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600)
    —log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default default:none)
    —log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout])
    —probe-path <string>Path of the file for checking the availability. (default ``)

    istio_ca version

    Prints out build version information

    1. istio_ca version [flags]
    FlagsShorthandDescription
    —ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default localhost)
    —ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default 9876)
    —log_as_jsonWhether to format output as JSON or in plain console-friendly format
    —log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default )</td></tr><tr><td><code>--log_output_level &lt;string&gt;</code></td><td></td><td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td></tr><tr><td><code>--log_rotate &lt;string&gt;</code></td><td></td><td>The path for the optional rotating log file (default)
    —log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30)
    —log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000)
    —log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600)
    —log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,… where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default default:none)
    —log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout])
    —output <string>-oOne of 'yaml' or 'json'. (default ``)
    —short-sUse —short=false to generate full version information

    Environment variables

    These environment variables affect the behavior of the istio_ca command.

    Variable NameTypeDefault ValueDescription
    CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATORBooleantrueIf true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval.
    CITADEL_ENABLE_NAMESPACES_BY_DEFAULTBooleantrueDetermines whether unlabeled namespaces should be targeted by this Citadel instance
    CITADEL_SELF_SIGNED_CA_CERT_TTLTime Duration87600h0m0sThe TTL of self-signed CA root certificate.
    CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVALTime Duration1h0m0sThe interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes.
    CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILEInteger20Grace period percentile for self-signed root cert.
    CITADEL_WORKLOAD_CERT_MIN_GRACE_PERIODTime Duration10m0sThe minimum workload certificate rotation grace period.
    NAMESPACEString

    Exported metrics

    Metric NameTypeDescription
    citadel_secret_controller_csr_err_countSumThe number of errors occurred when creating the CSR.
    citadel_secret_controller_csr_sign_err_countSumThe number of errors occurred when signing the CSR.
    citadel_secret_controller_secret_deleted_cert_countSumThe number of certificates recreated due to secret deletion (service account still exists).
    citadel_secret_controller_svc_acc_created_cert_countSumThe number of certificates created due to service account creation.
    citadel_secret_controller_svc_acc_deleted_cert_countSumThe number of certificates deleted due to service account deletion.
    citadel_server_authentication_failure_countSumThe number of authentication failures.
    citadel_server_csr_countSumThe number of CSRs received by Citadel server.
    citadel_server_csr_parsing_err_countSumThe number of errors occurred when parsing the CSR.
    citadel_server_csr_sign_err_countSumThe number of errors occurred when signing the CSR.
    citadel_server_id_extraction_err_countSumThe number of errors occurred when extracting the ID from CSR.
    citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.
    citadel_server_success_cert_issuance_countSumThe number of certificates issuances that have succeeded.
    istio_buildLastValueIstio component build info