Enable custom certificate and secure default of Istio CA

[TorstenD-SAP]

Description

The customer should be able to bring his own certificate to be used by Istio to create the CA. If no customer certificate is provided, Kyma has to issue a new certificate and provide it to Istio to create the CA.

Reasons

Compliance with internal SAP standards.

DoD:

• [ ] Provide unit and integration tests.
• [ ] Provide documentation.
• [ ] Verify if the solution works for both open-source Kyma and SAP BTP, Kyma runtime.
• [ ] If you changed the resource limits, explain why it was needed.
• [ ] If the default configuration of Istio Operator has been changed, you performed a manual upgrade test to verify that the change can be rolled out correctly.
• [ ] Verify that your contributions don't decrease code coverage. If they do, explain why this is the case.
• [ ] Add release notes.

Attachments

[strekm]

we've ran small POC to better understand how we can support it. For existing installation this operation means downtime and should be scheduled during maintenance window. Secret with cert needs to be provided and istio and worklads restarted.