Hi,
I was able to make it work, but I have a question. Am I able to distinguish different clusters?
Let's say I have cluster A, where the "server" is running, and I have clusters B and C for clients. All these clusters have CA certs from the same root, so they trust each other. All these CA certs are issued for the same subject:
Subject: O = k8s.cluster.local
The mTLS cert for a client in Cluster A has the SAN (Subject Alternative Name)
URI:spiffe://cluster.local/ns/example/sa/example
and the mTLS cert for a client in Cluster B has the same SAN. But I would like to authorize traffic just from Cluster A. Is it possible to change the "domain" for Istio & mTLS? To have the CA certificate issued for
Subject: O = k8s.department-a-prod.company
and the client cert SAN
URI:spiffe://department-a-prod.company/ns/example/sa/example?