Istio Certificate Authority (CA)
istio_ca [flags]
| Flags | Description |
|---|---|
--append-dns-names |
Append DNS names to the certificates for webhook services. |
--cert-chain <string> |
Path to the certificate chain file (default ``) |
--citadel-storage-namespace <string> |
Namespace where the Citadel pod is running. Will not be used if explicit file or other storage mechanism is specified. (default `istio-system`) |
--custom-dns-names <string> |
The list of account.namespace:customdns names, separated by comma. (default ``) |
--enable-profiling |
Enabling profiling when monitoring Citadel. |
--grpc-host-identities <string> |
The list of hostnames for istio ca server, separated by comma. (default `istio-ca,istio-citadel`) |
--grpc-hostname <string> |
DEPRECATED, use --grpc-host-identites. (default `istio-ca`) |
--grpc-port <int> |
The port number for Citadel GRPC server. If unspecified, Citadel will not serve GRPC requests. (default `8060`) |
--key-size <int> |
Size of generated private key (default `2048`) |
--kube-config <string> |
Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``) |
--listened-namespace <string> |
Select a namespace for the CA to listen to. If unspecified, Citadel tries to use the ${NAMESPACE} environment variable. If neither is set, Citadel listens to all namespaces. (default ``) |
--liveness-probe-interval <duration> |
Interval of updating file for the liveness probe. (default `0s`) |
--liveness-probe-path <string> |
Path to the file for the liveness probe. (default ``) |
--log_as_json |
Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> |
Comma-separated list of scopes for which to include called information, scopes can be any of [default] (default ``) |
--log_output_level <string> |
The minimum logging level of messages to output, can be one of [debug, info, warn, error, none] (default `default:info`) |
--log_rotate <string> |
The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> |
The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> |
The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> |
The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> |
The minimum logging level at which stack traces are captured, can be one of [debug, info, warn, error, none] (default `default:none`) |
--log_target <stringArray> |
The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--max-workload-cert-ttl <duration> |
The max TTL of issued workload certificates (default `2160h0m0s`) |
--monitoring-port <int> |
The port number for monitoring Citadel. If unspecified, Citadel will disable monitoring. (default `9093`) |
--org <string> |
Organization for the cert (default ``) |
--probe-check-interval <duration> |
Interval of checking the liveness of the CA. (default `30s`) |
--requested-ca-cert-ttl <duration> |
The requested TTL for the workload (default `8760h0m0s`) |
--root-cert <string> |
Path to the root certificate file (default ``) |
--self-signed-ca |
Indicates whether to use auto-generated self-signed CA certificate. When set to true, the '--signing-cert' and '--signing-key' options are ignored. |
--self-signed-ca-cert-ttl <duration> |
The TTL of self-signed CA root certificate (default `8760h0m0s`) |
--self-signed-ca-org <string> |
The issuer organization used in self-signed CA certificate (default to k8s.cluster.local) (default `k8s.cluster.local`) |
--sign-ca-certs |
Whether Citadel signs certificates for other CAs |
--signing-cert <string> |
Path to the CA signing certificate file (default ``) |
--signing-key <string> |
Path to the CA signing key file (default ``) |
--upstream-ca-address <string> |
The IP:port address of the upstream CA. When set, the CA will rely on the upstream Citadel to provision its own certificate. (default ``) |
--workload-cert-grace-period-ratio <float32> |
The workload certificate rotation grace period, as a ratio of the workload certificate TTL. (default `0.5`) |
--workload-cert-min-grace-period <duration> |
The minimum workload certificate rotation grace period. (default `10m0s`) |
--workload-cert-ttl <duration> |
The TTL of issued workload certificates (default `2160h0m0s`) |
Check the liveness or readiness of a locally-running server
istio_ca probe [flags]
| Flags | Description |
|---|---|
--interval <duration> |
Duration used for checking the target file's last modified time. (default `0s`) |
--log_as_json |
Whether to format output as JSON or in plain console-friendly format |
--log_caller <string> |
Comma-separated list of scopes for which to include called information, scopes can be any of [default] (default ``) |
--log_output_level <string> |
The minimum logging level of messages to output, can be one of [debug, info, warn, error, none] (default `default:info`) |
--log_rotate <string> |
The path for the optional rotating log file (default ``) |
--log_rotate_max_age <int> |
The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) |
--log_rotate_max_backups <int> |
The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) |
--log_rotate_max_size <int> |
The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) |
--log_stacktrace_level <string> |
The minimum logging level at which stack traces are captured, can be one of [debug, info, warn, error, none] (default `default:none`) |
--log_target <stringArray> |
The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
--probe-path <string> |
Path of the file for checking the availability. (default ``) |
Prints out build version information
istio_ca version [flags]
| Flags | Shorthand | Description |
|---|---|---|
--log_as_json |
Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> |
Comma-separated list of scopes for which to include called information, scopes can be any of [default] (default ``) | |
--log_output_level <string> |
The minimum logging level of messages to output, can be one of [debug, info, warn, error, none] (default `default:info`) | |
--log_rotate <string> |
The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> |
The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> |
The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> |
The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> |
The minimum logging level at which stack traces are captured, can be one of [debug, info, warn, error, none] (default `default:none`) | |
--log_target <stringArray> |
The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--short |
-s |
Displays a short form of the version information |