istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Small tweaks for Security (#626) 

* Small tweaks for Security

* Update url

* address comment
This commit is contained in:
Tao Li 2017-10-05 17:52:26 -07:00 committed by Laurent Demailly
parent 5389f5b338
commit 0173744bd4
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_docs/reference/release-notes.md
View File

@ -85,7 +85,7 @@ identity provisioning. This agent runs on each node (VM / physical machine) and
- **Bring Your Own CA Certificates**. Allows users to provide their own key and certificate for Istio CA. - **Bring Your Own CA Certificates**. Allows users to provide their own key and certificate for Istio CA.
- **Persistent CA Key/Certificate Storage**. Istio CA now supports storing signing key/certificates in - **Persistent CA Key/Certificate Storage**. Istio CA now stores signing key/certificates in
persistent storage to facilitate CA restarts. persistent storage to facilitate CA restarts.

8
_docs/tasks/security/mutual-tls.md
View File

@ -59,14 +59,14 @@ Istio CA is up if the "AVAILABLE" column is 1.
When running Istio with mutual TLS authentication turned on, you can use curl in one service's When running Istio with mutual TLS authentication turned on, you can use curl in one service's
envoy to send request to other services. envoy to send request to other services.
For example, after starting the [BookInfo]({{home}}/docs/guides/bookinfo.html) For example, after starting the [BookInfo]({{home}}/docs/guides/bookinfo.html)
sample application you can ssh into the envoy container of `productpage` service, sample application you can ssh into the envoy container of `productpage` service,
and send request to other services by curl. and send request to other services by curl.
There are several steps: There are several steps:
1. get the productpage pod name 1. get the productpage pod name
```bash ```bash
kubectl get pods -l app=productpage kubectl get pods -l app=productpage
``` ```
```bash ```bash
NAME READY STATUS RESTARTS AGE NAME READY STATUS RESTARTS AGE
@ -77,7 +77,7 @@ There are several steps:
1. ssh into the envoy container 1. ssh into the envoy container
```bash ```bash
kubectl exec -it productpage-v1-4184313719-5mxjc -c istio-proxy /bin/bash kubectl exec -it productpage-v1-4184313719-5mxjc -c istio-proxy /bin/bash
``` ```
1. make sure the key/cert is in /etc/certs/ directory 1. make sure the key/cert is in /etc/certs/ directory
@ -92,7 +92,7 @@ There are several steps:
1. send requests to another service, for example, details. 1. send requests to another service, for example, details.
```bash ```bash
curl https://details:9080 -v --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem -k curl https://details:9080/details/0 -v --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem -k
``` ```
```bash ```bash
... ...