From 0376ee75e9a7de0fe8e56dc9e05aaf902c0efae8 Mon Sep 17 00:00:00 2001 From: Spike Curtis Date: Wed, 18 Jul 2018 04:54:17 -0700 Subject: [PATCH] Clarify install in HTTPS overlay (#1857) Signed-off-by: Spike Curtis --- .../docs/tasks/security/https-overlay/index.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/content/docs/tasks/security/https-overlay/index.md b/content/docs/tasks/security/https-overlay/index.md index 68ad19427d..1564ccfb85 100644 --- a/content/docs/tasks/security/https-overlay/index.md +++ b/content/docs/tasks/security/https-overlay/index.md @@ -21,11 +21,17 @@ original HTTPS traffic. And this is the reason Istio can work on HTTPS services. Set up Istio by following the instructions in the [quick start](/docs/setup/kubernetes/quick-start/). -Note that authentication should be **disabled** at step 5 in the -[installation steps](/docs/setup/kubernetes/quick-start/#installation-steps). +Note that default mutual TLS authentication should be **disabled** when installing Istio; e.g. option 1 in the +[quick start](/docs/setup/kubernetes/quick-start/#installation-steps). + +The demo is also assumed to be running in a namespace where automatic sidecar injection is +disabled, and Istio sidecars are instead manually injected with `istioctl`. ### Generate certificates and configmap +The following examples consider an NGINX service pod which can encrypt traffic using HTTPS. +Before beginning, generate the TLS certificate and key that this service will use. + You need to have openssl installed to run these commands: {{< text bash >}} 
@@ -139,10 +145,11 @@ $ kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name ### Create an HTTPS service with Istio sidecar with mutual TLS enabled You need to deploy Istio control plane with mutual TLS enabled. If you have istio -control plane with mutual TLS disabled installed, please delete it: +control plane with mutual TLS disabled installed, please delete it. For example, if +you followed the quick start: {{< text bash >}} -$ kubectl delete -f install/kubernetes/istio.yaml +$ kubectl delete -f install/kubernetes/istio-demo.yaml {{< /text >}} And wait for everything is down, i.e., there is no pod in control plane namespace (istio-system).
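Review bot: In the first hunk (`@@ -21,11 +21,17 @@`), the added "e.g. option 1 in the [quick start]" is a positional reference, just like the "step 5" it replaces, and will go stale if the quick start's options are renumbered or reordered. Name the install option or manifest explicitly instead, so it can be matched against the file the second hunk deletes. The same sentence links to the quick start a second time under the same link text as the sentence before it; one link is enough. The new paragraph about automatic sidecar injection states an assumption without saying how to confirm it. A short pointer to checking the namespace's `istio-injection` label (for example with `kubectl get namespace -L istio-injection`) would let readers verify it before they start, since a sidecar injected both automatically and with `istioctl` would invalidate the steps that follow.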
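Review bot: In the second hunk (`@@ -139,10 +145,11 @@`), the delete command now hard-codes `install/kubernetes/istio-demo.yaml` under "if you followed the quick start", but the first hunk only points readers at "option 1" without naming a file, so nothing on the page confirms that this is the manifest they installed. Say explicitly that the file passed to `kubectl delete -f` must be the same one used at install time, and name that file in the setup section as well. While touching this paragraph, "If you have istio control plane" should read "If you have the Istio control plane", and the trailing context line "And wait for everything is down" would be clearer as "Wait until everything is down", ideally with the command to check it, such as `kubectl get pods -n istio-system`.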