istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Revert "Update the Citadel cert lifetime config document (#1944)" (#1978) 

This reverts commit 062d0e3baf.
This commit is contained in:
Steven Dake 2018-07-26 05:51:33 -07:00 committed by Martin Taillefer
parent b36b0c31e0
commit 0da381b8f0
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
content/help/faq/security/cert-lifetime-config.md
View File

@ -4,11 +4,11 @@ weight: 70
---
For the workloads running in Kubernetes, the lifetime of their Istio certificates is controlled by the
`workload-cert-ttl` flag on Citadel. This value should be no greater than
`workload-cert-ttl` flag on Citadel. The default value is 19 hours. This value should be no greater than
`max-workload-cert-ttl` of Citadel.
Citadel uses a flag `max-workload-cert-ttl` to control the maximum lifetime for Istio certificates issued to
workloads. If `workload-cert-ttl` on Citadel or node agent is greater than
workloads. The default value is 7 days. If `workload-cert-ttl` on Citadel or node agent is greater than
`max-workload-cert-ttl`, Citadel will fail issuing the certificate.
Modify the `istio-demo-auth.yaml` file to customize the Citadel configuration.
@ -37,7 +37,7 @@ spec:
{{< /text >}}
For the workloads running on VMs and bare metal hosts, the lifetime of their Istio certificates is specified by the
`workload-cert-ttl` flag on each node agent. This value should be no greater than
`workload-cert-ttl` flag on each node agent. The default value is also 19 hours. This value should be no greater than
`max-workload-cert-ttl` of Citadel.
To customize this configuration, the argument for the node agent service should be modified.