Fix the security tasks. (#4445)

* Fix the security tasks. * Apply suggestions from code review Co-Authored-By: Rigs Caballero <grca@google.com> * Small fix. * Small fix.
2019-06-18 13:10:34 -07:00 · 2019-06-18 13:10:34 -07:00 · 16ed6a9c46
parent 46e13420b6
commit 16ed6a9c46
2 changed files with 12 additions and 7 deletions
--- a/content/docs/tasks/security/health-check/index.md
+++ b/content/docs/tasks/security/health-check/index.md
@ -7,9 +7,11 @@ keywords: [security,health-check]

 You can enable Citadel's health checking feature
 to detect the failures of the Citadel CSR (Certificate Signing Request) service.
-Citadel periodically sends CSRs to its CSR service and verifies the response.
+When a failure is detected, Kubelet automatically restarts the Citadel container.

-The _prober client_ module in Citadel periodically checks the health status of Citadel's CSR gRPC server.
+When the health checking feature is enabled,
+the **prober client** module in Citadel periodically checks the health status of Citadel's CSR gRPC server.
+It does this by sending CSRs to the gRPC server and verifies the responses.
 If Citadel is healthy, the _prober client_ updates the _modification time_ of the _health status file_.
 Otherwise, it does nothing. Citadel relies on a
 [Kubernetes liveness and readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/)
@ -41,13 +43,16 @@ See the [authentication policy task](/docs/tasks/security/authn-policy/) for det

 ## Deploying Citadel with health checking

-To enable health checking, redeploy Citadel using the configuration in `istio-citadel-with-health-check.yaml`:
+To enable health checking, redeploy Citadel with helm:

 {{< text bash >}}
-$ kubectl apply -f install/kubernetes/istio-citadel-with-health-check.yaml
+$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system \
+-x charts/security/templates/deployment.yaml \
+--set global.mtls.enabled=true --set security.citadelHealthCheck=true > citadel-health-check.yaml
+$ kubectl apply -f citadel-health-check.yaml
 {{< /text >}}

-## Verifying the health checker is working
+## Verify that health checking works

 Citadel will log the health checking results. Run the following in command line:

@ -67,7 +72,7 @@ The default health checking interval is 15 seconds and is logged once every 100
 ## (Optional) Configuring the health checking

 This section talks about how to modify the health checking configuration. Open the file
-`install/kubernetes/istio-citadel-with-health-check.yaml`, and locate the following lines.
+`citadel-health-check.yaml`, and locate the following lines.

 {{< text plain >}}
 ...
--- a/content/docs/tasks/security/plugin-ca-cert/index.md
+++ b/content/docs/tasks/security/plugin-ca-cert/index.md
@ -117,7 +117,7 @@ This requires you have `openssl` installed on your machine.
 1.  Verify the CA certificate is the same as the one specified by operator:

    {{< text bash >}}
-    $ tail -n 22 /tmp/pod-cert-chain.pem > /tmp/pod-cert-chain-ca.pem
+    $ tail -n 23 /tmp/pod-cert-chain.pem > /tmp/pod-cert-chain-ca.pem
    $ openssl x509 -in @samples/certs/ca-cert.pem@ -text -noout > /tmp/ca-cert.crt.txt
    $ openssl x509 -in /tmp/pod-cert-chain-ca.pem -text -noout > /tmp/pod-cert-chain-ca.crt.txt
    $ diff /tmp/ca-cert.crt.txt /tmp/pod-cert-chain-ca.crt.txt