zh-translation:content/zh/docs/tasks/security/dns-cert/index.md (#6023)

* zh-trans-1649

* zh-trans-1649-after-review

content/zh/docs/tasks/security/dns-cert/index.md

@@ -1,35 +1,28 @@
 ---
-title: Istio DNS Certificate Management
-description: Shows how to provision and manage DNS certificates in Istio.
+title: Istio DNS 证书管理
+description: 展示如何准备和管理 Istio DNS 证书。
 weight: 90
 keywords: [security,certificate]
 ---
 
 {{< boilerplate experimental-feature-warning >}}
 
-By default, the DNS certificates used by the webhooks of Galley and the sidecar
-injector are provisioned and managed by Citadel, which is a large component
-that maintains its own signing key and also acts as a CA for Istio.
+默认情况下，Citadel 负责准备和管理 Galley webhooks 及 sidecar 注入器所使用的 DNS 证书。Citadel 是一个功能丰富的组件，不仅维护自身的签名密钥，还充当着 Istio 的 CA。
 
-In certain deployments, you may want to use your own certificate authority
-instead of Citadel. In those cases, Citadel ends up being used strictly for
-its DNS certificate provisioning functionality. Rather than having to deploy
-Citadel at all in this case, you can instead leverage Chiron, a lightweight
-component linked with Pilot that signs certificates using the Kubernetes CA APIs without maintaining its own private key.
+在特定部署场景中，您或许希望使用自己的证书授权机构取代 Citadel。此时，Citadel 不再发挥其准备 DNS 证书的功能。在这种情况下，无须部署 Citadel，您可以使用一个轻量级组件 Chiron 取而代之。Chiron 与 Pilot 关联在一起，通过 Kubernetes CA APIs 签名证书，不用维护自己的私有密钥。
 
-This task shows how to provision and manage DNS certificates for Istio control
-plane components through Chiron. Using this feature has the following advantages:
+本任务展示如何通过 Chiron 为 Istio 的控制平面组件准备和管理 DNS 证书。该特性具备以下优点：
 
-* More lightweight than Citadel.
+* 比 Citadel 更加轻量级。
 
-* Unlike Citadel, this feature doesn't require maintaining a private signing key, which enhances security.
+* 不像 Citadel，该特性无需维护一个私有的签名密钥，增强了安全性。
 
-* Simplified root certificate distribution to TLS clients. Clients no longer need to wait for Citadel to generate and distribute its CA certificate.
+* 简化了向 TLS 客户端分发根证书的过程。客户端无需等待 Citadel 生成并分发 CA 证书。
 
-## Before you begin
+## 开始之前{#before-you-begin}
 
-* Install Istio through `istioctl` with DNS certificates configured.
-The configuration is read when Pilot starts.
+* 配置好 DNS 证书，使用 `istioctl` 安装 Istio。
+Pilot 启动时，读取配置文件。
 
 {{< text bash >}}
 $ cat <<EOF > ./istio.yaml
@@ -47,61 +40,52 @@ EOF
 $ istioctl manifest apply -f ./istio.yaml
 {{< /text >}}
 
-* Install [`jq`](https://stedolan.github.io/jq/) for validating the results from running the task.
+* 安装 [`jq`](https://stedolan.github.io/jq/) ，验证运行结果。
 
-## DNS certificate provisioning and management
+## 准备和管理 DNS 证书{#DNS-certificate-provisioning-and-management}
 
-Istio provisions the DNS names and secret names for the DNS certificates based on configuration you provide.
-The DNS certificates provisioned are signed by the Kubernetes CA and stored in the secrets following your configuration.
-Istio also manages the lifecycle of the DNS certificates, including their rotations and regenerations.
+Istio 根据您提供的配置文件设置 DNS 证书的 DNS 域名和 secret 名。
+准备好的 DNS 证书经 Kubernetes CA 签名后，存储在配置文件指明的 secrets 中。
+Istio 还需要管理 DNS 证书的生命周期，包括证书的轮换和重新生成。
 
-## Configure DNS certificates
+## 配置 DNS 证书{#configure-DNS-certificates}
 
-The `IstioControlPlane` custom resource used to configure Istio in the `istioctl manifest apply` command, above,
-contains an example DNS certificate configuration. Within, the `dnsNames` field specifies the DNS
-names in a certificate and the `secretName` field specifies the name of the Kubernetes secret used to
-store the certificate and the key.
+`IstioControlPlane` 自定义资源提供了一个 DNS 证书配置模版，用来通过 `istioctl manifest apply` 命令配置 Istio （见上文）。其中，`dnsName` 域指定证书的 DNS 域名，`secretName` 域指定用于存储证书和密钥的 Kubernetes secret 名。
 
-## Check the provisioning of DNS certificates
+## 检查 DNS 证书的准备工作{#check-the-provisioning-of-DNS-certificates}
 
-After configuring Istio to generate DNS certificates and storing them in secrets
-of your choosing, you can verify that the certificates were provisioned and work properly.
+配置好 Istio 生成 DNS 证书并根据您的要求指定好存放它的 secretes 之后，您可以验证证书按预期被准备出来且如常工作。
 
-To check that Istio generated the `dns.istio-galley-service-account` DNS certificate as configured in the example,
-and that the certificate contains the configured DNS names, you need to get the secret from Kubernetes, parse it,
-decode it, and view its text output with the following command:
+为了检查 Istio 按照示例配置生成了 `dns.istio-galley-service-account` DNS 证书，并且证书中包含配置好的 DNS 域名，您需要从 Kubernetes 中获取 secret，进行解析解码并检查它的输出文本，命令如下：
 
 {{< text bash >}}
 $ kubectl get secret dns.istio-galley-service-account -n istio-system -o json | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -in - -text -noout
 {{< /text >}}
 
-The text output should include:
+输出文本应该包括：
 
 {{< text plain >}}
 X509v3 Subject Alternative Name:
   DNS:istio-galley.istio-system.svc, DNS:istio-galley.istio-system
 {{< /text >}}
 
-## Regenerating a DNS certificate
+## 重新生成一个 DNS 证书{#regenerating-a-DNS-certificate}
 
-Istio can also regenerate DNS certificates that were mistakenly deleted. Next,
-we show how you can delete a recently configured certificate and verify Istio regenerates it automatically.
+Istio 也可以重新生成被误删的 DNS 证书。接下来，我们展示如何删除一个近期配置好的证书并验证 Istio 自动重新生成了该证书。
 
-1. Delete the secret storing the DNS certificate configured earlier:
+1. 删除存储之前配置好的 DNS 证书的 secret：
 
     {{< text bash >}}
     $ kubectl delete secret dns.istio-galley-service-account -n istio-system
     {{< /text >}}
 
-1. To check that Istio regenerated the deleted DNS certificate, and that the certificate
-contains the configured DNS names, you need to get the secret from Kubernetes, parse it, decode it,
-and view its text output with the following command:
+1. 为了检查 Istio 重新生成了已删除的 DNS 证书，并且该证书包含配置好的 DNS 域名，您需要从 Kubernetes 中获取 secret，进行解析解码并检查它的输出文本，命令如下：
 
     {{< text bash >}}
     $ kubectl get secret dns.istio-galley-service-account -n istio-system -o json | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -in - -text -noout
     {{< /text >}}
 
-The output should include:
+输出应该包括：
 
 {{< text plain >}}
 X509v3 Subject Alternative Name: