diff --git a/content/zh/docs/tasks/security/dns-cert/index.md b/content/zh/docs/tasks/security/dns-cert/index.md index 3d125909d4..dbb5e760ed 100644 --- a/content/zh/docs/tasks/security/dns-cert/index.md +++ b/content/zh/docs/tasks/security/dns-cert/index.md @@ -1,35 +1,28 @@ --- -title: Istio DNS Certificate Management -description: Shows how to provision and manage DNS certificates in Istio. +title: Istio DNS 证书管理 +description: 展示如何准备和管理 Istio DNS 证书。 weight: 90 keywords: [security,certificate] --- {{< boilerplate experimental-feature-warning >}} -By default, the DNS certificates used by the webhooks of Galley and the sidecar -injector are provisioned and managed by Citadel, which is a large component -that maintains its own signing key and also acts as a CA for Istio. +默认情况下,Citadel 负责准备和管理 Galley webhooks 及 sidecar 注入器所使用的 DNS 证书。Citadel 是一个功能丰富的组件,不仅维护自身的签名密钥,还充当着 Istio 的 CA。 -In certain deployments, you may want to use your own certificate authority -instead of Citadel. In those cases, Citadel ends up being used strictly for -its DNS certificate provisioning functionality. Rather than having to deploy -Citadel at all in this case, you can instead leverage Chiron, a lightweight -component linked with Pilot that signs certificates using the Kubernetes CA APIs without maintaining its own private key. +在特定部署场景中,您或许希望使用自己的证书授权机构取代 Citadel。此时,Citadel 不再发挥其准备 DNS 证书的功能。在这种情况下,无须部署 Citadel,您可以使用一个轻量级组件 Chiron 取而代之。Chiron 与 Pilot 关联在一起,通过 Kubernetes CA APIs 签名证书,不用维护自己的私有密钥。 -This task shows how to provision and manage DNS certificates for Istio control -plane components through Chiron. Using this feature has the following advantages: +本任务展示如何通过 Chiron 为 Istio 的控制平面组件准备和管理 DNS 证书。该特性具备以下优点: -* More lightweight than Citadel. +* 比 Citadel 更加轻量级。 -* Unlike Citadel, this feature doesn't require maintaining a private signing key, which enhances security. +* 不像 Citadel,该特性无需维护一个私有的签名密钥,增强了安全性。 -* Simplified root certificate distribution to TLS clients. Clients no longer need to wait for Citadel to generate and distribute its CA certificate. +* 简化了向 TLS 客户端分发根证书的过程。客户端无需等待 Citadel 生成并分发 CA 证书。 -## Before you begin +## 开始之前{#before-you-begin} -* Install Istio through `istioctl` with DNS certificates configured. -The configuration is read when Pilot starts. +* 配置好 DNS 证书,使用 `istioctl` 安装 Istio。 +Pilot 启动时,读取配置文件。 {{< text bash >}} $ cat < ./istio.yaml @@ -47,61 +40,52 @@ EOF $ istioctl manifest apply -f ./istio.yaml {{< /text >}} -* Install [`jq`](https://stedolan.github.io/jq/) for validating the results from running the task. +* 安装 [`jq`](https://stedolan.github.io/jq/) ,验证运行结果。 -## DNS certificate provisioning and management +## 准备和管理 DNS 证书{#DNS-certificate-provisioning-and-management} -Istio provisions the DNS names and secret names for the DNS certificates based on configuration you provide. -The DNS certificates provisioned are signed by the Kubernetes CA and stored in the secrets following your configuration. -Istio also manages the lifecycle of the DNS certificates, including their rotations and regenerations. +Istio 根据您提供的配置文件设置 DNS 证书的 DNS 域名和 secret 名。 +准备好的 DNS 证书经 Kubernetes CA 签名后,存储在配置文件指明的 secrets 中。 +Istio 还需要管理 DNS 证书的生命周期,包括证书的轮换和重新生成。 -## Configure DNS certificates +## 配置 DNS 证书{#configure-DNS-certificates} -The `IstioControlPlane` custom resource used to configure Istio in the `istioctl manifest apply` command, above, -contains an example DNS certificate configuration. Within, the `dnsNames` field specifies the DNS -names in a certificate and the `secretName` field specifies the name of the Kubernetes secret used to -store the certificate and the key. +`IstioControlPlane` 自定义资源提供了一个 DNS 证书配置模版,用来通过 `istioctl manifest apply` 命令配置 Istio (见上文)。其中,`dnsName` 域指定证书的 DNS 域名,`secretName` 域指定用于存储证书和密钥的 Kubernetes secret 名。 -## Check the provisioning of DNS certificates +## 检查 DNS 证书的准备工作{#check-the-provisioning-of-DNS-certificates} -After configuring Istio to generate DNS certificates and storing them in secrets -of your choosing, you can verify that the certificates were provisioned and work properly. +配置好 Istio 生成 DNS 证书并根据您的要求指定好存放它的 secretes 之后,您可以验证证书按预期被准备出来且如常工作。 -To check that Istio generated the `dns.istio-galley-service-account` DNS certificate as configured in the example, -and that the certificate contains the configured DNS names, you need to get the secret from Kubernetes, parse it, -decode it, and view its text output with the following command: +为了检查 Istio 按照示例配置生成了 `dns.istio-galley-service-account` DNS 证书,并且证书中包含配置好的 DNS 域名,您需要从 Kubernetes 中获取 secret,进行解析解码并检查它的输出文本,命令如下: {{< text bash >}} $ kubectl get secret dns.istio-galley-service-account -n istio-system -o json | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -in - -text -noout {{< /text >}} -The text output should include: +输出文本应该包括: {{< text plain >}} X509v3 Subject Alternative Name: DNS:istio-galley.istio-system.svc, DNS:istio-galley.istio-system {{< /text >}} -## Regenerating a DNS certificate +## 重新生成一个 DNS 证书{#regenerating-a-DNS-certificate} -Istio can also regenerate DNS certificates that were mistakenly deleted. Next, -we show how you can delete a recently configured certificate and verify Istio regenerates it automatically. +Istio 也可以重新生成被误删的 DNS 证书。接下来,我们展示如何删除一个近期配置好的证书并验证 Istio 自动重新生成了该证书。 -1. Delete the secret storing the DNS certificate configured earlier: +1. 删除存储之前配置好的 DNS 证书的 secret: {{< text bash >}} $ kubectl delete secret dns.istio-galley-service-account -n istio-system {{< /text >}} -1. To check that Istio regenerated the deleted DNS certificate, and that the certificate -contains the configured DNS names, you need to get the secret from Kubernetes, parse it, decode it, -and view its text output with the following command: +1. 为了检查 Istio 重新生成了已删除的 DNS 证书,并且该证书包含配置好的 DNS 域名,您需要从 Kubernetes 中获取 secret,进行解析解码并检查它的输出文本,命令如下: {{< text bash >}} $ kubectl get secret dns.istio-galley-service-account -n istio-system -o json | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -in - -text -noout {{< /text >}} -The output should include: +输出应该包括: {{< text plain >}} X509v3 Subject Alternative Name: