diff --git a/content/docs/tasks/security/vault-ca/index.md b/content/docs/tasks/security/vault-ca/index.md index 2ba0daf547..de7340f05b 100644 --- a/content/docs/tasks/security/vault-ca/index.md +++ b/content/docs/tasks/security/vault-ca/index.md @@ -33,18 +33,11 @@ to Node Agent, which returns the signed certificate to the Istio proxy. --name=istio \ --namespace=istio-system \ --set global.mtls.enabled=true \ - --set global.proxy.excludeIPRanges="34.83.129.211/32" \ --values install/kubernetes/helm/istio/example-values/values-istio-example-sds-vault.yaml \ install/kubernetes/helm/istio >> istio-auth.yaml $ kubectl create -f istio-auth.yaml {{< /text >}} -The testing Vault server used in this tutorial has the IP -address `34.83.129.211`. The configuration -`global.proxy.excludeIPRanges="34.83.129.211/32"` whitelists the IP address of -the testing Vault server, so that Envoy will not intercept the traffic from -Node Agent to Vault. - The yaml file [`values-istio-example-sds-vault.yaml`]({{< github_file >}}/install/kubernetes/helm/istio/example-values/values-istio-example-sds-vault.yaml) contains the configuration that enables SDS (secret discovery service) in Istio. The Vault CA related configuration is set as environmental variables: @@ -65,6 +58,29 @@ env: value: "istio_ca/sign/istio-pki-role" {{< /text >}} +1. The testing Vault server used in this tutorial has the IP + address `34.83.129.211`. Create a service entry with the address of the testing + Vault server: + + {{< text bash >}} + $ kubectl apply -f - <}} + ## Deploy workloads for testing This section deploys the `httpbin` and `sleep` workloads for testing. When the sidecar of a
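Review bot: In the first hunk (the Helm install step), removing `--set global.proxy.excludeIPRanges="34.83.129.211/32"` together with its paragraph leaves the install step with no mention of how Node Agent traffic reaches Vault. Reachability now depends on the service entry added further down, after `kubectl create -f istio-auth.yaml`. A reader who stops at the install step, or who runs the steps out of order, gets no hint that something is still missing. Add one sentence here saying that access to the Vault server is configured in a later step, or move the service-entry step directly after the install command.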
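Review bot: In the second hunk, the new step "Create a service entry with the address of the testing Vault server" gives the address `34.83.129.211` but never says why a service entry is needed. The paragraph removed in the first hunk did explain the purpose of the old setting ("so that Envoy will not intercept the traffic from Node Agent to Vault"). Add an equivalent sentence stating what the service entry allows and for which traffic. Since the address is hard-coded for the tutorial's testing server, also say that readers using their own Vault must substitute its address, and that the entry should cover only the Vault endpoint.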