istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fixed docs errors when working on issues#33906 (#10076) 

* fixed docs errors when working on issues#33906

* change the deploying Istio yaml after testing

* fix lint

* fixed issue according to comments
This commit is contained in:
Steve Zhang 2021-07-30 12:35:49 +00:00 committed by GitHub
parent 1653758a56
commit 4bdea0495f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 30 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
content/en/docs/tasks/security/cert-management/custom-ca-k8s/index.md
View File

@ -138,7 +138,7 @@ Refer to the [Kubernetes CSR documentation](https://kubernetes.io/docs/reference
1. Get the public key of the CA. This is encoded in the secret "signer-ca-*" in the signer-ca-system namespace. 1. Get the public key of the CA. This is encoded in the secret "signer-ca-*" in the signer-ca-system namespace.
{{< text bash >}} {{< text bash >}}
$ kubectl get secrets signer-ca-5hff5h74hm -o json $ kubectl get secrets signer-ca-5hff5h74hm -n signer-ca-system -o json
{{< /text >}} {{< /text >}}
The `tls.crt` field contains the base64 encoded public key file. Record this for future use. The `tls.crt` field contains the base64 encoded public key file. Record this for future use.
@ -172,24 +172,6 @@ Refer to the [Kubernetes CSR documentation](https://kubernetes.io/docs/reference
kind: IstioOperator kind: IstioOperator
spec: spec:
components: components:
base:
k8s:
overlays:
# Amend ClusterRole to add permission for istiod to approve certificate signing by custom signer
- kind: ClusterRole
name: istiod-istio-system
patches:
- path: rules[-1]
value: |
apiGroups:
- certificates.k8s.io
resourceNames:
# Name of k8s external Signer in this example
- example.com/foo
resources:
- signers
verbs:
- approve
pilot: pilot:
k8s: k8s:
env: env:
@ -200,21 +182,35 @@ Refer to the [Kubernetes CSR documentation](https://kubernetes.io/docs/reference
- name: K8S_SIGNER - name: K8S_SIGNER
value: example.com/foo value: example.com/foo
overlays: overlays:
- kind: Deployment # Amend ClusterRole to add permission for istiod to approve certificate signing by custom signer
name: istiod - kind: ClusterRole
patches: name: istiod-clusterrole-istio-system
- path: spec.template.spec.containers[0].volumeMounts[-1] patches:
value: | - path: rules[-1]
# Mount external CA certificate into Istiod value: |
name: external-ca-cert apiGroups:
mountPath: /etc/external-ca-cert - certificates.k8s.io
readOnly: true resourceNames:
- path: spec.template.spec.volumes[-1] - example.com/foo
value: | resources:
name: external-ca-cert - signers
secret: verbs:
secretName: external-ca-cert - approve
optional: true - kind: Deployment
name: istiod
patches:
- path: spec.template.spec.containers[0].volumeMounts[-1]
value: |
# Mount external CA certificate into Istiod
name: external-ca-cert
mountPath: /etc/external-ca-cert
readOnly: true
- path: spec.template.spec.volumes[-1]
value: |
name: external-ca-cert
secret:
secretName: external-ca-cert
optional: true
EOF EOF
$ istioctl install --set profile=demo -f ./istio.yaml $ istioctl install --set profile=demo -f ./istio.yaml
{{< /text >}} {{< /text >}}