diff --git a/content/docs/concepts/security/index.md b/content/docs/concepts/security/index.md index a2fe362c07..46dc501846 100644 --- a/content/docs/concepts/security/index.md +++ b/content/docs/concepts/security/index.md @@ -235,7 +235,7 @@ before it becomes effective. ### Mutual TLS authentication Istio tunnels service-to-service communication through the client side and server side [Envoy proxies](https://envoyproxy.github.io/envoy/). -For a client to call a server, the steps followed are: +For a client to call a server with mutual TLS authentication: 1. Istio re-routes the outbound traffic from a client to the client's local sidecar Envoy. diff --git a/content/docs/setup/kubernetes/helm-install/index.md b/content/docs/setup/kubernetes/helm-install/index.md index 0d3ed060d4..631b801477 100644 --- a/content/docs/setup/kubernetes/helm-install/index.md +++ b/content/docs/setup/kubernetes/helm-install/index.md @@ -45,7 +45,7 @@ via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml {{< /text >}} - > If you are enabling `certmanager`, you also need to install its CRDs as well and wait a few seconds for the CRDs to be committed in the kube-apiserver: + If you are enabling `certmanager`, you also need to install its CRDs as well and wait a few seconds for the CRDs to be committed in the kube-apiserver: {{< text bash >}} $ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml 
@@ -62,6 +62,12 @@ via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml {{< /text >}} + If you want to enable [global mutual TLS](/docs/concepts/security/#mutual-tls-authentication), set `global.mtls.enabled` to `true`: + + {{< text bash >}} + $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set global.mtls.enabled=true > $HOME/istio.yaml + {{< /text >}} + 1. Install the components via the manifest: {{< text bash >}} @@ -93,6 +99,12 @@ to manage the lifecycle of Istio. $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system {{< /text >}} + If you want to enable [global mutual TLS](/docs/concepts/security/#mutual-tls-authentication), set `global.mtls.enabled` to `true`: + + {{< text bash >}} + $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set global.mtls.enabled=true + {{< /text >}} + ## Uninstall * For option 1, uninstall using `kubectl`: diff --git a/content/docs/setup/kubernetes/quick-start/index.md b/content/docs/setup/kubernetes/quick-start/index.md index bd17224d2d..01884f77d4 100644 --- a/content/docs/setup/kubernetes/quick-start/index.md +++ b/content/docs/setup/kubernetes/quick-start/index.md @@ -65,8 +65,8 @@ $ kubectl apply -f install/kubernetes/istio-demo.yaml Use this option only on a fresh Kubernetes cluster where newly deployed workloads are guaranteed to have Istio sidecars installed. -To Install Istio and enforce mutual TLS authentication between sidecars by -default: +To Install Istio and enforce [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) +between sidecars by default: {{< text bash >}} $ kubectl apply -f install/kubernetes/istio-demo-auth.yaml 
diff --git a/content/docs/tasks/security/plugin-ca-cert/index.md b/content/docs/tasks/security/plugin-ca-cert/index.md index fc4dd8c5e4..106d41ceb3 100644 --- a/content/docs/tasks/security/plugin-ca-cert/index.md +++ b/content/docs/tasks/security/plugin-ca-cert/index.md @@ -14,8 +14,13 @@ operator-specified root certificate. This task demonstrates an example to plug c ## Before you begin * Set up Istio by following the instructions in the - [quick start](/docs/setup/kubernetes/quick-start/) with global mutual TLS enabled by using [Helm](/docs/setup/kubernetes/helm-install/) - with `global.mtls.enabled` set to `true`. +[quick start](/docs/setup/kubernetes/quick-start/) with global mutual TLS enabled: + + Install from the [demo yaml file](/docs/setup/kubernetes/quick-start/#option-2-install-istio-with-default-mutual-tls-authentication). + + _**OR**_ + + Using [Helm](/docs/setup/kubernetes/helm-install/) with mutual TLS enabled. > Starting with Istio 0.7, you can use [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for all/selected services in a namespace (repeated for all namespaces to get global setting). See [authentication policy task](/docs/tasks/security/authn-policy/) 
@@ -45,8 +50,14 @@ The following steps enable plugging in the certificates and key into Citadel: --from-file=samples/certs/cert-chain.pem {{< /text >}} -1. Redeploy Citadel, which reads the certificates and key from the secret-mount files by using [Helm](/docs/setup/kubernetes/helm-install/) - with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`. +1. Redeploy Citadel using Helm with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`. + Citadel will read certificates and key from the secret-mount files. + + {{< text bash >}} + $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system -x charts/security/templates/deployment.yaml \ + --set global.mtls.enabled=true --set security.selfSigned=false > $HOME/citadel-plugin-cert.yaml + $ kubectl apply -f $HOME/citadel-plugin-cert.yaml + {{< /text >}} 1. To make sure the workloads obtain the new certificates promptly, delete the secrets generated by Citadel (named as istio.\*).
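Review bot: in the `helm-install/index.md` hunk at `@@ -45,7 +45,7 @@`, the sentence still reads "you also need to install its CRDs as well", which doubles up "also" and "as well"; since the line is being touched anyway to drop the `>`, trim it to "you also need to install its CRDs and wait a few seconds for the CRDs to be committed in the kube-apiserver:". Removing the `>` also changes the certmanager note from a callout into an indented paragraph inside the list item, so make sure the following `{{< text bash >}}` block is indented to the same level or it will break out of the numbered list.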
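Review bot: in the `helm-install/index.md` hunk at `@@ -93,6 +99,12 @@` (Option 2, install with `helm install`), the added command runs `helm template ... --set global.mtls.enabled=true` instead of `helm install`, so a reader following Option 2 gets a rendered manifest printed to stdout and no Tiller-managed release is created, which is exactly the lifecycle management Option 2 exists to provide. It should mirror the command two lines above it: `$ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set global.mtls.enabled=true`. The Option 1 hunk at `@@ -62,6 +62,12 @@` is correct as written, since that path is `helm template` redirected to `$HOME/istio.yaml`.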
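Review bot: in the `quick-start/index.md` hunk, "To Install Istio" keeps the stray capital I from the removed line; since the line is rewritten anyway, make it "To install Istio and enforce [mutual TLS authentication](...)".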
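Review bot: in the `plugin-ca-cert/index.md` hunk at `@@ -14,8 +14,13 @@`, the `[quick start](/docs/setup/kubernetes/quick-start/) with global mutual TLS enabled:` continuation line lost the two-space indent the removed line had, while the new `Install from the ...`, `_**OR**_` and `Using [Helm]` lines are indented, so the bullet body is inconsistently indented and relies on lazy continuation. Restore the indent on that line. The Helm alternative is also a sentence fragment and drops the concrete setting the removed text named; suggest "Install using [Helm](/docs/setup/kubernetes/helm-install/) with `global.mtls.enabled` set to `true`." so the reader knows which value to pass.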
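Review bot: in the `plugin-ca-cert/index.md` hunk at `@@ -45,8 +50,14 @@`, the new step renders only the Citadel Deployment with `helm template -x charts/security/templates/deployment.yaml` and applies it with `kubectl apply`. That is fine for a cluster set up with Option 1 (`helm template` plus `kubectl apply`), but the "Before you begin" section of this same file now offers the Helm install path as well; for a Tiller-managed release, applying a template-rendered Deployment bypasses the release, and the next `helm upgrade` will put Citadel back on `security.selfSigned=true`, silently reverting to the self-signed CA. Either state that this step is for the Option 1 path, or give the release-managed equivalent (`helm upgrade` with the same `--set` values) alongside it. Minor: "Citadel will read certificates and key from the secret-mount files" should be "the certificates and key".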