Fix plugin cert doc and improve helm instructions (#2630)

* Fix plugin cert doc. * Small fix. * Small fix. * Small fix.
2018-09-18 05:54:24 -07:00 · 2018-09-18 05:54:24 -07:00 · 770155d677
parent b7cc221935
commit 770155d677
4 changed files with 31 additions and 8 deletions
--- a/content/docs/concepts/security/index.md
+++ b/content/docs/concepts/security/index.md
@ -235,7 +235,7 @@ before it becomes effective.
 ### Mutual TLS authentication

 Istio tunnels service-to-service communication through the client side and server side [Envoy proxies](https://envoyproxy.github.io/envoy/).
-For a client to call a server, the steps followed are:
+For a client to call a server with mutual TLS authentication:

 1. Istio re-routes the outbound traffic from a client to the client's local sidecar Envoy.

--- a/content/docs/setup/kubernetes/helm-install/index.md
+++ b/content/docs/setup/kubernetes/helm-install/index.md
@ -45,7 +45,7 @@ via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the
    $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
    {{< /text >}}

-    > If you are enabling `certmanager`, you also need to install its CRDs as well and wait a few seconds for the CRDs to be committed in the kube-apiserver:
+    If you are enabling `certmanager`, you also need to install its CRDs as well and wait a few seconds for the CRDs to be committed in the kube-apiserver:

    {{< text bash >}}
    $ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
@ -62,6 +62,12 @@ via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the
    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml
    {{< /text >}}

+    If you want to enable [global mutual TLS](/docs/concepts/security/#mutual-tls-authentication), set `global.mtls.enabled` to `true`:
+
+    {{< text bash >}}
+    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set global.mtls.enabled=true > $HOME/istio.yaml
+    {{< /text >}}
+
 1. Install the components via the manifest:

    {{< text bash >}}
@ -93,6 +99,12 @@ to manage the lifecycle of Istio.
    $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system
    {{< /text >}}

+    If you want to enable [global mutual TLS](/docs/concepts/security/#mutual-tls-authentication), set `global.mtls.enabled` to `true`:
+
+    {{< text bash >}}
+    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set global.mtls.enabled=true
+    {{< /text >}}
+
 ## Uninstall

 * For option 1, uninstall using `kubectl`:
--- a/content/docs/setup/kubernetes/quick-start/index.md
+++ b/content/docs/setup/kubernetes/quick-start/index.md
@ -65,8 +65,8 @@ $ kubectl apply -f install/kubernetes/istio-demo.yaml
 Use this option only on a fresh Kubernetes cluster where newly deployed
 workloads are guaranteed to have Istio sidecars installed.

-To Install Istio and enforce mutual TLS authentication between sidecars by
-default:
+To Install Istio and enforce [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication)
+between sidecars by default:

 {{< text bash >}}
 $ kubectl apply -f install/kubernetes/istio-demo-auth.yaml
--- a/content/docs/tasks/security/plugin-ca-cert/index.md
+++ b/content/docs/tasks/security/plugin-ca-cert/index.md
@ -14,8 +14,13 @@ operator-specified root certificate. This task demonstrates an example to plug c
 ## Before you begin

 * Set up Istio by following the instructions in the
-  [quick start](/docs/setup/kubernetes/quick-start/) with global mutual TLS enabled by using [Helm](/docs/setup/kubernetes/helm-install/)
-  with `global.mtls.enabled` set to `true`.
+[quick start](/docs/setup/kubernetes/quick-start/) with global mutual TLS enabled:
+
+  Install from the [demo yaml file](/docs/setup/kubernetes/quick-start/#option-2-install-istio-with-default-mutual-tls-authentication).
+
+  _**OR**_
+
+  Using [Helm](/docs/setup/kubernetes/helm-install/) with mutual TLS enabled.

 > Starting with Istio 0.7, you can use [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for all/selected services in a namespace (repeated for all namespaces to get global setting). See [authentication policy task](/docs/tasks/security/authn-policy/)

@ -45,8 +50,14 @@ The following steps enable plugging in the certificates and key into Citadel:
        --from-file=samples/certs/cert-chain.pem
    {{< /text >}}

-1.  Redeploy Citadel, which reads the certificates and key from the secret-mount files by using [Helm](/docs/setup/kubernetes/helm-install/)
-    with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`.
+1.  Redeploy Citadel using Helm with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`.
+    Citadel will read certificates and key from the secret-mount files.
+
+    {{< text bash >}}
+    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system -x charts/security/templates/deployment.yaml \
+    --set global.mtls.enabled=true --set security.selfSigned=false > $HOME/citadel-plugin-cert.yaml
+    $ kubectl apply -f $HOME/citadel-plugin-cert.yaml
+    {{< /text >}}

 1.  To make sure the workloads obtain the new certificates promptly,
    delete the secrets generated by Citadel (named as istio.\*).