Minimum OpenSSL Version Required (#7763)

* add missing cleanup for vs nginx * add openssl req * Apply suggestions from code review Co-authored-by: Frank Budinsky <frankb@ca.ibm.com> Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
2020-07-22 11:32:35 -04:00 · 2020-07-22 11:32:35 -04:00 · 9dd06e5201
parent 2d8ded6804
commit 9dd06e5201
4 changed files with 40 additions and 2 deletions
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/index.md
@ -41,6 +41,17 @@ The TLS required private key, server certificate, and root certificate, are conf

    Note that any pod that you can `exec` and `curl` from would do.

+*   For macOS users, verify that you are using `openssl` version 1.1 or later:
+
+    {{< text bash >}}
+    $ openssl version -a | grep OpenSSL
+    OpenSSL 1.1.1g  21 Apr 2020
+    {{< /text >}}
+
+    If the previous command outputs a version `1.1` or later, as shown, your `openssl` command
+    should work correctly with the instructions in this task. Otherwise, upgrade your `openssl` or try
+    a different implementation of `openssl`, for example on a Linux machine.
+
 *   [Deploy an Istio egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway).

 *   [Enable Envoy’s access logging](/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging).
@ -349,7 +360,7 @@ to hold the configuration of the NGINX server:
    $ kubectl delete virtualservice direct-nginx-through-egress-gateway
    $ kubectl delete destinationrule egressgateway-for-nginx
    $ kubectl delete gateway istio-egressgateway
-    $ kubectl delete secret generic client-credential -n istio-system
+    $ kubectl delete secret client-credential-cacert -n istio-system
    $ kubectl delete service my-nginx -n mesh-external
    $ kubectl delete deployment my-nginx -n mesh-external
    $ kubectl delete configmap nginx-configmap -n mesh-external
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/snips.sh
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/snips.sh
@ -28,6 +28,14 @@ snip_before_you_begin_2() {
 kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml)
 }

+snip_before_you_begin_3() {
+openssl version -a | grep OpenSSL
+}
+
+! read -r -d '' snip_before_you_begin_3_out <<\ENDSNIP
+OpenSSL 1.1.1g  21 Apr 2020
+ENDSNIP
+
 snip_generate_ca_and_server_certificates_and_keys_1() {
 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
 }
@ -259,7 +267,7 @@ kubectl delete destinationrule originate-tls-for-nginx
 kubectl delete virtualservice direct-nginx-through-egress-gateway
 kubectl delete destinationrule egressgateway-for-nginx
 kubectl delete gateway istio-egressgateway
-kubectl delete secret generic client-credential -n istio-system
+kubectl delete secret client-credential-cacert -n istio-system
 kubectl delete service my-nginx -n mesh-external
 kubectl delete deployment my-nginx -n mesh-external
 kubectl delete configmap nginx-configmap -n mesh-external
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
@ -45,6 +45,17 @@ traffic to external services.
    $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
    {{< /text >}}

+*   For macOS users, verify that you are using `openssl` version 1.1 or later:
+
+    {{< text bash >}}
+    $ openssl version -a | grep OpenSSL
+    OpenSSL 1.1.1g  21 Apr 2020
+    {{< /text >}}
+
+    If the previous command outputs a version `1.1` or later, as shown, your `openssl` command
+    should work correctly with the instructions in this task. Otherwise, upgrade your `openssl` or try
+    a different implementation of `openssl`, for example on a Linux machine.
+
 *   [Deploy Istio egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway).

 *   [Enable Envoy’s access logging](/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging)
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh
@ -32,6 +32,14 @@ snip_before_you_begin_3() {
 export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
 }

+snip_before_you_begin_4() {
+openssl version -a | grep OpenSSL
+}
+
+! read -r -d '' snip_before_you_begin_4_out <<\ENDSNIP
+OpenSSL 1.1.1g  21 Apr 2020
+ENDSNIP
+
 snip_perform_tls_origination_with_an_egress_gateway_1() {
 kubectl apply -f - <<EOF
 apiVersion: networking.istio.io/v1alpha3