add a check of Envoy's certificates to the troubleshooting section (#1845)

* add a check of Envoy's certificates to the troubleshooting section based on https://github.com/istio/istio/issues/7009#issuecomment-405195183 * fix tabs for lint checker
2018-07-17 14:56:36 +03:00 · 2018-07-17 14:56:36 +03:00 · 9de471a035
parent be5c87b2da
commit 9de471a035
1 changed files with 10 additions and 0 deletions
--- a/content/docs/tasks/traffic-management/secure-ingress/index.md
+++ b/content/docs/tasks/traffic-management/secure-ingress/index.md
@ -276,6 +276,16 @@ they have valid values, according to the output of the following commands:
        Subject: C=US, ST=Denial, L=Springfield, O=Dis, CN=httpbin.example.com
    {{< /text >}}

+1.  Verify that the proxy of the ingress gateway is aware of the certificates:
+
+    {{< text bash >}}
+    $ kubectl exec -ti $(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath={.items[0]..metadata.name}) -n istio-system -- curl  127.0.0.1:15000/certs
+    {
+      "ca_cert": "",
+      "cert_chain": "Certificate Path: /etc/istio/ingressgateway-certs/tls.crt, Serial Number: 100212, Days until Expiration: 370"
+    }
+    {{< /text >}}
+
 1.  Check the log of `istio-ingressgateway` for error messages:

    {{< text bash >}}