istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

cacerts secret to replace with istio-ca-secret (#6829) 

Currently, 1.5.0 istiod is looking for istio-ca-secret, while in 1.4.x it was cacerts.
This commit is contained in:
tigran-a 2020-03-09 21:21:37 +01:00 committed by GitHub
parent 1ffb1d8506
commit d4eba6eb52
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
content/en/docs/tasks/security/plugin-ca-cert/index.md
View File

@ -30,18 +30,18 @@ Note that if your `ca-cert.pem` is the same as `root-cert.pem`, the `cert-chain.
These files are ready to use in the `samples/certs/` directory. These files are ready to use in the `samples/certs/` directory.
{{< tip >}} {{< tip >}}
The default Istio's CA installation sets [command line options](/docs/reference/commands/istio_ca/index.html) to configure the location of certificates and keys based on the predefined secret and file names used in the command below (i.e., secret named `cacert`, root certificate in a file named `root-cert.pem`, Istio CA's key in `ca-key.pem`, etc.) The default Istio's CA installation sets [command line options](/docs/reference/commands/istio_ca/index.html) to configure the location of certificates and keys based on the predefined secret and file names used in the command below (i.e., secret named `istio-ca-secret`, root certificate in a file named `root-cert.pem`, Istio CA's key in `ca-key.pem`, etc.)
You must use these specific secret and file names, or reconfigure Istio's CA when you deploy it. You must use these specific secret and file names, or reconfigure Istio's CA when you deploy it.
{{< /tip >}} {{< /tip >}}
The following steps plug in the certificates and key into a Kubernetes secret, The following steps plug in the certificates and key into a Kubernetes secret,
which will be read by Istio's CA: which will be read by Istio's CA:
1. Create a secret `cacerts` including all the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`: 1. Create a secret `istio-ca-secret` including all the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`:
{{< text bash >}} {{< text bash >}}
$ kubectl create namespace istio-system $ kubectl create namespace istio-system
$ kubectl create secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem \ $ kubectl create secret generic istio-ca-secret -n istio-system --from-file=samples/certs/ca-cert.pem \
--from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem \ --from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem \
--from-file=samples/certs/cert-chain.pem --from-file=samples/certs/cert-chain.pem
{{< /text >}} {{< /text >}}
@ -106,10 +106,10 @@ This requires you have `openssl` installed on your machine.
## Cleanup ## Cleanup
* To remove the secret `cacerts` and redeploy Istio's CA with self-signed root certificate: * To remove the secret `istio-ca-secret` and redeploy Istio's CA with self-signed root certificate:
{{< text bash >}} {{< text bash >}}
$ kubectl delete secret cacerts -n istio-system $ kubectl delete secret istio-ca-secret -n istio-system
$ istioctl manifest apply $ istioctl manifest apply
{{< /text >}} {{< /text >}}