mirror of https://github.com/istio/istio.io.git
clarify secure ingress gateway troubleshooting regarding killing the pod to reload certificates (#3112)
* put the instructions to kill the pod after checking that the key/certificate are loaded
* add "if you created the secret, but..." before killing the pod
* the secret <secret name> -> the <secret name> secret
* kill -> delete
This commit is contained in:
parent
13dda4ce1c
commit
d6eb09bb9e
|
|
@ -470,6 +470,13 @@ they have valid values, according to the output of the following commands:
|
|||
|
||||
`tls.crt` and `tls.key` should exist in the directory contents.
|
||||
|
||||
1. If you created the `istio-ingressgateway-certs` secret, but the key and the certificate are not loaded, delete the
|
||||
ingress gateway pod and force it to reload them.
|
||||
|
||||
{{< text bash >}}
|
||||
$ kubectl delete pod -n istio-system -l istio=ingressgateway
|
||||
{{< /text >}}
|
||||
|
||||
1. Verify that the _Subject_ is correct in the certificate of the ingress gateway:
|
||||
|
||||
{{< text bash >}}
|
||||
|
|
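Review bot: The new step's sentence ends with a period ("...force it to reload them.") directly before the command block, while the matching step added for `istio-ingressgateway-ca-certs` ends with a colon; use the colon here too so both sections read the same. The phrase "delete the ingress gateway pod and force it to reload them" also reads as two separate actions, although the only command shown is `kubectl delete pod -n istio-system -l istio=ingressgateway`; "delete the ingress gateway pod to force it to reload them:" would match what the reader actually runs. Finally, the preceding check is that `tls.crt` and `tls.key` exist in the directory contents, so "not mounted" or "do not appear in the directory" would tie the condition to that check more directly than "not loaded".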
@ -493,12 +500,6 @@ they have valid values, according to the output of the following commands:
|
|||
$ kubectl logs -n istio-system -l istio=ingressgateway
|
||||
{{< /text >}}
|
||||
|
||||
1. If the secret was created but the keys were not mounted, delete the ingress gateway pod and force it to reload certs:
|
||||
|
||||
{{< text bash >}}
|
||||
$ kubectl delete pod -n istio-system -l istio=ingressgateway
|
||||
{{< /text >}}
|
||||
|
||||
1. For macOS users, verify that you use _curl_ compiled with the [LibreSSL](http://www.libressl.org) library, as
|
||||
described in the [Before you begin](#before-you-begin) section.
|
||||
|
||||
|
|
@ -514,6 +515,13 @@ In addition to the steps in the previous section, perform the following:
|
|||
|
||||
`ca-chain.cert.pem` should exist in the directory contents.
|
||||
|
||||
1. If you created the `istio-ingressgateway-ca-certs` secret, but the CA certificate is not loaded, delete the ingress
|
||||
gateway pod and force it to reload the certificate:
|
||||
|
||||
{{< text bash >}}
|
||||
$ kubectl delete pod -n istio-system -l istio=ingressgateway
|
||||
{{< /text >}}
|
||||
|
||||
1. Verify that the _Subject_ is correct in the CA certificate of the ingress gateway:
|
||||
|
||||
{{< text bash >}}
|
||||
|
|
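Review bot: The added step stops at the delete command and does not tell the reader to repeat the directory listing on the replacement pod, so there is no confirmation that `ca-chain.cert.pem` is now present before moving on to the _Subject_ check. Consider adding a sentence after the command block asking the reader to wait for the new pod to be running and then re-run the previous step. It is also worth stating that the selector `-l istio=ingressgateway` matches every ingress gateway pod in `istio-system`, so all replicas are deleted together and ingress traffic is interrupted until the replacements are ready. The same two points apply to the step added for `istio-ingressgateway-certs`.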
@ -521,12 +529,6 @@ In addition to the steps in the previous section, perform the following:
|
|||
Subject: C=US, ST=Denial, L=Springfield, O=Dis, CN=httpbin.example.com
|
||||
{{< /text >}}
|
||||
|
||||
1. If the secret was created but the keys were not mounted, delete the ingress gateway pod and force it to reload certs:
|
||||
|
||||
{{< text bash >}}
|
||||
$ kubectl delete pod -n istio-system -l istio=ingressgateway
|
||||
{{< /text >}}
|
||||
|
||||
## Cleanup
|
||||
|
||||
1. Delete the `Gateway` configuration, the `VirtualService`, and the secrets:
|
||||
|
|
|
|||