From d6eb09bb9e56850652e3348a5c1c28ba2294218a Mon Sep 17 00:00:00 2001 From: Vadim Eisenberg Date: Tue, 22 Jan 2019 19:47:56 +0200 Subject: [PATCH] clarify secure ingress gateway troubleshooting regarding killing the pod to reload certificates (#3112) * put the instructions to kill the pod after checking that the key/certificate are loaded * add "if you created the secret, but..." before killing the pod * the secret -> the secret * kill -> delete --- .../secure-ingress/index.md | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/content/docs/tasks/traffic-management/secure-ingress/index.md b/content/docs/tasks/traffic-management/secure-ingress/index.md index 8d556eceee..00c4f24652 100644 --- a/content/docs/tasks/traffic-management/secure-ingress/index.md +++ b/content/docs/tasks/traffic-management/secure-ingress/index.md @@ -470,6 +470,13 @@ they have valid values, according to the output of the following commands: `tls.crt` and `tls.key` should exist in the directory contents. +1. If you created the `istio-ingressgateway-certs` secret, but the key and the certificate are not loaded, delete the + ingress gateway pod and force it to reload them. + + {{< text bash >}} + $ kubectl delete pod -n istio-system -l istio=ingressgateway + {{< /text >}} + 1. Verify that the _Subject_ is correct in the certificate of the ingress gateway: {{< text bash >}} @@ -493,12 +500,6 @@ they have valid values, according to the output of the following commands: $ kubectl logs -n istio-system -l istio=ingressgateway {{< /text >}} -1. If the secret was created but the keys were not mounted, delete the ingress gateway pod and force it to reload certs: - - {{< text bash >}} - $ kubectl delete pod -n istio-system -l istio=ingressgateway - {{< /text >}} - 1. For macOS users, verify that you use _curl_ compiled with the [LibreSSL](http://www.libressl.org) library, as described in the [Before you begin](#before-you-begin) section. 
@@ -514,6 +515,13 @@ In addition to the steps in the previous section, perform the following: `ca-chain.cert.pem` should exist in the directory contents. +1. If you created the `istio-ingressgateway-ca-certs` secret, but the CA certificate is not loaded, delete the ingress + gateway pod and force it to reload the certificate: + + {{< text bash >}} + $ kubectl delete pod -n istio-system -l istio=ingressgateway + {{< /text >}} + 1. Verify that the _Subject_ is correct in the CA certificate of the ingress gateway: {{< text bash >}} @@ -521,12 +529,6 @@ In addition to the steps in the previous section, perform the following: Subject: C=US, ST=Denial, L=Springfield, O=Dis, CN=httpbin.example.com {{< /text >}} -1. If the secret was created but the keys were not mounted, delete the ingress gateway pod and force it to reload certs: - - {{< text bash >}} - $ kubectl delete pod -n istio-system -l istio=ingressgateway - {{< /text >}} - ## Cleanup 1. Delete the `Gateway` configuration, the `VirtualService`, and the secrets:
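Review bot: In the first hunk (`@@ -470,6 +470,13`), the new step stops at the delete command and never tells the reader to confirm that the restart worked. Suggest adding a sentence asking them to repeat the previous step's directory check once the replacement pod is running, so that `tls.crt` and `tls.key` are seen to exist. The sentence also ends with a period before the code block ("force it to reload them."), while the parallel step added to the mutual TLS section ends with a colon; use the colon in both. Since `-l istio=ingressgateway` selects every pod carrying that label, a short remark that ingress traffic is interrupted until the replacement is ready would help readers running this on a shared cluster.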
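Review bot: With the deletion step removed from the end of the list in the second hunk (`@@ -493,12 +500,6`) and re-added earlier, the `kubectl logs -n istio-system -l istio=ingressgateway` step now comes after the pod has been deleted. A reader working through the list in order will see only the replacement pod's log, and whatever the original pod logged is no longer available. Suggest either moving the log check ahead of the deletion step or telling the reader to save the log before deleting the pod.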
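Review bot: The step added in the third hunk (`@@ -514,6 +515,13`) repeats the same `kubectl delete pod` command as the previous section, under a heading that says "In addition to the steps in the previous section", without saying whether a second restart is needed by a reader who has just deleted the pod there. Suggest stating when this deletion is required, for example only when the `istio-ingressgateway-ca-certs` secret was created after the last restart. It would also help to tie "the CA certificate is not loaded" to the observable check, that is, `ca-chain.cert.pem` missing from the directory contents in the step above.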