Remove doc on "Istio DNS Certificate Management" (#11369)

* Remove doc on "Istio DNS Certificate Management" This document gives harmful advice. This feature was intended to be used for signing control plane certificates, and actually doesn't work for other cases (cross namespace or any modern Kubernetes version are completely broken). * use archive link * name trick
2022-06-06 11:16:26 -07:00 · 2022-06-06 11:16:26 -07:00 · e1bc209fa0
parent 21489734c5
commit e1bc209fa0
4 changed files with 1 additions and 216 deletions
--- a/content/en/blog/2019/dns-cert/index.md
+++ b/content/en/blog/2019/dns-cert/index.md
@ -28,4 +28,4 @@ Chiron is the component provisioning and managing DNS certificates in Istio.
    caption="The architecture of provisioning and managing DNS certificates in Istio"
    >}}

-To try this new feature, refer to the [DNS certificate management task](/docs/tasks/security/cert-management/dns-cert).
+To try this new feature, refer to the [DNS certificate management task](https://archive.istio.io/v1.13/docs/tasks/security/cert-management/dns-cert/).
--- a/content/en/docs/tasks/security/cert-management/dns-cert/index.md
+++ b/content/en/docs/tasks/security/cert-management/dns-cert/index.md
@ -1,106 +0,0 @@
---
-title: Istio DNS Certificate Management
-description: Shows how to provision and manage DNS certificates in Istio.
-weight: 90
-keywords: [security,certificate]
-aliases:
-    - /docs/tasks/security/dns-cert/
-owner: istio/wg-security-maintainers
-test: yes
---
-
-This task shows how to provision and manage DNS certificates
-using [Chiron](/blog/2019/dns-cert/), a lightweight component linked with Istiod that signs certificates
-using the Kubernetes CA APIs without maintaining its own private key.
-Using this feature has the following advantages:
-
-* Unlike {{< gloss >}}Istiod{{< /gloss >}}, this feature doesn't require maintaining a private signing key, which enhances security.
-
-* Simplified root certificate distribution to TLS clients. Clients no longer need to wait for Istiod to generate and distribute its CA certificate.
-
-## Before you begin
-
-* Install Istio through `istioctl` with DNS certificates configured.
-The configuration is read when Istiod starts.
-
-{{< text bash >}}
-$ cat <<EOF > ./istio.yaml
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
-  meshConfig:
-    certificates:
-      - secretName: dns.example1-service-account
-        dnsNames: [example1.istio-system.svc, example1.istio-system]
-      - secretName: dns.example2-service-account
-        dnsNames: [example2.istio-system.svc, example2.istio-system]
-EOF
-$ istioctl install -f ./istio.yaml
-{{< /text >}}
-
-## DNS certificate provisioning and management
-
-Istio provisions the DNS names and secret names for the DNS certificates based on configuration you provide.
-The DNS certificates provisioned are signed by the Kubernetes CA and stored in the secrets following your configuration.
-Istio also manages the lifecycle of the DNS certificates, including their rotations and regenerations.
-
-## Configure DNS certificates
-
-The `IstioOperator` custom resource used to configure Istio in the `istioctl install` command, above,
-contains an example DNS certificate configuration. Within, the `dnsNames` field specifies the DNS
-names in a certificate and the `secretName` field specifies the name of the Kubernetes secret used to
-store the certificate and the key.
-
-## Check the provisioning of DNS certificates
-
-After configuring Istio to generate DNS certificates and storing them in secrets
-of your choosing, you can verify that the certificates were provisioned and work properly.
-
-To check that Istio generated the `dns.example1-service-account` DNS certificate as configured in the example,
-and that the certificate contains the configured DNS names, you need to get the secret from Kubernetes, parse it,
-decode it, and view its text output with the following command:
-
-{{< text bash >}}
-$ kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
-{{< /text >}}
-
-The text output should include:
-
-{{< text plain >}}
-            X509v3 Subject Alternative Name:
-                DNS:example1.istio-system.svc, DNS:example1.istio-system
-{{< /text >}}
-
-## Regenerating a DNS certificate
-
-Istio can also regenerate DNS certificates that were mistakenly deleted. Next,
-we show how you can delete a recently configured certificate and verify Istio regenerates it automatically.
-
-1. Delete the secret storing the DNS certificate configured earlier:
-
-    {{< text bash >}}
-    $ kubectl delete secret dns.example1-service-account -n istio-system
-    {{< /text >}}
-
-1. To check that Istio regenerated the deleted DNS certificate, and that the certificate
-contains the configured DNS names, you need to get the secret from Kubernetes, parse it, decode it,
-and view its text output with the following command:
-
-    {{< text bash >}}
-    $ sleep 10; kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
-    {{< /text >}}
-
-The output should include:
-
-{{< text plain >}}
-            X509v3 Subject Alternative Name:
-                DNS:example1.istio-system.svc, DNS:example1.istio-system
-{{< /text >}}
-
-## Cleanup
-
-*   To remove the `istio-system` namespace:
-
-    {{< text bash >}}
-    $ kubectl delete ns istio-system
-    {{< /text >}}
--- a/content/en/docs/tasks/security/cert-management/dns-cert/snips.sh
+++ b/content/en/docs/tasks/security/cert-management/dns-cert/snips.sh
@ -1,62 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2034,SC2153,SC2155,SC2164
-
-# Copyright Istio Authors. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-####################################################################################################
-# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
-#          docs/tasks/security/cert-management/dns-cert/index.md
-####################################################################################################
-
-snip_before_you_begin_1() {
-cat <<EOF > ./istio.yaml
-apiVersion: install.istio.io/v1alpha1
-kind: IstioOperator
-spec:
-  meshConfig:
-    certificates:
-      - secretName: dns.example1-service-account
-        dnsNames: [example1.istio-system.svc, example1.istio-system]
-      - secretName: dns.example2-service-account
-        dnsNames: [example2.istio-system.svc, example2.istio-system]
-EOF
-istioctl install -f ./istio.yaml
-}
-
-snip_check_the_provisioning_of_dns_certificates_1() {
-kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
-}
-
-! read -r -d '' snip_check_the_provisioning_of_dns_certificates_2 <<\ENDSNIP
-            X509v3 Subject Alternative Name:
-                DNS:example1.istio-system.svc, DNS:example1.istio-system
-ENDSNIP
-
-snip_regenerating_a_dns_certificate_1() {
-kubectl delete secret dns.example1-service-account -n istio-system
-}
-
-snip_regenerating_a_dns_certificate_2() {
-sleep 10; kubectl get secret dns.example1-service-account -n istio-system -o jsonpath="{.data['cert-chain\.pem']}" | base64 --decode | openssl x509 -in /dev/stdin -text -noout
-}
-
-! read -r -d '' snip_regenerating_a_dns_certificate_3 <<\ENDSNIP
-            X509v3 Subject Alternative Name:
-                DNS:example1.istio-system.svc, DNS:example1.istio-system
-ENDSNIP
-
-snip_cleanup_1() {
-kubectl delete ns istio-system
-}
--- a/content/en/docs/tasks/security/cert-management/dns-cert/test.sh
+++ b/content/en/docs/tasks/security/cert-management/dns-cert/test.sh
@ -1,47 +0,0 @@
-#!/usr/bin/env bash
-# shellcheck disable=SC1090,SC2154
-
-# Copyright Istio Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# shellcheck disable=SC2001
-
-set -e
-set -u
-set -o pipefail
-
-# @setup profile=none
-
-export VERIFY_TIMEOUT=300
-
-echo y | snip_before_you_begin_1
-_wait_for_deployment istio-system istiod
-
-# helper functions
-check_dns_certs() {
-    snip_check_the_provisioning_of_dns_certificates_1 | sed 's/[ ]*$//' # Remove trailing spaces
-}
-regen_dns_certs() {
-    snip_regenerating_a_dns_certificate_2 | sed 's/[ ]*$//' # Remove trailing spaces
-}
-
-_verify_contains check_dns_certs "$snip_check_the_provisioning_of_dns_certificates_2"
-
-snip_regenerating_a_dns_certificate_1
-
-_verify_contains regen_dns_certs "$snip_regenerating_a_dns_certificate_3"
-
-# @cleanup
-echo y | istioctl x uninstall --revision=default
-snip_cleanup_1