mirror of https://github.com/istio/istio.io.git
421 lines
18 KiB
HTML
421 lines
18 KiB
HTML
---
|
|
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO
|
|
source_repo: https://github.com/istio/istio
|
|
title: istio_ca
|
|
description: Istio Certificate Authority (CA).
|
|
generator: pkg-collateral-docs
|
|
number_of_entries: 4
|
|
max_toc_level: 2
|
|
remove_toc_prefix: 'istio_ca '
|
|
---
|
|
<p>Istio Certificate Authority (CA).</p>
|
|
<pre class="language-bash"><code>istio_ca [flags]
|
|
</code></pre>
|
|
<table class="command-flags">
|
|
<thead>
|
|
<tr>
|
|
<th>Flags</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td><code>--append-dns-names</code></td>
|
|
<td>Append DNS names to the certificates for webhook services. </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--cert-chain <string></code></td>
|
|
<td>Path to the certificate chain file. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--citadel-storage-namespace <string></code></td>
|
|
<td>Namespace where the Citadel pod is running. Will not be used if explicit file or other storage mechanism is specified. (default `istio-system`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--ctrlz_address <string></code></td>
|
|
<td>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--ctrlz_port <uint16></code></td>
|
|
<td>The IP port to use for the ControlZ introspection facility (default `9876`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--custom-dns-names <string></code></td>
|
|
<td>The list of account.namespace:customdns names, separated by comma. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--enable-profiling</code></td>
|
|
<td>Enabling profiling when monitoring Citadel. </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--experimental-dual-use</code></td>
|
|
<td>Enable dual-use mode. Generates certificates with a CommonName identical to the SAN. </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--grpc-host-identities <string></code></td>
|
|
<td>The list of hostnames for istio ca server, separated by comma. (default `istio-ca,istio-citadel`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--grpc-port <int></code></td>
|
|
<td>The port number for Citadel GRPC server. If unspecified, Citadel will not serve GRPC requests. (default `8060`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--key-size <int></code></td>
|
|
<td>Size of generated private key. (default `2048`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--kube-config <string></code></td>
|
|
<td>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--listened-namespaces <string></code></td>
|
|
<td>Select the namespaces for the Citadel to listen to, separated by comma. If unspecified, Citadel tries to use the ${NAMESPACE} environment variable. If neither is set, Citadel listens to all namespaces. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--liveness-probe-interval <duration></code></td>
|
|
<td>Interval of updating file for the liveness probe. (default `0s`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--liveness-probe-path <string></code></td>
|
|
<td>Path to the file for the liveness probe. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_as_json</code></td>
|
|
<td>Whether to format output as JSON or in plain console-friendly format </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_caller <string></code></td>
|
|
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_output_level <string></code></td>
|
|
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate <string></code></td>
|
|
<td>The path for the optional rotating log file (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate_max_age <int></code></td>
|
|
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate_max_backups <int></code></td>
|
|
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate_max_size <int></code></td>
|
|
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_stacktrace_level <string></code></td>
|
|
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_target <stringArray></code></td>
|
|
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--max-workload-cert-ttl <duration></code></td>
|
|
<td>The max TTL of issued workload certificates. (default `2160h0m0s`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--monitoring-port <int></code></td>
|
|
<td>The port number for monitoring Citadel. If unspecified, Citadel will disable monitoring. (default `15014`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--org <string></code></td>
|
|
<td>Organization for the certificate. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--pkcs8-keys</code></td>
|
|
<td>Whether to generate PKCS#8 private keys. </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--probe-check-interval <duration></code></td>
|
|
<td>Interval of checking the liveness of the CA. (default `30s`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--read-signing-cert-only</code></td>
|
|
<td>When set, Citadel only reads the self-signed signing cert and key from Kubernetes secret without generating one (if not exist). This flag avoids racing condition between multiple Citadels generating self-signed key and cert. Please make sure one and only one Citadel instance has this flag set to false. </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--requested-ca-cert-ttl <duration></code></td>
|
|
<td>The requested TTL for the CA certificate. (default `8760h0m0s`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--root-cert <string></code></td>
|
|
<td>Path to the root certificate file. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--sds-enabled</code></td>
|
|
<td>Whether SDS is enabled. </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--self-signed-ca</code></td>
|
|
<td>Indicates whether to use auto-generated self-signed CA certificate. When set to true, the '--signing-cert' and '--signing-key' options are ignored. </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--server-only</code></td>
|
|
<td>When set, Citadel only serves as a server without writing the Kubernetes secrets. </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--sign-ca-certs</code></td>
|
|
<td>Whether Citadel signs certificates for other CAs. </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--signing-cert <string></code></td>
|
|
<td>Path to the CA signing certificate file. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--signing-key <string></code></td>
|
|
<td>Path to the CA signing key file. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--trust-domain <string></code></td>
|
|
<td>The domain serves to identify the system with SPIFFE. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--upstream-ca-address <string></code></td>
|
|
<td>The IP:port address of the upstream CA. When set, the CA will rely on the upstream Citadel to provision its own certificate. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--workload-cert-grace-period-ratio <float32></code></td>
|
|
<td>The workload certificate rotation grace period, as a ratio of the workload certificate TTL. (default `0.5`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--workload-cert-ttl <duration></code></td>
|
|
<td>The TTL of issued workload certificates. (default `2160h0m0s`)</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<h2 id="istio_ca-probe">istio_ca probe</h2>
|
|
<p>Check the liveness or readiness of a locally-running server</p>
|
|
<pre class="language-bash"><code>istio_ca probe [flags]
|
|
</code></pre>
|
|
<table class="command-flags">
|
|
<thead>
|
|
<tr>
|
|
<th>Flags</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td><code>--ctrlz_address <string></code></td>
|
|
<td>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--ctrlz_port <uint16></code></td>
|
|
<td>The IP port to use for the ControlZ introspection facility (default `9876`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--interval <duration></code></td>
|
|
<td>Duration used for checking the target file's last modified time. (default `0s`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_as_json</code></td>
|
|
<td>Whether to format output as JSON or in plain console-friendly format </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_caller <string></code></td>
|
|
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_output_level <string></code></td>
|
|
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate <string></code></td>
|
|
<td>The path for the optional rotating log file (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate_max_age <int></code></td>
|
|
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate_max_backups <int></code></td>
|
|
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate_max_size <int></code></td>
|
|
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_stacktrace_level <string></code></td>
|
|
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_target <stringArray></code></td>
|
|
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--probe-path <string></code></td>
|
|
<td>Path of the file for checking the availability. (default ``)</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<h2 id="istio_ca-version">istio_ca version</h2>
|
|
<p>Prints out build version information</p>
|
|
<pre class="language-bash"><code>istio_ca version [flags]
|
|
</code></pre>
|
|
<table class="command-flags">
|
|
<thead>
|
|
<tr>
|
|
<th>Flags</th>
|
|
<th>Shorthand</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td><code>--ctrlz_address <string></code></td>
|
|
<td></td>
|
|
<td>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--ctrlz_port <uint16></code></td>
|
|
<td></td>
|
|
<td>The IP port to use for the ControlZ introspection facility (default `9876`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_as_json</code></td>
|
|
<td></td>
|
|
<td>Whether to format output as JSON or in plain console-friendly format </td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_caller <string></code></td>
|
|
<td></td>
|
|
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_output_level <string></code></td>
|
|
<td></td>
|
|
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate <string></code></td>
|
|
<td></td>
|
|
<td>The path for the optional rotating log file (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate_max_age <int></code></td>
|
|
<td></td>
|
|
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate_max_backups <int></code></td>
|
|
<td></td>
|
|
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_rotate_max_size <int></code></td>
|
|
<td></td>
|
|
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_stacktrace_level <string></code></td>
|
|
<td></td>
|
|
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--log_target <stringArray></code></td>
|
|
<td></td>
|
|
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--output <string></code></td>
|
|
<td><code>-o</code></td>
|
|
<td>One of 'yaml' or 'json'. (default ``)</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>--short</code></td>
|
|
<td><code>-s</code></td>
|
|
<td>Use --short=false to generate full version information </td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<h2 id="envvars">Environment variables</h2>
|
|
These environment variables affect the behavior of the <code>istio_ca</code> command.
|
|
<table class="envvars">
|
|
<thead>
|
|
<tr>
|
|
<th>Variable Name</th>
|
|
<th>Type</th>
|
|
<th>Default Value</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td><code>CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATOR</code></td>
|
|
<td>Boolean</td>
|
|
<td><code>true</code></td>
|
|
<td>If true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval.</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>CITADEL_ENABLE_NAMESPACES_BY_DEFAULT</code></td>
|
|
<td>Boolean</td>
|
|
<td><code>true</code></td>
|
|
<td>Determines whether unlabeled namespaces should be targeted by this Citadel instance</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>CITADEL_SELF_SIGNED_CA_CERT_TTL</code></td>
|
|
<td>Time Duration</td>
|
|
<td><code>87600h0m0s</code></td>
|
|
<td>The TTL of self-signed CA root certificate.</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVAL</code></td>
|
|
<td>Time Duration</td>
|
|
<td><code>1h0m0s</code></td>
|
|
<td>The interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes.</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILE</code></td>
|
|
<td>Integer</td>
|
|
<td><code>20</code></td>
|
|
<td>Grace period percentile for self-signed root cert.</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>CITADEL_WORKLOAD_CERT_MIN_GRACE_PERIOD</code></td>
|
|
<td>Time Duration</td>
|
|
<td><code>10m0s</code></td>
|
|
<td>The minimum workload certificate rotation grace period.</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>JWT_POLICY</code></td>
|
|
<td>String</td>
|
|
<td><code>third-party-jwt</code></td>
|
|
<td>The JWT validation policy.</td>
|
|
</tr>
|
|
<tr>
|
|
<td><code>NAMESPACE</code></td>
|
|
<td>String</td>
|
|
<td><code></code></td>
|
|
<td></td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<h2 id="metrics">Exported metrics</h2>
|
|
<table class="metrics">
|
|
<thead>
|
|
<tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr><td><code>citadel_secret_controller_csr_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when creating the CSR.</td></tr>
|
|
<tr><td><code>citadel_secret_controller_csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
|
|
<tr><td><code>citadel_secret_controller_secret_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates recreated due to secret deletion (service account still exists).</td></tr>
|
|
<tr><td><code>citadel_secret_controller_svc_acc_created_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates created due to service account creation.</td></tr>
|
|
<tr><td><code>citadel_secret_controller_svc_acc_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates deleted due to service account deletion.</td></tr>
|
|
<tr><td><code>citadel_server_authentication_failure_count</code></td><td><code>Sum</code></td><td>The number of authentication failures.</td></tr>
|
|
<tr><td><code>citadel_server_csr_count</code></td><td><code>Sum</code></td><td>The number of CSRs received by Citadel server.</td></tr>
|
|
<tr><td><code>citadel_server_csr_parsing_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when parsing the CSR.</td></tr>
|
|
<tr><td><code>citadel_server_csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
|
|
<tr><td><code>citadel_server_id_extraction_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when extracting the ID from CSR.</td></tr>
|
|
<tr><td><code>citadel_server_root_cert_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.</td></tr>
|
|
<tr><td><code>citadel_server_success_cert_issuance_count</code></td><td><code>Sum</code></td><td>The number of certificates issuances that have succeeded.</td></tr>
|
|
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
|
|
</tbody>
|
|
</table>
|