Skip to content

task cert-management/custom-ca-k8s: preliminary doc tests #9707

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

task cert-management/custom-ca-k8s: preliminary doc tests #9707

wants to merge 2 commits into from

Conversation

shankgan
Copy link
Contributor

@shankgan shankgan commented May 10, 2021
edited by istio-policy-bot
Loading

Adding doc tests for security:custom ca task

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

@shankgan shankgan requested a review from a team as a code owner May 10, 2021 22:57
@istio-policy-bot
Copy link

😊 Welcome! This is either your first contribution to the Istio documentation repo, or
it's been awhile since you've been here. A few things you should know:

  • You can learn about how we write and maintain documentation, about our style guidelines,
    and about all the available web site features by visiting Contributing to the Docs.

  • In the next few minutes, an automatic preview of your change will be
    built as a full copy of the istio.io website. You can find this preview by clicking on
    the Details link next to the deploy/netlify entry in the Status section of this
    page.

  • We care about quality, so we've put in place a number of checks to ensure our documentation
    is top notch. We do spell checking, we sanitize the markdown, we ensure all hyperlinks point
    to valid location, and more. If your PR doesn't pass one of these checks, you'll see a red X in the
    status section of the page. Click on the Details link to get a list of the problems with your PR.
    Fix those problems and push an update to your PR. This will automatically rerun the tests and
    hopefully this time everything will be perfect.

  • Once your changes are accepted and merged into the repository, they will initially show up
    on https://preliminary.istio.io. The changes will be published to https://istio.io
    the next time we do a major release (which typically happens every 3 months or so).

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@google-cla google-cla bot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label May 10, 2021
@istio-testing istio-testing added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 10, 2021
@shankgan shankgan added the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label May 10, 2021
ericvn
ericvn reviewed May 11, 2021
View reviewed changes
content/en/docs/tasks/security/cert-management/custom-ca-k8s/index.md Outdated
{{< /text >}}

The proxy_secret json file contains the CA root certificate for mTLS in the `trustedCA` field. Note that this certificate is base64 encoded.

1. The certificate used by the Kubernetes CA (specifically the `kubernetes.io/legacy-unknown` signer) is loaded onto the secret associated with every service account in the bookinfo namespace.
2. The certificate used by the Kubernetes CA (specifically the `kubernetes.io/legacy-unknown` signer) is loaded onto the secret associated with every service account in the bookinfo namespace. k get secret/$secret -n istio-system -o json | jq '.data."ca.crt"' | sed 's/\"//g' | base64 -d
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should use 1. for all items. If things are getting reset, it is usually an issue with indentation.

content/en/docs/tasks/security/cert-management/custom-ca-k8s/index.md
### Verify that the certificates installed are correct

When the workloads are deployed, above, they send CSR Requests to Istiod which forwards them to the Kubernetes CA for signing.
If all goes well, the signed certificates are sent back to the workloads where they are then installed.
To verify that they have been signed by the Kubernetes CA, you need to first extract the signed certificates.

1. Dump all pods running in the namespace.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I notice you remove the installation of Bookinfo, but there is still an instruction below to follow the rest of the Bookinfo steps.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is an optional step, if the users want to explore mTLS with the custom ca signed certs. Are you suggesting that we add more detailed instructions/tests for this step? Or remove it?

@shankgan shankgan force-pushed the externalca_doctest branch from 9cf7986 to 9e52193 Compare May 12, 2021 21:07
@ericvn
Copy link
Contributor

ericvn commented May 27, 2021

/test doc.test.profile_none_istio.io

@istio-testing
Copy link
Contributor

@shankgan: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Jun 21, 2021
@istio-testing
Copy link
Contributor

@shankgan: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
lint_istio.io 9e52193 link /test lint_istio.io
doc.test.profile_none_istio.io 9e52193 link true /test doc.test.profile_none
doc.test.profile_default_istio.io 9e52193 link true /test doc.test.profile_default
doc.test.profile_demo_istio.io 9e52193 link true /test doc.test.profile_demo
doc.test.multicluster_istio.io 9e52193 link true /test doc.test.multicluster
doc.test.profile_minimal_istio.io 9e52193 link true /test doc.test.profile_minimal
doc.test.profile-demo_istio.io 9e52193 link true /test doc.test.profile-demo
doc.test.profile-default_istio.io 9e52193 link true /test doc.test.profile-default
doc.test.profile-none_istio.io 9e52193 link true /test doc.test.profile-none
doc.test.profile-minimal_istio.io 9e52193 link true /test doc.test.profile-minimal

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

craigbox
craigbox reviewed Nov 9, 2023
View reviewed changes
Copy link
Contributor

@craigbox craigbox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any chance you still want to rebase and get this one merged, @shankgan?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@craigbox craigbox craigbox left review comments

@ericvn ericvn ericvn left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. needs-rebase Indicates a PR needs to be rebased before being merged size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@shankgan @istio-policy-bot @ericvn @istio-testing @craigbox