Closed john-a-joyce closed 1 year ago
Also I am happy to prepare the fix for this if the above suggestion is agreed to. Also, as I understand the contributing guides, it would only need to be fixed in the English version.
ds is a Kubernetes abbreviation for "daemonset". So ds/ztunnel is valid, though an abbreviation for daemonset/ztunnel. Referencing the daemonset is easier for copy/paste demonstration purposes.
My bad on the DS abbreviation; I should have realized that was daemonset. So it isn't that the command was invalid as I initially suggested, but in my setup running the command on the daemonset returns no output/secrets, while running on 2 of the 3 pods provides the secrets. Here is some output.
ubuntu@eti-joycej-1:~/ambient/ambient$ ../istioctl pc secret ds/ztunnel -n istio-system -o json
{
}
ubuntu@eti-joycej-1:~/ambient/ambient$ ../istioctl pc secret ds/ztunnel -n istio-system
No active or warming secrets found.
ubuntu@eti-joycej-1:~/ambient/ambient$ kubectl get ds -A
NAMESPACE NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
istio-system istio-cni-node 3 3 3 3 3 kubernetes.io/os=linux 4d21h
istio-system ztunnel 3 3 3 3 3 <none> 4d21h
kube-system kindnet 3 3 3 3 3 <none> 6d
kube-system kube-proxy 3 3 3 3 3 kubernetes.io/os=linux 6d
metallb-system speaker 3 3 3 3 3 kubernetes.io/os=linux 6d
../istioctl version
client version: 0.0.0-ambient.191fe680b52c1754ee72a06b3e0d3f9d116f2e82
control plane version: 0.0.0
data plane version: 0.0.0-ambient.191fe680b52c1754ee72a06b3e0d3f9d116f2e82 (6 proxies)
Running the command on 2 of the 3 pods produces the secret. One of the pods also had no secrets.
../istioctl pc secret ztunnel-scg6h.istio-system -o json | jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | base64 --decode | openssl x509 -noout -text -in /dev/stdin | more
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
33:55:8d:fd:60:98:b1:c9:ba:6d:97:50:58:51:40:b5
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = cluster.local
Validity
Not Before: Nov 14 08:58:26 2022 GMT
Not After : Nov 15 09:00:26 2022 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:dc:33:72:67:d6:85:05:ef:09:58:f9:66:d1:34:
c5:65:55:b4:2c:23:9b:b9:68:4b:b2:52:d4:cc:68:
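An added example, not part of the thread or of Istio's docs: a Python check for the case reported above, where a target returns `{}` and the jq/base64/openssl pipeline has nothing to decode. The JSON field path is the one used in the command above; the `name` field, the secret names and the certificate body in the sample are constructed assumptions.

```python
import base64
import json

# Constructed sample shaped like `istioctl pc secret <pod> -o json` output.
# The certificate body is a placeholder, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_POD = json.dumps({
    "dynamicActiveSecrets": [
        {"name": "constructed-identity",
         "secret": {"tlsCertificate": {"certificateChain": {
             "inlineBytes": base64.b64encode(SAMPLE_PEM.encode()).decode()}}}},
        # An entry without tlsCertificate (assumed shape) must be skipped.
        {"name": "constructed-root", "secret": {"validationContext": {}}},
    ]
})
SAMPLE_DAEMONSET = "{\n}"  # the empty output the thread shows for ds/ztunnel


def cert_chains(dump_text):
    """Return [(secret name, PEM chain)] for every active secret that
    carries a TLS certificate; an empty dump yields an empty list."""
    dump = json.loads(dump_text or "{}")
    chains = []
    for entry in dump.get("dynamicActiveSecrets") or []:
        chain = (entry.get("secret", {}).get("tlsCertificate", {})
                 .get("certificateChain", {}).get("inlineBytes"))
        if not chain:
            continue
        pem = base64.b64decode(chain, validate=True).decode("ascii")
        if "-----BEGIN CERTIFICATE-----" not in pem:
            raise ValueError(f"secret {entry.get('name')!r}: not a PEM chain")
        chains.append((entry.get("name", "<unnamed>"), pem))
    return chains


def describe(dump_text):
    """One-line status, so an empty target is reported instead of being
    passed on to base64/openssl as jq's literal string 'null'."""
    chains = cert_chains(dump_text)
    if not chains:
        return "no active certificate secrets in this dump"
    return ", ".join(f"{n}: {p.count('BEGIN CERTIFICATE')} cert(s)" for n, p in chains)


if __name__ == "__main__":
    print(describe(SAMPLE_POD))
    print(describe(SAMPLE_DAEMONSET))
```

Each PEM chain returned by `cert_chains` can be written to a file and inspected with `openssl x509 -noout -text`, as in the command above.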
Use the following command as a model but replace the pod name(s) from your deployment.
Would it improve clarity for some users if we used angle brackets for placeholders? https://preliminary.istio.io/latest/docs/releases/contribute/formatting/#use-angle-brackets-for-placeholders
@rolfedh - that would help but the issue here is that in my setup no secrets were displayed when I specified a daemon set, but worked using a pod. I am not sure if they are supposed to be there or only on the pods.
It looks like the docs have been updated so it's clear why you might not get output.
I believe there is a small typo in the get-started-ambient in this line:
"If you are curious about the X.509 certificate for each identity, you can learn more about it by stepping through a certificate:
{{< text bash >}} $ istioctl pc secret ds/ztunnel -n istio-system -o json | jq -r"
Specifically the type appears wrong (I don't think ds is a valid type) and the name is truncated from a real example. A possible fix is:
"If you are curious about the X.509 certificate for each identity, you can learn more about it by stepping through a certificate. Use the following command as a model but replace the pod name(s) from your deployment.
{{< text bash >}} $ istioctl pc secret ztunnel-tcn4m -n istio-system -o json | jq -r"