istio / istio.io

Source for the istio.io site
https://istio.io/
Apache License 2.0

Issue with docs/ops/configuration/security/root-transition/index.md #8089

Closed woodliu closed 5 months ago

woodliu commented 4 years ago

The script in this step is not fit for Istio 1.7. And the pod with the Envoy sidecar does not restart after extending the CA lifetime.

rootsongjc commented 4 years ago

I have an Istio 1.7 cluster, I'll test it out tomorrow.

sandyhu533 commented 4 years ago

I tested in an Istio 1.7.2 cluster with the following steps:

  1. Change the CA and restart istiod:
    kubectl delete secret cacerts -n istio-system
    kubectl create secret generic cacerts -n istio-system --from-file=ca-cert.pem --from-file=ca-key.pem --from-file=root-cert.pem --from-file=cert-chain.pem
    kubectl rollout restart deployment/istiod -n istio-system
  2. The certs in the dataplane pod remain unchanged and the new Istio CRD can't be applied to Envoy.
  3. Restart all dataplane deployments:
    kubectl rollout restart deployment/sleep
  4. The certs are changed and the CRDs are applied.

My test env:

    istioctl version
    client version: 1.7.2
    control plane version: 1.7.2
    data plane version: 1.7.2 (1 proxies)

Conclusion: in 1.7.2, 'Extending Self-Signed Certificate Lifetime' may need a rollout restart of istiod and all deployments.
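Added example, not part of any comment in this thread and not Istio project code: a check for step 2 above, telling whether a sidecar's trust bundle already contains the root from the new `root-cert.pem` or is still stale and needs the restart from step 3. It assumes the proxy's trust bundle has already been saved to a PEM file; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: compare the root in the replaced cacerts secret with the
# trust bundle a sidecar currently holds. Works on PEM files only, so it
# runs offline. Assumption: the proxy-side bundle was exported to a file.

# Print one SHA-256 digest per certificate in a PEM file or bundle.
# Line wrapping and CRLF differences do not change the digest, because the
# base64 body is joined and decoded to DER bytes before hashing.
pem_fingerprints() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
    /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
    inside { gsub(/[ \t\r]/, ""); body = body $0 }
  ' "$1" | while IFS= read -r b64; do
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
  done
}

# root_is_current NEW_ROOT_PEM PROXY_BUNDLE_PEM
# Returns 0 when every certificate in NEW_ROOT_PEM is present in the proxy
# bundle, 1 when the proxy is stale (still needs a rollout restart), and
# 2 when either file contains no certificate at all.
root_is_current() {
  local want have fp
  want=$(pem_fingerprints "$1")
  have=$(pem_fingerprints "$2")
  [ -n "$want" ] && [ -n "$have" ] || return 2
  for fp in $want; do
    printf '%s\n' "$have" | grep -qx "$fp" || return 1
  done
  return 0
}
```

A bundle that holds both the old and the new root counts as current, which matches the state of a proxy during a root transition.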

howardjohn commented 5 months ago

This doc is removed