Open SataQiu opened 4 years ago
Source File: /docs/tasks/security/authorization/authz-td-migration/index.md Diff:
diff --git a/content/en/docs/tasks/security/authorization/authz-td-migration/index.md b/content/en/docs/tasks/security/authorization/authz-td-migration/index.md index 20ad1b312..f20b75814 100644 --- a/content/en/docs/tasks/security/authorization/authz-td-migration/index.md +++ b/content/en/docs/tasks/security/authorization/authz-td-migration/index.md @@ -1,7 +1,7 @@ --- title: Authorization Policy Trust Domain Migration description: Shows how to migrate from one trust domain to another without changing authorization policy. -weight: 40 +weight: 60 keywords: [security,access-control,rbac,authorization,trust domain, migration] --- @@ -20,18 +20,7 @@ In Istio 1.4, we introduce an alpha feature to support {{< gloss >}}trust domain 1. Install Istio with a custom trust domain and mutual TLS enabled. {{< text bash >}} - $ cat <<EOF > ./td-installation.yaml - apiVersion: install.istio.io/v1alpha2 - kind: IstioControlPlane - spec: - values: - global: - controlPlaneSecurityEnabled: false - mtls: - enabled: true - trustDomain: old-td - EOF - $ istioctl manifest apply --set profile=demo -f td-installation.yaml + $ istioctl manifest apply --set profile=demo --set values.global.trustDomain=old-td {{< /text >}} 1. Deploy the [httpbin]({{< github_tree >}}/samples/httpbin) sample in the `default` namespace 
@@ -95,33 +84,11 @@ Notice that it may take tens of seconds for the authorization policy to be propa 1. Install Istio with a new trust domain. {{< text bash >}} - $ cat <<EOF > ./td-installation.yaml - apiVersion: install.istio.io/v1alpha2 - kind: IstioControlPlane - spec: - values: - global: - controlPlaneSecurityEnabled: false - mtls: - enabled: true - trustDomain: new-td - EOF - $ istioctl manifest apply --set profile=demo -f td-installation.yaml + $ istioctl manifest apply --set profile=demo --set values.global.trustDomain=new-td {{< /text >}} Istio mesh is now running with a new trust domain, `new-td`. -1. Delete secrets of `sleep` and `httpbin` in `default` namespace and in `sleep-allow` namespace. Notice if you install Istio with SDS, -you don't need to follow this step. Learn more about [Provisioning Identity through SDS](/docs/tasks/security/citadel-config/auth-sds/) - - {{< text bash >}} - $ kubectl delete secrets istio.sleep; kubectl delete secrets istio.httpbin; - {{< /text >}} - - {{< text bash >}} - $ kubectl delete secrets istio.sleep -n sleep-allow - {{< /text >}} - 1. Redeploy the `httpbin` and `sleep` applications to pick up changes from the new Istio control plane. {{< text bash >}} @@ -157,14 +124,11 @@ you don't need to follow this step. Learn more about [Provisioning Identity thro {{< text bash >}} $ cat <<EOF > ./td-installation.yaml - apiVersion: install.istio.io/v1alpha2 - kind: IstioControlPlane + apiVersion: install.istio.io/v1alpha1 + kind: IstioOperator spec: values: global: - controlPlaneSecurityEnabled: false - mtls: - enabled: true trustDomain: new-td trustDomainAliases: - old-td 
@@ -201,8 +165,8 @@ as the old trust domain without you having to include the aliases. {{< text bash >}} $ kubectl delete authorizationpolicy service-httpbin.default.svc.cluster.local -$ kubectl delete deploy httpbin; k delete service httpbin; k delete serviceaccount httpbin -$ kubectl delete deploy sleep; k delete service sleep; k delete serviceaccount sleep +$ kubectl delete deploy httpbin; kubectl delete service httpbin; kubectl delete serviceaccount httpbin +$ kubectl delete deploy sleep; kubectl delete service sleep; kubectl delete serviceaccount sleep $ kubectl delete namespace sleep-allow $ istioctl manifest generate --set profile=demo -f td-installation.yaml | kubectl delete -f - -{{< /text >}} \ No newline at end of file +{{< /text >}}
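Review bot: In the hunk at `@@ -20,18 +20,7 @@`, the step text still reads "Install Istio with a custom trust domain and mutual TLS enabled", but the replacement command sets only `values.global.trustDomain=old-td` and drops the `mtls: enabled: true` value that the removed file carried. The authorization policy in this task matches on peer identity, which depends on mutual TLS, so the step should either keep the setting (for example `--set values.global.mtls.enabled=true`) or state explicitly that it relies on the profile default for the targeted release.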
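Review bot: The hunk at `@@ -95,33 +84,11 @@` removes the "Delete secrets of `sleep` and `httpbin`" step, which the removed text said could be skipped only "if you install Istio with SDS". Nothing in the remaining lines says SDS is now assumed. Please state that prerequisite in the task; otherwise a reader whose workloads use the `istio.sleep` and `istio.httpbin` secrets may redeploy with certificates still issued under `old-td`, and the request results that follow will not match what the page describes.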
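Review bot: In the cleanup hunk at `@@ -201,8 +165,8 @@`, the unchanged last command still passes `-f td-installation.yaml`, but after this patch that file is written only in the trust domain aliases step (the `@@ -157,14 +124,11 @@` hunk), since both earlier installs now use `--set`. A reader who stops before the aliases step has no such file and the `istioctl manifest generate ... | kubectl delete -f -` pipeline fails. Suggest noting that dependency in the cleanup section or using a cleanup command that does not need the file. The `k` to `kubectl` correction on the two delete lines looks right.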
/accept
Thank you @SataQiu, this issue has been assigned to you.