From af3ae84f93b889c13459811deaa09a0d211a5d75 Mon Sep 17 00:00:00 2001 From: William Gabor Date: Fri, 11 Jul 2025 09:43:43 -0400 Subject: [PATCH] OCPBUGS-57841 updated several modules --- .../cert-manager-istio-creating-issuer.adoc | 15 +++------- .../cert-manager-istio-csr-installing.adoc | 29 ++++++++++++------- .../cert-manager-istio-csr-uninstalling.adoc | 2 +- 3 files changed, 23 insertions(+), 23 deletions(-) diff --git a/modules/cert-manager-istio-creating-issuer.adoc b/modules/cert-manager-istio-creating-issuer.adoc index e94861d2237b..d7a7f57265d6 100644 --- a/modules/cert-manager-istio-creating-issuer.adoc +++ b/modules/cert-manager-istio-creating-issuer.adoc @@ -15,13 +15,6 @@ Other supported issuers can be used, except for the ACME issuer, which is not su .Procedure -. Create a new project for installing Istio-CSR by running the following command. If you have an existing project for installing Istio-CSR, skip this step. -+ -[source,terminal] ----- -$ oc new-project ----- - . Create a YAML file that defines the `Issuer` and `Certificate` objects: + .Example `issuer.yaml` file @@ -31,7 +24,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer <1> metadata: name: selfsigned - namespace: <2> + namespace: <2> spec: selfSigned: {} --- @@ -39,7 +32,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: istio-ca - namespace: + namespace: spec: isCA: true duration: 87600h # 10 years @@ -61,7 +54,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer <1> metadata: name: istio-ca - namespace: <2> + namespace: <2> spec: ca: secretName: istio-ca @@ -75,7 +68,7 @@ spec: + [source,terminal] ---- -$ oc get issuer istio-ca -n +$ oc get issuer istio-ca -n ---- + .Example output diff --git a/modules/cert-manager-istio-csr-installing.adoc b/modules/cert-manager-istio-csr-installing.adoc index c82a3a210814..b57d89f4e56c 100644 --- a/modules/cert-manager-istio-csr-installing.adoc +++ b/modules/cert-manager-istio-csr-installing.adoc @@ -16,26 +16,33 @@ Use this procedure to install the Istio-CSR agent through {cert-manager-operator + [NOTE] ==== -If you are using `Issuer` resource, create the `Issuer` and `Certificate` resources in the {SMProductName} or `Istiod` namespace. Certificate requests are generated in the same namespace, and role-based access control (RBAC) is configured accordingly. -==== +If you are using `Issuer` resource, create the `Issuer` and `Certificate` resources in the {SMProductName} or `Istiod` namespace. Certificate requests are generated in the same namespace, and role-based access control (RBAC) is configured accordingly. +==== .Procedure +. Create a new project for installing Istio-CSR by running the following command. If you have an existing project for installing Istio-CSR, skip this step. ++ +[source,terminal] +---- +$ oc new-project +---- + . Create the `IstioCSR` custom resource to enable Istio-CSR agent managed by the {cert-manager-operator} for processing Istio workload and control plane certificate signing requests. + -[NOTE] -==== -Only one `IstioCSR` custom resource (CR) is supported at a time. If multiple `IstioCSR` CRs are created, only one will be active. Use the `status` sub-resource of `IstioCSR` to check if a resource is unprocessed. +[NOTE] +==== +Only one `IstioCSR` custom resource (CR) is supported at a time. If multiple `IstioCSR` CRs are created, only one will be active. Use the `status` sub-resource of `IstioCSR` to check if a resource is unprocessed. -* If multiple `IstioCSR` CRs are created simultaneously, none will be processed. -* If multiple `IstioCSR` CRs are created sequentially, only the first one will be processed. +* If multiple `IstioCSR` CRs are created simultaneously, none will be processed. +* If multiple `IstioCSR` CRs are created sequentially, only the first one will be processed. * To prevent new requests from being rejected, delete any unprocessed `IstioCSR` CRs. -* The Operator does not automatically remove objects created for `IstioCSR`. If an active `IstioCSR` resource is deleted and a new one is created in a different namespace without removing the previous deployments, multiple `istio-csr` deployments may remain active. This behavior is not recommended and is not supported. -==== +* The Operator does not automatically remove objects created for `IstioCSR`. If an active `IstioCSR` resource is deleted and a new one is created in a different namespace without removing the previous deployments, multiple `istio-csr` deployments may remain active. This behavior is not recommended and is not supported. +==== .. Create a YAML file that defines the `IstioCSR` object: + -.Example `IstioCSR` CR +.Example `IstioCSR` CR [source,yaml] ---- apiVersion: operator.openshift.io/v1alpha1 @@ -53,7 +60,7 @@ spec: istiodTLSConfig: trustDomain: cluster.local istio: - namespace: istio-system + namespace: ---- <1> Specify the `Issuer` or `ClusterIssuer` name. It should be the same name as the CA issuer defined in the `issuer.yaml` file. <2> Specify the `Issuer` or `ClusterIssuer` kind. It should be the same kind as the CA issuer defined in the `issuer.yaml` file. diff --git a/modules/cert-manager-istio-csr-uninstalling.adoc b/modules/cert-manager-istio-csr-uninstalling.adoc index 440fc3763bbd..c22a113a5aca 100644 --- a/modules/cert-manager-istio-csr-uninstalling.adoc +++ b/modules/cert-manager-istio-csr-uninstalling.adoc @@ -20,7 +20,7 @@ Use this procedure to uninstall the Istio-CSR agent managed by {cert-manager-ope + [source,terminal] ---- -$ oc -n delete istiocsrs.operator.openshift.io default +$ oc -n delete istiocsrs.operator.openshift.io default ---- . Remove related resources: