OCPBUGS-57841 updated two istio modules #95996

Open
wants to merge 1 commit into
base: main
18 changes: 9 additions & 9 deletions modules/cert-manager-istio-creating-issuer.adoc
Expand Up @@ -16,11 +16,11 @@ Other supported issuers can be used, except for the ACME issuer, which is not su
.Procedure

. Create a new project for installing Istio-CSR by running the following command. If you have an existing project for installing Istio-CSR, skip this step.
+
[source,terminal]
----
$ oc new-project <istio_csr_project_name>
----
+
[source,terminal]
----
$ oc new-project <istio_csr_project_name>
----

. Create a YAML file that defines the `Issuer` and `Certificate` objects:
+
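Review bot: Step 1 still creates `<istio_csr_project_name>` with `oc new-project`, but the later hunks in this file move the `Issuer`, the `Certificate` and the verification command to `<istio_project_name>`, so the procedure no longer says where that second project comes from or what the first one is used for. Add a sentence to this step stating that the issuer objects go into the existing Istio project, or explain why the Istio-CSR project is still created here. As rendered, the changed lines in this hunk differ only in indentation, so confirm the `+` continuation still attaches the `[source,terminal]` block to the list item.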
Expand All @@ -31,15 +31,15 @@ apiVersion: cert-manager.io/v1
kind: Issuer <1>
metadata:
name: selfsigned
namespace: <istio_csr_project_name> <2>
namespace: <istio_project_name> <2>
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: istio-ca
namespace: <istio_csr_project_name>
namespace: <istio_project_name>
spec:
isCA: true
duration: 87600h # 10 years
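Review bot: The `namespace` placeholder changes meaning on both the `selfsigned` Issuer and the `istio-ca` Certificate, but the text for callout `<2>` is outside this hunk and may still describe the Istio-CSR project. Check that the callout now tells the reader to use the Istio project. Because this Certificate is `isCA: true` with `duration: 87600h`, it is also worth stating that cert-manager writes the CA secret into the Certificate's namespace, so readers know which project's secret access to restrict.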
Expand All @@ -61,7 +61,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer <1>
metadata:
name: istio-ca
namespace: <istio_csr_project_name> <2>
namespace: <istio_project_name> <2>
spec:
ca:
secretName: istio-ca
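Review bot: This `Issuer` signs with `secretName: istio-ca`, and a namespaced `Issuer` looks for that secret only in its own namespace, so the `namespace` value here has to be identical to the one on the `istio-ca` Certificate in the previous manifest. The two placeholders now match, but nothing in the visible text says they must. A short sentence or callout to that effect would keep readers from substituting different projects in the two manifests.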
Expand All @@ -75,7 +75,7 @@ spec:
+
[source,terminal]
----
$ oc get issuer istio-ca -n <istio_csr_project_name>
$ oc get issuer istio-ca -n <istio_project_name>
----
+
.Example output
22 changes: 11 additions & 11 deletions modules/cert-manager-istio-csr-installing.adoc
Expand Up @@ -16,26 +16,26 @@ Use this procedure to install the Istio-CSR agent through {cert-manager-operator
+
[NOTE]
====
If you are using `Issuer` resource, create the `Issuer` and `Certificate` resources in the {SMProductName} or `Istiod` namespace. Certificate requests are generated in the same namespace, and role-based access control (RBAC) is configured accordingly.
====
If you are using `Issuer` resource, create the `Issuer` and `Certificate` resources in the {SMProductName} or `Istiod` namespace. Certificate requests are generated in the same namespace, and role-based access control (RBAC) is configured accordingly.
====

.Procedure

. Create the `IstioCSR` custom resource to enable Istio-CSR agent managed by the {cert-manager-operator} for processing Istio workload and control plane certificate signing requests.
+
[NOTE]
====
Only one `IstioCSR` custom resource (CR) is supported at a time. If multiple `IstioCSR` CRs are created, only one will be active. Use the `status` sub-resource of `IstioCSR` to check if a resource is unprocessed.
[NOTE]
====
Only one `IstioCSR` custom resource (CR) is supported at a time. If multiple `IstioCSR` CRs are created, only one will be active. Use the `status` sub-resource of `IstioCSR` to check if a resource is unprocessed.

* If multiple `IstioCSR` CRs are created simultaneously, none will be processed.
* If multiple `IstioCSR` CRs are created sequentially, only the first one will be processed.
* If multiple `IstioCSR` CRs are created simultaneously, none will be processed.
* If multiple `IstioCSR` CRs are created sequentially, only the first one will be processed.
* To prevent new requests from being rejected, delete any unprocessed `IstioCSR` CRs.
* The Operator does not automatically remove objects created for `IstioCSR`. If an active `IstioCSR` resource is deleted and a new one is created in a different namespace without removing the previous deployments, multiple `istio-csr` deployments may remain active. This behavior is not recommended and is not supported.
====
* The Operator does not automatically remove objects created for `IstioCSR`. If an active `IstioCSR` resource is deleted and a new one is created in a different namespace without removing the previous deployments, multiple `istio-csr` deployments may remain active. This behavior is not recommended and is not supported.
====

.. Create a YAML file that defines the `IstioCSR` object:
+
.Example `IstioCSR` CR
.Example `IstioCSR` CR
[source,yaml]
----
apiVersion: operator.openshift.io/v1alpha1
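Review bot: In the `IstioCSR` NOTE, the sentence "If multiple `IstioCSR` CRs are created, only one will be active" conflicts with the first bullet, which says that none are processed when they are created simultaneously. Since these lines are being touched anyway, reword the lead sentence so it does not promise an active CR in every case, and change "If you are using `Issuer` resource" in the first NOTE to "If you are using an `Issuer` resource". As rendered, the edits in this hunk are indentation only.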
Expand All @@ -53,7 +53,7 @@ spec:
istiodTLSConfig:
trustDomain: cluster.local
istio:
namespace: istio-system
namespace: <istio_project_name>
----
<1> Specify the `Issuer` or `ClusterIssuer` name. It should be the same name as the CA issuer defined in the `issuer.yaml` file.
<2> Specify the `Issuer` or `ClusterIssuer` kind. It should be the same kind as the CA issuer defined in the `issuer.yaml` file.
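Review bot: The `istio.namespace` value changes from the literal `istio-system` to `<istio_project_name>`, but the visible callouts `<1>` and `<2>` cover only the issuer name and kind, so nothing near the example explains the new placeholder. Add a callout on that line stating that it is the project where the Istio control plane runs and that it must match the namespace in which the `Issuer` from `issuer.yaml` was created, as the NOTE at the top of this module requires.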