api icon indicating copy to clipboard operation
api copied to clipboard
verified publisher icon istio

Issue with docs/reference/config/networking/gateway/index.html

Open farcaller opened this issue 4 years ago • 2 comments

ServerTLSSettings.credentialName states:

For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. Applicable only on Kubernetes. The secret (of type generic) should contain the following keys and values: key: <privateKey> and cert: <serverCert>. For mutual TLS, cacert: <CACertificate> can be provided in the same secret or a separate secret named -cacert. Secret of type tls for server certificates along with ca.crt key for CA certificates is also supported. Only one of server certificates and CA certificate or credentialName can be specified.

It seems that the keys aren't correct (or are partially incorrect), as istio will ingest keys tls.crt / tls.key for a secret of type kubernetes.io/tls.

This documentation is also missing a crucial point that the secret referenced in credentialName must reside in the same namespace as the ingress gateway.

farcaller avatar Feb 19 '21 11:02 farcaller

I expect the snippet you are referring to come from here:

https://github.com/istio/api/blob/master/networking/v1alpha3/gateway.pb.html#L771. for preliminary.istio.io and from the release-9 branch for istio.io.

I'll transfer this issue to the api repo.

ericvn avatar Feb 19 '21 14:02 ericvn

"Secret of type tls for server certificates along with ca.crt key for CA certificates is also supported." is intending to cover this. It should probably say

"Secret of type kubernetes.io/tls, with keys tls.crt and tls.key for server certificates, along with ca.crt key for CA certificates is also supported."

howardjohn avatar Feb 19 '21 16:02 howardjohn

This has been updated at some point to include this

howardjohn avatar May 14 '24 22:05 howardjohn