
mTLS secret generation docs incorrect

Open shmargum opened this issue 3 years ago • 1 comments

TLS secret generation docs appear to be incorrect, link: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-mutual-tls-ingress-gateway

The listed key formats seem to work and are correct:

  • A TLS Secret with keys tls.key and tls.crt, as described above. For mutual TLS, a ca.crt key can be used.
  • A generic Secret with keys key and cert. For mutual TLS, a cacert key can be used.

The examples given are incorrect:

  • kubectl create -n istio-system secret tls httpbin-credential --key=httpbin.example.com.key --cert=httpbin.example.com.crt
  • kubectl create -n istio-system secret generic httpbin-credential --from-file=tls.key=httpbin.example.com.key --from-file=tls.crt=httpbin.example.com.crt --from-file=ca.crt=example.com.crt

The correct command for a generic secret would be:

  • kubectl create -n istio-system secret generic httpbin-credential --from-file=key=httpbin.example.com.key --from-file=cert=httpbin.example.com.crt --from-file=cacert=example.com.crt

I have not tested TLS type secrets, but the docs definitely provide conflicting info.

shmargum avatar Jan 06 '22 21:01 shmargum

Agree the doc is wrong - the type of the secret doesn't matter, only the keys

howardjohn avatar Jan 14 '22 04:01 howardjohn
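
An added example, not part of the issue thread or Istio's own tooling: a POSIX shell function that classifies a Secret's data key names against the two name sets quoted from the docs above, independent of the Secret's type. The function name `classify_credential_keys` is hypothetical, and treating those two sets as the only recognised ones is an assumption taken from the quoted doc text.

```shell
#!/bin/sh
# Added example: check a Secret's data key names against the two name sets
# quoted in the issue (tls.key/tls.crt[/ca.crt] and key/cert[/cacert]).
# Assumption: these two sets are the only recognised ones.
#
# Live use (assumes kubectl and jq are installed):
#   classify_credential_keys $(kubectl get secret httpbin-credential \
#       -n istio-system -o json | jq -r '.data | keys[]')

classify_credential_keys() {
    tls_key=0 tls_crt=0 ca_crt=0 key=0 cert=0 cacert=0
    for name in "$@"; do
        case "$name" in
            tls.key) tls_key=1 ;;
            tls.crt) tls_crt=1 ;;
            ca.crt)  ca_crt=1 ;;
            key)     key=1 ;;
            cert)    cert=1 ;;
            cacert)  cacert=1 ;;
            *)       echo "ignored key name: $name" >&2 ;;
        esac
    done
    tls_set=$((tls_key + tls_crt + ca_crt))
    gen_set=$((key + cert + cacert))

    # Names from both sets in one Secret are ambiguous: flag, do not guess.
    if [ "$tls_set" -gt 0 ] && [ "$gen_set" -gt 0 ]; then
        echo "mixed: names from both sets present"; return 1
    fi
    if [ "$tls_key" -eq 1 ] && [ "$tls_crt" -eq 1 ]; then
        [ "$ca_crt" -eq 1 ] && echo "tls-names: mutual" || echo "tls-names: simple"
        return 0
    fi
    if [ "$key" -eq 1 ] && [ "$cert" -eq 1 ]; then
        [ "$cacert" -eq 1 ] && echo "generic-names: mutual" || echo "generic-names: simple"
        return 0
    fi
    echo "incomplete: need tls.key+tls.crt or key+cert"; return 1
}

# Constructed inputs: the key names the three commands in the issue produce.
classify_credential_keys tls.key tls.crt          # kubectl create secret tls
classify_credential_keys tls.key tls.crt ca.crt   # generic, tls.* names
classify_credential_keys key cert cacert          # generic, key/cert/cacert
```

A result ending in `simple` on a gateway meant for mutual TLS means the Secret carries no CA certificate key under either name set.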