[enterprise-4.6] Issue in file service_mesh/v2x/ossm-security.adoc

[nicop311]

Hi, there might be a wrong path for the location of the certificates when "Adding an external certificate authority key and certificate".

Suggestion: Replace /etc/certs/root-cert.pem by /var/run/secrets/istio/root-cert.pem in the doc.

Which section(s) is the issue in?

• Direct link
• Path : Documentation > OpenShift Container Platform > [4.6] > Service Mesh > Service Mesh 2.x > Security > Adding an external certificate authority key and certificate > Verifying your certificates

What needs fixing?

The path of the volume where the root-cert.pem certificate is stored on the istio-proxy containers of the Bookinfo application seems to be wrong.

In the doc (as of 2020-11-24), we can see that the path is /etc/certs/root-cert.pem. However in my OpenShift 4.6 testbed, the path is /var/run/secrets/istio/root-cert.pem.

The path /var/run/secrets/istio/root-cert.pem is configured in the following file: on a istio-proxy (envoy) container /etc/istio/proxy/envoy-rev0.json.

$ more /etc/istio/proxy/envoy-rev0.json

[...]
              "validation_context": {
                "trusted_ca": {
                  "filename": "./var/run/secrets/istio/root-cert.pem"
                },
                "match_subject_alt_names": [{"exact":"istiod-full-install.istio-system.svc"}]
              }
[...]

My testbed software version

Red Hat OpenShift

$ oc version

# result
Client Version: 4.6.4
Server Version: 4.6.4
Kubernetes Version: v1.19.0+9f84db3

Red Hat Service Mesh, Maistra

$ oc get operator servicemeshoperator.openshift-operators -o yaml
[...]
servicemeshoperator.v2.0.0.2
[...]

Bookinfo: I take the example from Maistra Github, with no modification.

git clone https://github.com/maistra/istio.git
cd istio

git branch

# result
* [maistra-2](https://issues.redhat.com/browse/maistra-2).0

oc apply -f istio/samples/bookinfo/platform/kube/bookinfo.yaml
[...]etc....[...]

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[jeana-redhat]

Hi @nicop311 - does this apply to 4.6 only, or to subsequent versions as well?

[JStickler]

@jeana-redhat, there were quite a few changes in 4.6, but it should be the same for subsequent versions.

[jeana-redhat]

thanks, Julie!