Fix auth installation and its references. #5482
Conversation
| @@ -49,8 +49,7 @@ This approach has the following benefits: | |||
|
|
|||
| ## Before you begin | |||
|
|
|||
| * Follow the [install instructions](/docs/setup/install/istioctl/) | |||
| to set up Istio with SDS and global mutual TLS enabled. | |||
| Follow the [Istio installation guide](/docs/setup/install/helm/) to set up Istio with SDS and global mutual TLS enabled. | |||
There was a problem hiding this comment.
Can't we do this with istioctl?
There was a problem hiding this comment.
Yes, I need to test it. I will update to istioctl once I verified it's working.
There was a problem hiding this comment.
It's still not working. We will update this when we have fixed it.
| @@ -130,7 +130,18 @@ $ helm template install/kubernetes/helm/istio --name istio --namespace istio-sys | |||
|
|
|||
| {{< /tab >}} | |||
|
|
|||
| {{< tab name="sds" cookie-value="sds" >}} | |||
| {{< tab name="mTLS enabled" cookie-value="mtls" >}} | |||
There was a problem hiding this comment.
| {{< tab name="mTLS enabled" cookie-value="mtls" >}} | |
| {{< tab name="demo mTLS" cookie-value="mtls" >}} |
There was a problem hiding this comment.
Frank, let's not call it "demo" since we have decided to not have two demos :)
There was a problem hiding this comment.
The instruction says to choose a configuration profile (https://deploy-preview-5482--preliminary-istio.netlify.com/docs/setup/additional-setup/config-profiles/), so you can't just say "Mutual TLS" on the label, since there's no such profile.
Currently your tab is installing the demo profile with mTLS enabled. If you don't want to label it as such, then I suggest changing the contents of that tab to say that you can turn on mTLS for any configuration profile and explain what options the user needs to set and then give the instruction as just an example. Take a look at the CNI tab, it is written that way.
I would also change the SDS tab back to just sds, like it was before, because the configuration profiles already says that the sds profile turns on mutual TLS.
I would also suggest putting the Mutual TLS tab second last, after sds but before CNI, so the first 4 are straight profile selections, while the last 2 are how to turn on a special feature with any profile.
|
|
||
| {{< /tab >}} | ||
|
|
||
| {{< tab name="mTLS (SDS) enabled" cookie-value="sds" >}} |
There was a problem hiding this comment.
| {{< tab name="mTLS (SDS) enabled" cookie-value="sds" >}} | |
| {{< tab name="sds mTLS" cookie-value="sds" >}} |
| @@ -225,7 +236,18 @@ $ helm install install/kubernetes/helm/istio --name istio --namespace istio-syst | |||
|
|
|||
| {{< /tab >}} | |||
|
|
|||
| {{< tab name="sds" cookie-value="sds" >}} | |||
| {{< tab name="mTLS enabled" cookie-value="mtls" >}} | |||
There was a problem hiding this comment.
| {{< tab name="mTLS enabled" cookie-value="mtls" >}} | |
| {{< tab name="demo mTLS" cookie-value="mtls" >}} |
|
|
||
| {{< /tab >}} | ||
|
|
||
| {{< tab name="mTLS (SDS) enabled" cookie-value="sds" >}} |
There was a problem hiding this comment.
| {{< tab name="mTLS (SDS) enabled" cookie-value="sds" >}} | |
| {{< tab name="sds mTLS" cookie-value="sds" >}} |
| @@ -304,7 +326,18 @@ $ kubectl delete namespace istio-system | |||
|
|
|||
| {{< /tab >}} | |||
|
|
|||
| {{< tab name="sds" cookie-value="sds" >}} | |||
| {{< tab name="mTLS enabled" cookie-value="mtls" >}} | |||
There was a problem hiding this comment.
| {{< tab name="mTLS enabled" cookie-value="mtls" >}} | |
| {{< tab name="demo mTLS" cookie-value="mtls" >}} |
|
|
||
| {{< /tab >}} | ||
|
|
||
| {{< tab name="mTLS (SDS) enabled" cookie-value="sds" >}} |
There was a problem hiding this comment.
| {{< tab name="mTLS (SDS) enabled" cookie-value="sds" >}} | |
| {{< tab name="sds mTLS" cookie-value="sds" >}} |
|
@geeknoid, I think it's OK to use |
Fix according to the feedback. Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
|
Talked with @geeknoid, mTLS is not straight-forward for average readers. I agree we should use "Mutual TLS" here. |
In previous PRs, we removed "demo-auth" from the installation guide, but we didn't add general auth enablement instructions, so users won't be able to learn how to enable auth from the installation page. Also the security tasks are referring to the installation page which is missing the security enablement instructions. This PR fixes these issues.