Setting pilot.jwksResolverExtraRootCA in IstioOperator

Hi everybody,

I need to set a CA certificate in jwksResolverExtraRootCA.

I’d really like to do it via IstioOperator because I install using istioctl and have different customizations to the default profile.

I’ve tried with:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  meshConfig:
    accessLogEncoding: TEXT
    accessLogFile: "/dev/stdout"
    accessLogFormat: ""
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  values:
     pilot.jwksResolverExtraRootCA: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        ...

But this gives the error:
Unknown field “pilot.jwksResolverExtraRootCA” in v1alpha1.Values

Is the jwksResolverExtraRootCA available in IstioOperator (now that Helm is being deprecated)?

Best regards
Jesper

I think you’re using the wrong syntax, try the following:

  values:
     pilot:
       jwksResolverExtraRootCA: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

Thanks for a quick reply… and of course, you are right!
It works now.

Best regards
Jesper

The solution seem to pertain to editing the values file in the helm chart. Is it possible to set this via the operator?

Yes, the example is for the IstioOperator.
Here’s my updated operator:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  meshConfig:
    accessLogEncoding: TEXT
    accessLogFile: "/dev/stdout"
    accessLogFormat: ""
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  values:
    pilot:
      jwksResolverExtraRootCA: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        ...

Hope that helps.