jesper
1
Hi everybody,
I need to set a CA certificate in jwksResolverExtraRootCA.
I’d really like to do it via IstioOperator because I install using istioctl and have different customizations to the default profile.
I’ve tried with:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  meshConfig:
    accessLogEncoding: TEXT
    accessLogFile: "/dev/stdout"
    accessLogFormat: ""
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  values:
    pilot.jwksResolverExtraRootCA: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        ...
But this gives the error:
Unknown field “pilot.jwksResolverExtraRootCA” in v1alpha1.Values
Is the jwksResolverExtraRootCA available in IstioOperator (now that Helm is being deprecated)?
Best regards
Jesper
I think you’re using the wrong syntax, try the following:
values:
  pilot:
    jwksResolverExtraRootCA: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
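An added example, not part of the original thread and not Istio's own tooling: a small Python preflight for the `spec.values` map that catches the dotted-key mistake corrected above and checks that `jwksResolverExtraRootCA` holds a PEM-shaped certificate. The function names and the sample certificate are constructed for illustration, and the operator file is assumed to be already loaded into a dict by a YAML parser.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)
# Constructed sample: a 5-byte DER SEQUENCE in PEM armor, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\n-----END CERTIFICATE-----\n")

def nest_dotted_keys(values):
    """Expand Helm --set style keys ('pilot.x') into nested maps; return (nested, offenders)."""
    # Only top-level keys are examined: deeper maps (annotations, labels) may contain dots.
    out, dotted = {}, []
    for key, val in values.items():
        parts = key.split(".")
        if len(parts) > 1:
            dotted.append(key)
        node = out
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        if isinstance(val, dict):
            node.setdefault(parts[-1], {}).update(val)
        else:
            node[parts[-1]] = val
    return out, dotted

def pem_cert_count(text):
    """Count PEM blocks whose body is valid base64 starting with a DER SEQUENCE tag (shape only)."""
    count = 0
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # e.g. a literal "..." placeholder left in the file
        count += der[:1] == b"\x30"
    return count

def preflight(values):
    """Return (nested values, problems) for the spec.values map of an IstioOperator."""
    nested, dotted = nest_dotted_keys(values)
    problems = [f"dotted key {k!r}: nest it as a map under values" for k in dotted]
    pem = nested.get("pilot", {}).get("jwksResolverExtraRootCA")
    if pem is None:
        problems.append("values.pilot.jwksResolverExtraRootCA is not set")
    elif pem_cert_count(pem) == 0:
        problems.append("jwksResolverExtraRootCA holds no decodable PEM certificate")
    return nested, problems
```

The certificate check is a shape check only; it does not parse X.509 or verify that the CA actually signs the JWKS endpoint's chain.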
jesper
3
Thanks for a quick reply… and of course, you are right!
It works now.
Best regards
Jesper
The solution seems to pertain to editing the values file in the Helm chart. Is it possible to set this via the operator?
jesper
5
Yes, the example is for the IstioOperator.
Here’s my updated operator:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  meshConfig:
    accessLogEncoding: TEXT
    accessLogFile: "/dev/stdout"
    accessLogFormat: ""
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  values:
    pilot:
      jwksResolverExtraRootCA: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        ...
Hope that helps.
Does it still work with istioctl 1.19.1? I’m having a really hard time pushing an internet proxy certificate for JWT.
Regards,
A
Anyone? Please? This works with Helm but I do not want to change the deployment method with istioctl for this.