diff --git a/content/en/docs/Features/istio-component-status.md b/content/en/docs/Features/istio-component-status.md index d9ce35710..89ce416d0 100644 --- a/content/en/docs/Features/istio-component-status.md +++ b/content/en/docs/Features/istio-component-status.md 
@@ -50,56 +50,4 @@ When you click on the cluster data plane, you can check the basic information of When you click on the "prometheus", "grafana" or "jaeger" node, , its health status, version, and configuration values are displayed: -![Add-on information](/images/documentation/features/istio-status-mesh-add-on.png "Add-on information") - -## Certificate Information Indicators - -In some situations, it is useful to get information about the certificates used by internal mTLS, for example: - -* Know whether the default CA is used or if there is another CA configured. -* Check the certificates issuer and their validity timestamps to troubleshoot any issue with certificates. - -The certificates shown depends on how Istio is configured. The following cases are possible: - -* Using Istio CA certificates (default), the information shown is from a secret named *istio-ca-secret*. -* Using [Plug in CA certificates](https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/), the information shown is from a secret named *cacerts*. -* Using [DNS certificates](https://istio.io/latest/docs/ops/integrations/certmanager/), the information shown is from reading many secrets found in Istio configuration. - -The following is an example of viewing the default case: - -![Certificates information](/images/documentation/features/istio-status-certificate-info-indicators.png "Certificates information") - -Note that displaying this configuration requires permissions to read secrets (*istio-ca-secret* by default, possibly *cacerts* or any secret configured when using DNS certificates). - -Having these permissions may concern users. For this reason, this feature is implemented as a feature flag and not only can be disabled, avoiding any extra permissions to read secrets, but also a list of secrets can be configured to explicitly grant read permissions for some secrets in the control plane namespace. 
By default, this feature is enabled with a Kiali CR configuration equivalent to the following: - -```yaml -spec: - kiali_feature_flags: - certificates_information_indicators: - enabled: true - secrets: - - cacerts - - istio-ca-secret -``` - -You can extend this default configuration with additional secrets, remove secrets you don't want, or disable the feature. - -If you add additional secrets, the Kiali operator _also_ needs the same privileges in order to configure Kiali successfully. If you used the [Helm Charts]({{< ref "/docs/installation/installation-guide/install-with-helm" >}}) to install the operator, specify the `secretReader` value with the required secrets: - -``` -$ helm install \ - --namespace kiali-operator \ - --create-namespace \ - --set "secretReader={cacerts,istio-ca-secret}" - kiali-operator \ - kiali/kiali-operator -``` - -If you installed the operator via the [OperatorHub]({{< ref "/docs/installation/installation-guide/installing-with-operatorhub" >}}) you need to update the operator privileges as a post-installation step, as follows: - -``` -$ kubectl patch $(kubectl get clusterroles -o name | grep kiali-operator) --type "json" -p '[{"op":"add","path":"/rules/0","value":{"apiGroups":[""],"resources":["secrets"],"verbs":["get"],"resourceNames":["secret-name-to-be-read"]}}]' -``` - -Replace `secret-name-to-be-read` with the secret name you want the operator to read and restart the Kiali operator pod after running the previous command. +![Add-on information](/images/documentation/features/istio-status-mesh-add-on.png "Add-on information") \ No newline at end of file
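Review bot: this hunk deletes the entire "Certificate Information Indicators" section without a replacement or a pointer to where the content now lives, and that section is the only place in this file that documents the `kiali_feature_flags.certificates_information_indicators` flag, the Helm `secretReader` value, and the ClusterRole patch that grants the operator `get` on named secrets. Because those settings control whether Kiali and its operator may read `istio-ca-secret` and `cacerts`, users who relied on this page to disable the flag or narrow the `secrets` list lose the only documented way to do so; if the feature was removed, the commit should say so and the page should carry a short note to that effect, and if it was merely relocated, keep a one-line reference such as "Certificate information indicators are documented under ..." in place of the removed heading. Two smaller points in the same hunk: the context line "node, , its health status" carries a doubled comma that could be fixed while this file is being edited, and the re-added final image line drops the trailing newline (`\ No newline at end of file`), which is worth restoring for consistency with the rest of the docs.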