istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/pilot-load-dns-cert-known-location-deprecate-flags.yaml

apiVersion: release-notes/v2

# This YAML file describes the format for specifying a release notes entry for Istio.
# This should be filled in for all user facing changes.

# kind describes the type of change that this represents.
# Valid Values are:
# - bug-fix -- Used to specify that this change represents a bug fix.
# - security-fix -- Used to specify that this change represents a vulnerability fix.
# - feature -- Used to specify a new feature that has been added.
# - test -- Used to describe additional testing added. This file is optional for
#   tests, but included for completeness.
kind: feature
# area describes the area that this change affects.
# Valid values are:
# - traffic-management
# - security
# - telemetry
# - installation
# - istioctl
# - documentation
area: security

# issue is a list of GitHub issues resolved in this note.
# If issue is not in the current repo, specify its full URL instead.
issue:
  - 36916


# releaseNotes is a markdown listing of any user facing changes. This will appear in the
# release notes.
releaseNotes:
- |
  **Improved** Pilot will now load its DNS serving certificate from well-known locations:
  ```
  /var/run/secrets/istiod/tls/tls.crt
  /var/run/secrets/istiod/tls/tls.key
  /var/run/secrets/istiod/ca/root-cert.pem
  ```
  The CA path will alternatively be loaded from: `/var/run/secrets/tls/ca.crt`
  It also automatically loads any secret called `istiod-tls` and the `istio-root-ca-configmap` into those paths.
  Using these well-known paths is preferred over setting the TLS args.
  This will allow for an easier installation process for istio-csr as well as any other external issuer that needs to modify
  the Pilot DNS serving certificate.