Update documentation for cronjob removal and Istio CA certificate plugin.

deveshdama · deveshdama · commit a0e332adc4ab · 2025-01-10T20:08:46.000Z
diff --git a/support/azure/azure-kubernetes/extensions/istio-add-on-plug-in-ca-certificate.md b/support/azure/azure-kubernetes/extensions/istio-add-on-plug-in-ca-certificate.md
@@ -42,7 +42,7 @@ This article discusses common troubleshooting issues with the Istio add-on plug-
 
 - For the cluster to auto-detect changes in the Azure Key Vault secrets, you have to enable [auto-rotation](/azure/aks/csi-secrets-store-configuration-options#enable-and-disable-auto-rotation) for the Azure Key Vault secrets provider add-on.
 
-- Although changes to the intermediate certificate are applied automatically, changes to the root certificate are only picked up by the control plane after the `istiod` deployment is restarted by a cronjob that the add-on deploys, as explained in the [Deployed resources](#deployed-resources) section. This cronjob runs at a 10-minute interval.
+- Changes to the root and intermediate certificates are applied automatically.
 
 ## Enable the Istio add-on to use a plug-in CA certificate
 
@@ -118,35 +118,6 @@ As part of the add-on deployment for the plug-in certificates feature, the follo
   -----END CERTIFICATE-----
   ```
 
-- The `istio-cert-validator-cronjob-asm-1-21` [cronjob object](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/) is created in the `aks-istio-system` namespace. This cronjob is scheduled to run every 10 minutes to check for updates on the root certificate. If the root certificate that's in the `cacerts` Kubernetes secret doesn't match the `istio-ca-root-cert` configmap in the `aks-istio-system` namespace, it restarts the `istiod-asm-1-21` deployment:
-
-  ```bash
-  kubectl get cronjob --namespace aks-istio-system
-  ```
-
-  ```output
-  NAME                                    SCHEDULE       SUSPEND   ACTIVE
-  istio-cert-validator-cronjob-asm-1-21   */10 * * * *   False     0     
-  ```
-
-  You can run the following command to check the cronjob logs for the last run:
-
-  ```bash
-  kubectl logs --namespace aks-istio-system $(kubectl get pods --namespace aks-istio-system | grep 'istio-cert-validator-cronjob-' | sort -k8 | tail -n 1 | awk '{print $1}')
-  ```
-
-  This command generates one of the following output messages, depending on whether a root certificate update was detected:
-
-  ```output
-  Root certificate update not detected.
-  ```
-
-  ```output
-  Root certificate update detected. Restarting deployment...
-  deployment.apps/istiod-asm-1-21 restarted
-  Deployment istiod-asm-1-21 restarted.
-  ```
-
 ## Determine certificate type in deployment logs
 
 You can view the `istiod` deployment logs to determine whether you have a self-signed CA certificate or a plug-in CA certificate. To view the logs, run the following command:
