Details
Bug
Resolution: Done
Major
maistra-2.1.0
Description
Currently the operator does not handle deletion of the cacerts secret in the control plane namespace, leaving the mutating webhook with an invalid/outdated caBundle.
- Deploy the operator and a control plane.
- Observe that the operator correctly sets the webhook caBundle to the one in the pre-installed "istio-ca-secret" in the control plane namespace. Both commands below should have the same output:
    oc get mutatingwebhookconfiguration istiod-basic-istio-system -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d
    oc -n istio-system get secrets istio-ca-secret -o jsonpath='{.data.ca-cert\.pem}' | base64 -d
- Create a "cacerts" secret in the control plane namespace:
    cd <path/to/istio>/samples/certs
    oc -n istio-system create secret generic cacerts --from-file=ca-cert.pem --from-file=ca-key.pem --from-file=root-cert.pem --from-file=cert-chain.pem
- Observe that the operator correctly sets the webhook caBundle to the one present in the cacerts secret. Both commands below should have the same output:
    oc get mutatingwebhookconfiguration istiod-basic-istio-system -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d
    oc -n istio-system get secrets cacerts -o jsonpath='{.data.ca-cert\.pem}' | base64 -d
- Now delete this cacerts secret:
    oc -n istio-system delete secret cacerts
- Observe that the operator does not react to this change.
- Observe that the webhook still uses the old/invalid caBundle.
It should react and update the webhook caBundle to use the certs present in the default "istio-ca-secret", as it was before the creation of the cacerts secret.
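The expectation above, turned into a check that can be run after each step of the reproduction (added here as an example; it is not part of this issue or of the Maistra operator). It assumes the oc CLI and the names used in the report; NS, WEBHOOK and RUN_CHECK are assumed variables.

```shell
#!/bin/sh
# Added example (not from the issue or the Maistra operator): verify that the istiod
# webhook caBundle is the ca-cert.pem of the secret the operator should be using now,
# i.e. cacerts while it exists and istio-ca-secret once it is deleted. Assumes the oc
# CLI and the names from the report; NS and WEBHOOK are assumed defaults.
set -eu
NS="${NS:-istio-system}"
WEBHOOK="${WEBHOOK:-istiod-basic-istio-system}"

# Strip trailing whitespace and blank lines so a missing final newline does not
# turn two identical PEMs into a false mismatch.
normalize_pem() {
  printf '%s' "$1" | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# 0 when both PEM strings carry the same certificate text, 1 otherwise.
pem_equal() {
  [ "$(normalize_pem "$1")" = "$(normalize_pem "$2")" ]
}

# The user-supplied cacerts wins while present; after its deletion the operator
# must fall back to the pre-installed istio-ca-secret.
expected_secret() {
  if oc -n "$NS" get secret cacerts >/dev/null 2>&1; then echo cacerts
  else echo istio-ca-secret; fi
}

webhook_ca() {
  oc get mutatingwebhookconfiguration "$WEBHOOK" \
    -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d
}

secret_ca() {
  oc -n "$NS" get secret "$1" -o jsonpath='{.data.ca-cert\.pem}' | base64 -d
}

# Exit 0 if the live bundle matches the expected secret, 1 if it is stale
# (the state this issue describes after `oc delete secret cacerts`).
check_webhook_ca() {
  want="$(expected_secret)"
  if pem_equal "$(webhook_ca)" "$(secret_ca "$want")"; then
    echo "OK: webhook caBundle matches $want/ca-cert.pem"
  else
    echo "STALE: webhook caBundle does not match $want/ca-cert.pem" >&2
    return 1
  fi
}
# Only run the live check when asked, so the helpers can be sourced or tested offline.
if [ "${RUN_CHECK:-}" = "1" ]; then check_webhook_ca; fi
```

Run it with RUN_CHECK=1 against a cluster; with the bug present it reports STALE right after the cacerts secret is deleted.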