- Bug
- Resolution: Done
- Major
- None
- False
- False
- Release Notes
- Undefined
- Sprint 14, OSSM 2.2 - 1, OSSM 2.2 - 2
The Galley pod keeps using the old certificate after the certificate has been renewed; the pod has to be restarted to force it to reload the correct certificate.
The issue is 100% reproducible.
Reproducer:
- Install the Service Mesh operator.
- Deploy a Service Mesh Control Plane with version 1.1 and a short certificate TTL, for example:
apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system-v1
spec:
  version: v1.1
  techPreview:
    security:
      workloadCertTtl: 15m
  tracing:
    type: Jaeger
    sampling: 10000
  addons:
    jaeger:
      name: jaeger
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
      name: kiali
    grafana:
      enabled: true
---
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  members:
  - bookinfo
- Wait for the control plane deployment to finish and for the certificate TTL to elapse.
- Try to deploy the bookinfo example in the mesh; at the step that creates the gateway and the virtual service, the validating webhook call fails because Galley still presents the expired certificate (one error per object in the manifest):
$ oc apply -n bookinfo -f https://raw.githubusercontent.com/Maistra/istio/maistra-2.0/samples/bookinfo/networking/bookinfo-gateway.yaml
Error from server (InternalError): error when creating "https://raw.githubusercontent.com/Maistra/istio/maistra-2.0/samples/bookinfo/networking/bookinfo-gateway.yaml": Internal error occurred: failed calling webhook "pilot.validation.istio.io": Post "https://istio-galley.istio-system-v1.svc:443/admitpilot?timeout=30s": x509: certificate has expired or is not yet valid: current time 2021-07-16T10:12:48Z is after 2021-07-16T08:33:02Z
Error from server (InternalError): error when creating "https://raw.githubusercontent.com/Maistra/istio/maistra-2.0/samples/bookinfo/networking/bookinfo-gateway.yaml": Internal error occurred: failed calling webhook "pilot.validation.istio.io": Post "https://istio-galley.istio-system-v1.svc:443/admitpilot?timeout=30s": x509: certificate has expired or is not yet valid: current time 2021-07-16T10:12:48Z is after 2021-07-16T08:33:02Z
- Restarting the Galley pod fixes the issue.
The expectation is that Galley reloads the renewed certificate on its own, without a pod restart.
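As an added illustration of the expected behaviour (example code written for this report, not code from the Maistra or Istio projects), the Go program below shows the serving-side pattern whose absence produces the symptom above: a tls.Config.GetCertificate callback that re-reads the mounted certificate on every handshake, so a rotated tls.crt/tls.key pair is picked up without restarting the process. The helper that writes self-signed certificates stands in for whatever issuer renews the webhook certificate; the names WriteSelfSignedCert and CertReloader, the temporary directory, the 15m and 1h lifetimes and the istio-galley.istio-system-v1.svc name are assumptions made for the example, and nothing here talks to a cluster.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// WriteSelfSignedCert overwrites <dir>/tls.crt and <dir>/tls.key with a fresh
// self-signed pair for cn valid for ttl and returns its NotAfter. It stands in
// for the issuer that rotates the webhook's serving certificate (constructed).
func WriteSelfSignedCert(dir, cn string, ttl time.Duration) (time.Time, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return time.Time{}, err
	}
	now := time.Now().Truncate(time.Second) // x509 validity has whole-second precision
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{cn},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return time.Time{}, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o600); err != nil {
		return time.Time{}, err
	}
	return tmpl.NotAfter, os.WriteFile(filepath.Join(dir, "tls.crt"), certPEM, 0o600)
}

// CertReloader hands the TLS stack whatever certificate is on disk at handshake
// time. A server that fills tls.Config.Certificates once at startup keeps
// presenting the original certificate until the process restarts.
type CertReloader struct {
	certPath, keyPath string
	cur               atomic.Pointer[tls.Certificate] // Leaf parsed; swapped on reload
}

func NewCertReloader(certPath, keyPath string) (*CertReloader, error) {
	r := &CertReloader{certPath: certPath, keyPath: keyPath}
	if err := r.reload(); err != nil {
		return nil, err
	}
	return r, nil
}

func (r *CertReloader) reload() error {
	c, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return err
	}
	if c.Leaf, err = x509.ParseCertificate(c.Certificate[0]); err != nil {
		return err
	}
	r.cur.Store(&c)
	return nil
}

// GetCertificate fits tls.Config.GetCertificate, so it runs on every handshake.
// It reloads when the DER in tls.crt no longer matches the certificate in use;
// if the new pair is unreadable (e.g. half-way through a rotation) it keeps
// serving the previous one rather than failing the handshake.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if onDisk, err := os.ReadFile(r.certPath); err == nil {
		if blk, _ := pem.Decode(onDisk); blk != nil && !bytes.Equal(blk.Bytes, r.cur.Load().Leaf.Raw) {
			_ = r.reload()
		}
	}
	return r.cur.Load(), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "galley-cert-demo") // constructed sandbox, not a pod mount
	defer os.RemoveAll(dir)
	certPath, keyPath := filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	first, _ := WriteSelfSignedCert(dir, "istio-galley.istio-system-v1.svc", 15*time.Minute)
	reloader, err := NewCertReloader(certPath, keyPath)
	if err != nil {
		panic(err)
	}
	_ = &tls.Config{GetCertificate: reloader.GetCertificate} // how a server wires it in
	renewed, _ := WriteSelfSignedCert(dir, "istio-galley.istio-system-v1.svc", time.Hour)
	served, _ := reloader.GetCertificate(nil)
	fmt.Println("first cert expires  ", first.UTC())
	fmt.Println("renewed cert expires", renewed.UTC())
	fmt.Println("now served          ", served.Leaf.NotAfter.UTC())
}
```

Run with `go run .`: the third line printed matches the renewed expiry, whereas a server that loaded the pair once into tls.Config.Certificates would keep printing the first expiry until restarted, which is the state the apiserver's webhook call runs into above. Comparing the DER on disk with the certificate in use, rather than file mtimes, avoids missing a rotation that lands within the same second; keeping the previous pair when a reload fails covers the window in which only one of the two files has been rewritten.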