Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: OSSM 1.1.18
Affects Version/s: None
Component/s: Maistra
Labels:
- cert-manager
- istio

Blocked:
False
Ready:
False
Affects:

Release Notes
Release Note Text:
Undefined
Git Pull Request:
https://github.com/maistra/istio/pull/462
Market:

Sprint:
Sprint 14, OSSM 2.2 - 1, OSSM 2.2 - 2

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Galley pod is not using the correct certificate after its renewal and it is needed to restart the related pod to force it to reload the correct certificate.

The issue is 100% reproducible.

Reproducer:

Install Service Mesh operator.

Deploy Service Mesh Control Plane with version 1.1 and short certificate ttl, for example:

apiVersion: maistra.io/v2
kind: ServiceMeshControlPlane
metadata:
  name: basic
  namespace: istio-system-v1
spec:
  version: v1.1
  techPreview:
    security:
      workloadCertTtl: 15m
  tracing:
    type: Jaeger
    sampling: 10000
  addons:
    jaeger:
      name: jaeger
      install:
        storage:
          type: Memory
    kiali:
      enabled: true
      name: kiali
    grafana:
      enabled: true
---
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
 name: default
spec:
 members:
 - bookinfo

Wait for the deployment of the control plane and for passing the certificate ttl.

Try to deploy the bookinfo example in the mesh, at the step for creating the virtual service and gateway an error is reported for certificate expired:

$ oc apply -n bookinfo -f https://raw.githubusercontent.com/Maistra/istio/maistra-2.0/samples/bookinfo/networking/bookinfo-gateway.yaml
Error from server (InternalError): error when creating "https://raw.githubusercontent.com/Maistra/istio/maistra-2.0/samples/bookinfo/networking/bookinfo-gateway.yaml": Internal error occurred: failed calling webhook "pilot.validation.istio.io": Post "https://istio-galley.istio-system-v1.svc:443/admitpilot?timeout=30s": x509: certificate has expired or is not yet valid: current time 2021-07-16T10:12:48Z is after 2021-07-16T08:33:02Z
Error from server (InternalError): error when creating "https://raw.githubusercontent.com/Maistra/istio/maistra-2.0/samples/bookinfo/networking/bookinfo-gateway.yaml": Internal error occurred: failed calling webhook "pilot.validation.istio.io": Post "https://istio-galley.istio-system-v1.svc:443/admitpilot?timeout=30s": x509: certificate has expired or is not yet valid: current time 2021-07-16T10:12:48Z is after 2021-07-16T08:33:02Z

restarting the Galley pod fix the issue.

The expectation is that Galley should reload autonomously the new certificate.

links to

KB solution: Galley is not using the new certificate after rotation in OCP 4

Assignee:: Daniel Grimm

Reporter:: Christian Passarelli

Votes:: 0 Vote for this issue

Watchers:: 15 Start watching this issue

Created:: 2021/07/16 11:24 AM

Updated:: 2022/03/25 11:14 AM

Resolved:: 2022/02/15 6:02 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates