Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-542

Galley is not using the new certificate after rotation

XMLWordPrintable

    • Sprint 14, OSSM 2.2 - 1, OSSM 2.2 - 2

      Galley pod is not using the correct certificate after its renewal and it is needed to restart the related pod to force it to reload the correct certificate.

      The issue is 100% reproducible.

      Reproducer:

      • Install Service Mesh operator.
      • Deploy Service Mesh Control Plane with version 1.1 and short certificate ttl, for example:
      apiVersion: maistra.io/v2
      kind: ServiceMeshControlPlane
      metadata:
        name: basic
        namespace: istio-system-v1
      spec:
        version: v1.1
        techPreview:
          security:
            workloadCertTtl: 15m
        tracing:
          type: Jaeger
          sampling: 10000
        addons:
          jaeger:
            name: jaeger
            install:
              storage:
                type: Memory
          kiali:
            enabled: true
            name: kiali
          grafana:
            enabled: true
      ---
      apiVersion: maistra.io/v1
      kind: ServiceMeshMemberRoll
      metadata:
       name: default
      spec:
       members:
       - bookinfo
       
      • Wait for the deployment of the control plane and for passing the certificate ttl.
      • Try to deploy the bookinfo example in the mesh, at the step for creating the virtual service and gateway an error is reported for certificate expired:
      $ oc apply -n bookinfo -f https://raw.githubusercontent.com/Maistra/istio/maistra-2.0/samples/bookinfo/networking/bookinfo-gateway.yaml
      Error from server (InternalError): error when creating "https://raw.githubusercontent.com/Maistra/istio/maistra-2.0/samples/bookinfo/networking/bookinfo-gateway.yaml": Internal error occurred: failed calling webhook "pilot.validation.istio.io": Post "https://istio-galley.istio-system-v1.svc:443/admitpilot?timeout=30s": x509: certificate has expired or is not yet valid: current time 2021-07-16T10:12:48Z is after 2021-07-16T08:33:02Z
      Error from server (InternalError): error when creating "https://raw.githubusercontent.com/Maistra/istio/maistra-2.0/samples/bookinfo/networking/bookinfo-gateway.yaml": Internal error occurred: failed calling webhook "pilot.validation.istio.io": Post "https://istio-galley.istio-system-v1.svc:443/admitpilot?timeout=30s": x509: certificate has expired or is not yet valid: current time 2021-07-16T10:12:48Z is after 2021-07-16T08:33:02Z
      
      • restarting the Galley pod fix the issue.

      The expectation is that Galley should reload autonomously the new certificate.

            dgrimm@redhat.com Daniel Grimm
            rhn-support-cpassare Christian Passarelli
            Votes:
            0 Vote for this issue
            Watchers:
            15 Start watching this issue

              Created:
              Updated:
              Resolved: