- Bug
- Resolution: Done
- Blocker
- OSSM 2.6.0
- None
When I create SMCP v2.6 (only with default values) on a FIPS-enabled cluster (OCP 4.15/OCP 4.16), the istio-egressgateway and istio-ingressgateway pods never get into the Running state; the proxy log contains:
2024-07-09T10:05:58.736343Z info ads All caches have been synced up in 21.672246ms, marking server ready
2024-07-09T10:05:58.736560Z info xdsproxy Initializing with upstream address "istiod-basic.istio-system.svc:15012" and cluster "Kubernetes"
2024-07-09T10:05:58.737097Z info sds Starting SDS grpc server
2024-07-09T10:05:58.819941Z info xdsproxy connected to upstream XDS server: istiod-basic.istio-system.svc:15012
2024-07-09T10:05:58.834596Z warning envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138 gRPC config for type.googleapis.com/envoy.config.cluster.v3.Cluster rejected: Error adding/updating cluster(s) outbound|8188||istiod-basic.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 thread=20
2024-07-09T10:05:58.837862Z info ads ADS: new connection for node:istio-egressgateway-85c67b7db6-rbbmf.istio-system-1
2024-07-09T10:05:58.838744Z info ads ADS: new connection for node:istio-egressgateway-85c67b7db6-rbbmf.istio-system-2
2024-07-09T10:05:58.934572Z info cache generated new workload certificate latency=198.053257ms ttl=23h59m59.065432237s
2024-07-09T10:05:58.934603Z info cache Root cert has changed, start rotating root cert
2024-07-09T10:05:58.934618Z info ads XDS: Incremental Pushing ConnectedEndpoints:2 Version:
2024-07-09T10:05:58.934684Z info cache returned workload trust anchor from cache ttl=23h59m59.06531696s
2024-07-09T10:05:58.934697Z info cache returned workload certificate from cache ttl=23h59m59.065304717s
2024-07-09T10:05:58.934827Z info cache returned workload trust anchor from cache ttl=23h59m59.065176587s
2024-07-09T10:05:58.935556Z info ads SDS: PUSH request for node:istio-egressgateway-85c67b7db6-rbbmf.istio-system resources:1 size:4.0kB resource:default
2024-07-09T10:05:58.937193Z info ads SDS: PUSH request for node:istio-egressgateway-85c67b7db6-rbbmf.istio-system resources:1 size:1.1kB resource:ROOTCA
2024-07-09T10:05:58.937250Z info cache returned workload trust anchor from cache ttl=23h59m59.062751661s
2024-07-09T10:05:58.938022Z warning envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138 gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret rejected: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 thread=20
2024-07-09T10:05:58.938407Z warn ads ADS:SDS: ACK ERROR istio-egressgateway-85c67b7db6-rbbmf.istio-system-2 Internal:Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305
2024-07-09T10:05:59.532103Z warning envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138 gRPC config for type.googleapis.com/envoy.config.cluster.v3.Cluster rejected: Error adding/updating cluster(s) outbound|8188||istiod-basic.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|3000||grafana.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|80||istio-egressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|443||istio-egressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|80||istio-ingressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|443||istio-ingressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 thread=20
2024-07-09T10:05:59.973171Z warn Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 0 successful, 2 rejected; lds updates: 2 successful, 0 rejected
2024-07-09T10:06:00.366215Z warn Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 0 successful, 2 rejected; lds updates: 2 successful, 0 rejected
2024-07-09T10:06:01.369909Z warn Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 0 successful, 2 rejected; lds updates: 2 successful, 0 rejected
and the last warning keeps repeating itself.
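The log above is the whole diagnostic: the two CHACHA20-POLY1305 suites in the default list are not FIPS-approved algorithms, so a TLS stack running in FIPS mode refuses them, Envoy rejects every CDS cluster and SDS secret that carries the list, and the proxy never becomes ready (the four AES-GCM suites are accepted). The script below is an added example, not code from this report or from Istio/OSSM; it assumes only the istio-proxy log shape quoted above and runs over constructed sample lines abridged from it. It extracts the configured and rejected suites, the xDS resource types and clusters that were rejected because of them, the suites that remain usable in their configured order, and the last readiness counters, so an operator can confirm this failure mode from a pod log without reading the wall of text by hand.

```python
"""Triage the istio-proxy cipher-suite rejection seen on a FIPS-enabled cluster.

Added example, not code from the bug report or from Istio/OSSM. It parses
istio-proxy log lines of the shape quoted in the report and answers three
questions: which cipher suites the FIPS TLS stack refused, which xDS resources
(clusters, SDS secrets) were rejected as a result, and whether the proxy ever
reported itself ready.
"""
import re

# Constructed sample, abridged from the shape of the log quoted in the report.
SAMPLE_LOG = """\
2024-07-09T10:05:58.736343Z info ads All caches have been synced up in 21.672246ms, marking server ready
2024-07-09T10:05:58.834596Z warning envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138 gRPC config for type.googleapis.com/envoy.config.cluster.v3.Cluster rejected: Error adding/updating cluster(s) outbound|8188||istiod-basic.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|3000||grafana.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 thread=20
2024-07-09T10:05:58.938022Z warning envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138 gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret rejected: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305 thread=20
2024-07-09T10:05:59.973171Z warn Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 0 successful, 2 rejected; lds updates: 2 successful, 0 rejected
"""

# "Failed to initialize cipher suites A:B:C:. The following ciphers were rejected when tried individually: A, C"
# The suite list is an OpenSSL-style colon-separated string (with a trailing colon in this log).
# The rejected list is comma-separated and uses upper-case names only, so the greedy group
# stops at the next lower-case token (", outbound|..." or " thread=").
CIPHER_RE = re.compile(
    r"Failed to initialize cipher suites ([A-Z0-9:-]+)\. "
    r"The following ciphers were rejected when tried individually: "
    r"([A-Z0-9-]+(?:, [A-Z0-9-]+)*)"
)
CLUSTER_RE = re.compile(r"(outbound\|\d+\|\|[A-Za-z0-9.-]+): Failed to initialize cipher suites")
RESOURCE_RE = re.compile(r"gRPC config for (type\.googleapis\.com/[\w.]+) rejected")
READY_RE = re.compile(
    r"Envoy proxy is NOT ready: .*cds updates: (\d+) successful, (\d+) rejected; "
    r"lds updates: (\d+) successful, (\d+) rejected"
)


def _dedupe(items):
    """Drop repeats while keeping first-seen order (the log repeats every entry per cluster)."""
    return list(dict.fromkeys(items))


def cipher_rejections(log):
    """Return (configured_suites, rejected_suites), deduplicated, in first-seen order."""
    configured, rejected = [], []
    for m in CIPHER_RE.finditer(log):
        configured.extend(s for s in m.group(1).split(":") if s)
        rejected.extend(s.strip() for s in m.group(2).split(","))
    return _dedupe(configured), _dedupe(rejected)


def usable_suites(configured, rejected):
    """Suites the TLS stack accepted, preserving the configured preference order."""
    return [s for s in configured if s not in rejected]


def rejected_resources(log):
    """xDS resource types and cluster names rejected because of the cipher-suite failure."""
    return _dedupe(RESOURCE_RE.findall(log)), _dedupe(CLUSTER_RE.findall(log))


def readiness(log):
    """Counters from the last 'NOT ready' line, or None if the proxy never logged one."""
    last = None
    for m in READY_RE.finditer(log):
        last = {"cds_ok": int(m.group(1)), "cds_rejected": int(m.group(2)),
                "lds_ok": int(m.group(3)), "lds_rejected": int(m.group(4))}
    return last


def triage(log):
    """One report for a whole proxy log."""
    configured, rejected = cipher_rejections(log)
    types, clusters = rejected_resources(log)
    return {
        "configured": configured,
        "rejected": rejected,
        "usable": usable_suites(configured, rejected),
        "rejected_types": types,
        "rejected_clusters": clusters,
        "readiness": readiness(log),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Rejected by the FIPS TLS stack:", ", ".join(report["rejected"]))
    print("Still usable, in configured order:", ":".join(report["usable"]))
    print("Rejected clusters:", *report["rejected_clusters"], sep="\n  ")
    print("Last readiness counters:", report["readiness"])
```

Feed it the output of `kubectl logs` (or `oc logs`) for the gateway pod's istio-proxy container; a non-empty `rejected` list together with `cds_rejected > 0` is the signature of this bug, and the `usable` list is the suite set the cluster's FIPS TLS stack actually accepted.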