OpenShift Service Mesh / OSSM-6786

2.6 proxy is not able to start on FIPS enabled cluster

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Affects Version/s: OSSM 2.6.0
    • Fix Version/s: OSSM 2.6.0
    • Component/s: Customer Impact, Envoy

      When I create SMCP v2.6 (only with default values) on the FIPS-enabled cluster (OCP 4.15/OCP 4.16), istio-egressgateway and istio-ingressgateway pods never get into Running state,
      and the proxy log contains:

      2024-07-09T10:05:58.736343Z	info	ads	All caches have been synced up in 21.672246ms, marking server ready
      2024-07-09T10:05:58.736560Z	info	xdsproxy	Initializing with upstream address "istiod-basic.istio-system.svc:15012" and cluster "Kubernetes"
      2024-07-09T10:05:58.737097Z	info	sds	Starting SDS grpc server
      2024-07-09T10:05:58.819941Z	info	xdsproxy	connected to upstream XDS server: istiod-basic.istio-system.svc:15012
      2024-07-09T10:05:58.834596Z	warning	envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138	gRPC config for type.googleapis.com/envoy.config.cluster.v3.Cluster rejected: Error adding/updating cluster(s) outbound|8188||istiod-basic.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305	thread=20
      2024-07-09T10:05:58.837862Z	info	ads	ADS: new connection for node:istio-egressgateway-85c67b7db6-rbbmf.istio-system-1
      2024-07-09T10:05:58.838744Z	info	ads	ADS: new connection for node:istio-egressgateway-85c67b7db6-rbbmf.istio-system-2
      2024-07-09T10:05:58.934572Z	info	cache	generated new workload certificate	latency=198.053257ms ttl=23h59m59.065432237s
      2024-07-09T10:05:58.934603Z	info	cache	Root cert has changed, start rotating root cert
      2024-07-09T10:05:58.934618Z	info	ads	XDS: Incremental Pushing ConnectedEndpoints:2 Version:
      2024-07-09T10:05:58.934684Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.06531696s
      2024-07-09T10:05:58.934697Z	info	cache	returned workload certificate from cache	ttl=23h59m59.065304717s
      2024-07-09T10:05:58.934827Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.065176587s
      2024-07-09T10:05:58.935556Z	info	ads	SDS: PUSH request for node:istio-egressgateway-85c67b7db6-rbbmf.istio-system resources:1 size:4.0kB resource:default
      2024-07-09T10:05:58.937193Z	info	ads	SDS: PUSH request for node:istio-egressgateway-85c67b7db6-rbbmf.istio-system resources:1 size:1.1kB resource:ROOTCA
      2024-07-09T10:05:58.937250Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.062751661s
      2024-07-09T10:05:58.938022Z	warning	envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138	gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret rejected: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305	thread=20
      2024-07-09T10:05:58.938407Z	warn	ads	ADS:SDS: ACK ERROR istio-egressgateway-85c67b7db6-rbbmf.istio-system-2 Internal:Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305
      2024-07-09T10:05:59.532103Z	warning	envoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138	gRPC config for type.googleapis.com/envoy.config.cluster.v3.Cluster rejected: Error adding/updating cluster(s) outbound|8188||istiod-basic.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|3000||grafana.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|80||istio-egressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|443||istio-egressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|15021||istio-ingressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|80||istio-ingressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, outbound|443||istio-ingressgateway.istio-system.svc.cluster.local: Failed to initialize cipher suites ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:. The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305	thread=20
      2024-07-09T10:05:59.973171Z	warn	Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 0 successful, 2 rejected; lds updates: 2 successful, 0 rejected
      2024-07-09T10:06:00.366215Z	warn	Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 0 successful, 2 rejected; lds updates: 2 successful, 0 rejected
      2024-07-09T10:06:01.369909Z	warn	Envoy proxy is NOT ready: config received from XDS server, but was rejected: cds updates: 0 successful, 2 rejected; lds updates: 2 successful, 0 rejected
      

      and the last warning keeps repeating itself.
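As an added example (not part of this issue and not code from the Istio, Envoy or OSSM projects), the following Go program scans proxy log output of the kind shown above for the "Failed to initialize cipher suites" rejection, collects the ciphers the FIPS-mode crypto library refused, checks whether the proxy is stuck in the NOT-ready loop, and derives the configured cipher list with the refused suites removed. CHACHA20-POLY1305 is not a FIPS-approved algorithm, which is why both CHACHA20 suites in the default list are rejected individually. The log lines embedded in the program are constructed from the report (shortened); the function names, the regular expression and the assumption that every refused cipher is named in the "rejected when tried individually" clause are my own. Where the reduced list would be applied (the mesh or SMCP TLS cipher-suite setting) is not confirmed by this issue and is left to the operator.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// defaultList is the cipher-suite string that appears in the report's log:
// the list the proxy was configured with. Two entries are CHACHA20-POLY1305
// suites, which a FIPS-mode crypto library refuses to enable.
const defaultList = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:" +
	"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:" +
	"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"

// sampleLog is constructed for this example: three lines modelled on the proxy
// log in the report (one CDS rejection covering two clusters, one SDS Secret
// rejection, one readiness warning). It is not the original log.
var sampleLog = strings.Join([]string{
	"2024-07-09T10:05:59.532103Z\twarning\tenvoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138\t" +
		"gRPC config for type.googleapis.com/envoy.config.cluster.v3.Cluster rejected: Error adding/updating cluster(s) " +
		"outbound|8188||istiod-basic.istio-system.svc.cluster.local: Failed to initialize cipher suites " + defaultList + ":. " +
		"The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, " +
		"outbound|3000||grafana.istio-system.svc.cluster.local: Failed to initialize cipher suites " + defaultList + ":. " +
		"The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305\tthread=20",
	"2024-07-09T10:05:58.938022Z\twarning\tenvoy config external/envoy/source/extensions/config_subscription/grpc/grpc_subscription_impl.cc:138\t" +
		"gRPC config for type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret rejected: Failed to initialize cipher suites " + defaultList + ":. " +
		"The following ciphers were rejected when tried individually: ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305\tthread=20",
	"2024-07-09T10:05:59.973171Z\twarn\tEnvoy proxy is NOT ready: config received from XDS server, but was rejected: " +
		"cds updates: 0 successful, 2 rejected; lds updates: 2 successful, 0 rejected",
}, "\n")

// CipherFailure is one "Failed to initialize cipher suites" occurrence.
type CipherFailure struct {
	Configured []string // the colon-separated list Envoy was asked to enable
	Rejected   []string // the suites the crypto library refused individually
}

// failureRe (my own pattern) captures the configured list (group 1, with its
// trailing colon) and the comma-separated rejected suites (group 2). Cipher
// names are upper-case, so the lower-case "outbound|..." cluster name that
// follows the list in a multi-cluster CDS rejection is not swallowed.
var failureRe = regexp.MustCompile(
	`Failed to initialize cipher suites ([^ ]+)\. The following ciphers were rejected when tried individually: ([A-Z0-9-]+(?:, [A-Z0-9-]+)*)`)

// ParseCipherFailures returns every cipher-suite failure in the log text,
// in order of appearance (a CDS line with N clusters yields N failures).
func ParseCipherFailures(log string) []CipherFailure {
	var out []CipherFailure
	for _, m := range failureRe.FindAllStringSubmatch(log, -1) {
		out = append(out, CipherFailure{
			Configured: strings.Split(strings.TrimSuffix(m[1], ":"), ":"),
			Rejected:   strings.Split(m[2], ", "),
		})
	}
	return out
}

// RejectedCiphers returns the distinct set of refused suites, sorted.
func RejectedCiphers(failures []CipherFailure) []string {
	seen := map[string]bool{}
	for _, f := range failures {
		for _, c := range f.Rejected {
			seen[c] = true
		}
	}
	out := make([]string, 0, len(seen))
	for c := range seen {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// FIPSCompatibleList removes the refused suites from the configured list and
// returns the remainder in Envoy's colon-separated form. An empty result is an
// error: a proxy with no ciphers would be no better off than the failing one.
func FIPSCompatibleList(f CipherFailure) (string, error) {
	rejected := map[string]bool{}
	for _, c := range f.Rejected {
		rejected[c] = true
	}
	var keep []string
	for _, c := range f.Configured {
		if !rejected[c] {
			keep = append(keep, c)
		}
	}
	if len(keep) == 0 {
		return "", fmt.Errorf("no ciphers left after removing %v", f.Rejected)
	}
	return strings.Join(keep, ":"), nil
}

// ProxyNotReady reports whether the log shows the readiness loop from the
// report: config rejected by Envoy and the NOT-ready warning present.
func ProxyNotReady(log string) bool {
	return strings.Contains(log, "Envoy proxy is NOT ready") &&
		strings.Contains(log, "Failed to initialize cipher suites")
}

func main() {
	failures := ParseCipherFailures(sampleLog)
	fmt.Printf("%d cipher-suite failures; refused suites: %v; proxy stuck: %v\n",
		len(failures), RejectedCiphers(failures), ProxyNotReady(sampleLog))
	if len(failures) > 0 {
		if list, err := FIPSCompatibleList(failures[0]); err == nil {
			fmt.Println("configured list without refused suites:", list)
		}
	}
}
```

Run it with `go run` after saving the block as a `.go` file; on the constructed sample it reports three failures, both CHACHA20 suites as refused, and prints the four remaining AES-GCM suites, which are FIPS-approved AEAD ciphers. Feeding it real output from `oc logs` of the gateway pod works the same way, since it only depends on the message text Envoy emits.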

People: Ted Poole (tpoole@redhat.com), Matej Kralik (mkralik@redhat.com)