Ticket
Resolution: Not a Bug
Major
OSSM 2.6.1
After creating a DestinationRule that loads a Secret into the egress-gateway pod, where the secret holds an expired CA certificate, the CA certificate is still considered valid:
❯ istioctl pc secret -n istio-system istio-egressgateway-8bbfb6558-7ccqn
RESOURCE NAME                      TYPE        STATUS  VALID CERT  SERIAL NUMBER                             NOT AFTER             NOT BEFORE
default                            Cert Chain  ACTIVE  true        d6e1a6943af040b7441525076d13d597          2024-10-05T07:02:14Z  2024-10-04T07:00:14Z
kubernetes://newcert-valid         Cert Chain  ACTIVE  true        596aa90351b374d48f6269bcb0b23c24ea737af9  2025-10-02T09:49:29Z  2024-10-02T09:49:29Z
ROOTCA                             CA          ACTIVE  true        8b9ad93ce9f30d476bd15e04cfeb008f          2034-09-15T10:04:46Z  2024-09-17T10:04:46Z
kubernetes://newcert-valid-cacert  CA          ACTIVE  true        1002                                      2024-10-03T09:29:25Z  2024-10-02T09:29:25Z
I was expecting that after restarting the istio-egressgateway the certificate validity would be checked, but that didn't happen, and the certificate was still being marked as valid.
Then I restarted istiod hoping that it would check the validity of the CA certificate, but that didn't happen either.
Istiod detects that the certificate is expired:
2024-10-04T11:18:57.339650Z warn ads invalid certificates: "kubernetes://newcert-valid-cacert": certificate is expired or not yet valid
But the istioctl tool still shows the CA certificate as valid, and moreover istiod still sends the invalid certificate to Envoy.
I've set the istio-egressgateway Envoy log level to trace and captured it when the DestinationRule was created (timestamps from 11:32:15). Attaching the Envoy log from the egressgateway pod.
How can we make sure that expired certificates are correctly checked and marked as not valid?
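As an added check that is not part of the ticket or of istioctl, the following parses an `istioctl pc secret` listing and flags entries whose VALID CERT column reads true although the NOT BEFORE..NOT AFTER window does not contain the reference time. The sample listing and the reference time are constructed from the output and the istiod warning quoted above.

```python
from datetime import datetime, timezone

# Sample listing constructed from the ticket's `istioctl pc secret` output,
# one row per secret (the report has it flattened onto one line).
SAMPLE_OUTPUT = """\
RESOURCE NAME                      TYPE        STATUS  VALID CERT  SERIAL NUMBER                             NOT AFTER             NOT BEFORE
default                            Cert Chain  ACTIVE  true        d6e1a6943af040b7441525076d13d597          2024-10-05T07:02:14Z  2024-10-04T07:00:14Z
kubernetes://newcert-valid         Cert Chain  ACTIVE  true        596aa90351b374d48f6269bcb0b23c24ea737af9  2025-10-02T09:49:29Z  2024-10-02T09:49:29Z
ROOTCA                             CA          ACTIVE  true        8b9ad93ce9f30d476bd15e04cfeb008f          2034-09-15T10:04:46Z  2024-09-17T10:04:46Z
kubernetes://newcert-valid-cacert  CA          ACTIVE  true        1002                                      2024-10-03T09:29:25Z  2024-10-02T09:29:25Z
"""


def _ts(s):
    """Parse the listing's UTC timestamps (e.g. 2024-10-03T09:29:25Z)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_secret_listing(text):
    """Parse `istioctl pc secret` rows into dicts.

    TYPE may be one or two words ("CA", "Cert Chain"), so fields are read
    from the right: two timestamps, serial, valid flag, status; whatever is
    left between the name and those tokens is the TYPE column.
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] == "RESOURCE":
            continue  # header or blank line
        rows.append({
            "name": tokens[0],
            "type": " ".join(tokens[1:-5]),
            "status": tokens[-5],
            "valid": tokens[-4] == "true",
            "serial": tokens[-3],
            "not_after": _ts(tokens[-2]),
            "not_before": _ts(tokens[-1]),
        })
    return rows


def find_misreported(text, now):
    """Names of secrets the listing marks VALID CERT=true although `now`
    falls outside their NOT BEFORE..NOT AFTER window, as in the ticket."""
    return [r["name"] for r in parse_secret_listing(text)
            if r["valid"] and not (r["not_before"] <= now <= r["not_after"])]
```

Calling `find_misreported(SAMPLE_OUTPUT, _ts("2024-10-04T11:18:57Z"))`, with the time taken from the istiod warning, returns only `kubernetes://newcert-valid-cacert`; a reference time before a certificate's NOT BEFORE flags that entry as not yet valid in the same way.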
is impacted by: OSSM-8283 [RFE] Add feature flag to prevent sending expired CA to proxies (Closed)