  1. OpenShift Request For Enhancement
  2. RFE-7850

Support custom cluster-id Configuration in IstioCSR CR in RHOCP 4

      1. Proposed title of this feature request

      --> Support Custom cluster-id Configuration in IstioCSR Custom Resource (CR)

      Suggested Enhancement :

      Add support for a new field in the IstioCSR CR spec (e.g., spec.clusterID) that allows administrators to explicitly set the cluster-id. This value should then be passed to the underlying cert-manager-istio-csr pod via environment variable or command-line argument, depending on implementation.

      2. What is the nature and description of the request? 

      --> The customer requests the ability to customize the cluster-id field in the IstioCSR Custom Resource (CR) in OpenShift Service Mesh, particularly when using the cert-manager-istio-csr integration, which is currently in Technology Preview.

      The current implementation does not allow users to configure cluster-id within the IstioCSR CR. In multi-mesh or multi-cluster environments, the default behavior leads to instability when the cluster-id is not explicitly set. Specifically, the cert-manager-istio-csr pod fails to start due to an internal nil pointer dereference.

      To mitigate this issue during testing, the customer manually updated the Deployment resource to inject the correct cluster-id (matching the cluster name). After doing so, the pod started successfully, confirming that a configurable cluster-id resolves the crash.

      This behavior has also been observed in the upstream community version of istio-csr, with an open issue documenting the problem and resolution: https://github.com/cert-manager/istio-csr/issues/413

      3. Why does the customer need this? (List the business requirements here) 

      --> In multi-mesh or multi-cluster Istio Service Mesh environments, the ability to set a unique cluster-id is critical for ensuring proper certificate issuance, identity resolution, and inter-cluster communication.

      Without the ability to configure this property in the IstioCSR CR, the cert-manager-istio-csr pod crashes during startup with the following error:

      ~~~
      $ oc get pods | awk 'NR==1 || /csr/'
      NAME READY STATUS RESTARTS AGE
      cert-manager-istio-csr-858f7c765d-qp5n4 0/1 CrashLoopBackOff 254 (2m19s ago) 21h

      #######################################
      panic: runtime error: invalid memory address or nil pointer dereference
      [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x43516c9]

      goroutine 63 [running]:
      #######################################
      ~~~

      This not only blocks the cluster from achieving a functional service mesh setup but also leads to unnecessary downtime and troubleshooting overhead.

      The customer has verified that injecting a valid cluster-id (via Deployment modification) allows the pod to start successfully, both in the Red Hat and upstream implementations. However, manually modifying deployments is not a sustainable or supported solution.

       4. List any affected packages or components.

      • cert-manager-istio-csr
      • IstioCSR Custom Resource
      • Service Mesh
      • Targeting GA in OpenShift 4.20 (currently in Tech Preview)

       

              rh-ee-npng Nick Png
              rhn-support-sdharma Suruchi Dharma