Cert-manager fails to integration with Istio #5827

Closed
Chen-Xintong opened this issue Feb 24, 2023 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. triage/needs-information Indicates an issue needs more information in order to work on it.


@Chen-Xintong

Describe the bug:

I'm using cert-manager as a custom CA to integrate with Istio, and following this guide to create signers: https://istio.io/latest/docs/tasks/security/cert-management/custom-ca-k8s/

The Signers are created, but when I install Istio with the signer certificate I can see the CSR is Created and Approved but never Issued, and there are no new logs from the Cert Manager.

NAMESPACE   NAME                              AGE   SIGNERNAME                                    REQUESTOR                                   REQUESTEDDURATION   CONDITION
            csr-workload-f9pkb9vxf2b8xdcsqs   0s    clusterissuers.cert-manager.io/istio-system   system:serviceaccount:istio-system:istiod   <none>              Pending
            csr-workload-f9pkb9vxf2b8xdcsqs   0s    clusterissuers.cert-manager.io/istio-system   system:serviceaccount:istio-system:istiod   <none>              Approved
            csr-workload-f9pkb9vxf2b8xdcsqs   65s   clusterissuers.cert-manager.io/istio-system   system:serviceaccount:istio-system:istiod   <none>              Approved
            csr-workload-9t4l6dx2cf4mmmtgc4   0s    clusterissuers.cert-manager.io/istio-system   system:serviceaccount:istio-system:istiod   <none>              Pending
            csr-workload-9t4l6dx2cf4mmmtgc4   0s    clusterissuers.cert-manager.io/istio-system   system:serviceaccount:istio-system:istiod   <none>              Approved
            csr-workload-9t4l6dx2cf4mmmtgc4   65s   clusterissuers.cert-manager.io/istio-system   system:serviceaccount:istio-system:istiod   <none>              Approved

And the Istiod logs:

2023-02-24T07:26:18.112835Z error failed to create discovery service: failed generating key and cert by kubernetes: no certificate returned for the CSR: "csr-workload-f7wzxcxxnwp5wtfscb" Error: failed to create discovery service: failed generating key and cert by kubernetes: no certificate returned for the CSR: "csr-workload-f7wzxcxxnwp5wtfscb"

Environment details:

  • Kubernetes version: 1.25
  • Cloud-provider/provisioner: single node test cluster
  • cert-manager version: v1.7.1
  • Install method: static manifests

/kind bug

@jetstack-bot jetstack-bot added the kind/bug Categorizes issue or PR as related to a bug. label Feb 24, 2023
@irbekrm
Collaborator

irbekrm commented Feb 24, 2023

Hi, are you sure that you have set the --feature-gates=ExperimentalCertificateSigningRequestControllers=true flag on cert-manager?
Could you paste in cert-manager controller logs with increased log level (--v=5 flag) including the logs at the controller start, so we can see if the certificate signing request controllers start?
Also could you paste in the Issuer and the Certificate that you are using?

> cert-manager version: v1.7.1

It would definitely make sense to also upgrade to the latest version as v1.7.1 is no longer supported https://cert-manager.io/docs/installation/supported-releases/

@irbekrm irbekrm added the triage/needs-information Indicates an issue needs more information in order to work on it. label Feb 24, 2023
@Chen-Xintong
Author

> Hi, are you sure that you have set the --feature-gates=ExperimentalCertificateSigningRequestControllers=true flag on cert-manager? Could you paste in cert-manager controller logs with increased log level (--v=5 flag) including the logs at the controller start, so we can see if the certificate signing request controllers start? Also could you paste in the Issuer and the Certificate that you are using?
>
> > cert-manager version: v1.7.1
>
> It would definitely make sense to also upgrade to the latest version as v1.7.1 is no longer supported https://cert-manager.io/docs/installation/supported-releases/

Hi @irbekrm, thank you very much for your reply. I updated cert-manager to 1.11 and added the --feature-gates=ExperimentalCertificateSigningRequestControllers=true flag (not sure if it was enabled before), and now it works as expected. Thank you!

@Chen-Xintong
Author

We can close this as this issue was resolved :)
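A diagnostic for the symptom in this thread, added here as an example and not taken from the issue or from the cert-manager project: it checks the controller Deployment for the feature gate and lists CSRs for the cert-manager signer that are Approved but carry no certificate. It assumes input in the shape of `kubectl get deployment ... -o json` and `kubectl get csr -o json`; the sample objects and their names are constructed.

```python
import json

# Both values are taken from the thread above.
SIGNER_PREFIX = "clusterissuers.cert-manager.io/"
GATE = "ExperimentalCertificateSigningRequestControllers"

def gate_enabled(deployment):
    """True if a container arg of the form --feature-gates=A=true,B=false enables GATE."""
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for arg in container.get("args", []):
            if arg.startswith("--feature-gates="):
                for pair in arg.split("=", 1)[1].split(","):
                    name, _, value = pair.partition("=")
                    if name.strip() == GATE and value.strip().lower() == "true":
                        return True
    return False

def stuck_csrs(csr_list):
    """Names of CSRs for the cert-manager signer that are Approved but have no certificate."""
    stuck = []
    for item in csr_list.get("items", []):
        if not item["spec"].get("signerName", "").startswith(SIGNER_PREFIX):
            continue  # some other signer is responsible for this request
        status = item.get("status", {})
        approved = any(c.get("type") == "Approved" and c.get("status") == "True"
                       for c in status.get("conditions", []))
        if approved and not status.get("certificate"):
            stuck.append(item["metadata"]["name"])
    return stuck

# Constructed sample input (not captured from a real cluster).
SAMPLE_DEPLOYMENT = json.loads("""{"spec": {"template": {"spec": {"containers": [
  {"name": "cert-manager-controller", "args": ["--v=5"]}]}}}}""")
SAMPLE_CSRS = json.loads("""{"items": [
  {"metadata": {"name": "csr-example-stuck"},
   "spec": {"signerName": "clusterissuers.cert-manager.io/istio-system"},
   "status": {"conditions": [{"type": "Approved", "status": "True"}]}},
  {"metadata": {"name": "csr-example-issued"},
   "spec": {"signerName": "clusterissuers.cert-manager.io/istio-system"},
   "status": {"conditions": [{"type": "Approved", "status": "True"}],
              "certificate": "Q09OU1RSVUNURUQ="}},
  {"metadata": {"name": "csr-example-kubelet"},
   "spec": {"signerName": "kubernetes.io/kubelet-serving"},
   "status": {"conditions": [{"type": "Approved", "status": "True"}]}}]}""")

if __name__ == "__main__":
    print("feature gate enabled:", gate_enabled(SAMPLE_DEPLOYMENT))
    print("approved but unsigned:", stuck_csrs(SAMPLE_CSRS))
```

A gate that is off together with a non-empty list of approved-but-unsigned CSRs matches the state reported at the top of this issue.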
