Istio sidecar-injector mutatingwebhookconfiguration certificate does not auto-renew #14517
Comments
Setting to P0 since this exacerbated the recovery from #14516
Working on it. Using Kube CA to generate certs for the webhook solves this issue. But it will come out in 1.3. In 1.2, we will change the root cert TTL to 10 years or beyond for now, and we will make a transition support plan and may cherrypick a root cert rotation PR.
It seems like a small piece of work to add a simple check that uses that same code to refresh the secret if it's due soon?
@Stono I think you are right. I'll see how to do the check automatically.
@Stono
Hey! I think this issue should still be used to capture the work required to not need to restart the injector when the CA bundle is updated though; it should watch the mounted certs and just handle it (like pilot-agent). |
Sorry for the delay. I have just validated that the rotated root certificate will trigger an update on the caBundle for both validating and mutating webhook configurations, without the need to restart galley or the sidecar-injector. |
Bug description
The certificate in the caBundle of the mutatingwebhookconfiguration of the sidecar-injector expired, and did not auto-renew.
Following on from #14516 - when we were trying to get services back online, pods were unable to start due to the certificate on the injector being invalid.
This compounded an already bad day.
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[x] Docs
[x] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[x] Security
[ ] Test and Release
[x] User Experience
Expected behaviour
I expect the sidecar injector to manage its caBundle appropriately.
Steps to reproduce the bug
Set caBundle in the mutatingwebhookconfiguration of the sidecar-injector to be out of date.
Version (include the output of istioctl version --remote and kubectl version)
All
How was Istio installed?
Helm
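An expiry check of the kind suggested in the comments above, as an added example that is not code from the Istio project or from anyone in this thread: it decodes a caBundle as stored in a MutatingWebhookConfiguration and fails if any certificate in it expires within a chosen number of days, so it can run from cron or a monitoring probe before the injector starts rejecting pods. The webhook name istio-sidecar-injector and the jsonpath in the kubectl wrapper are assumptions about the cluster, and openssl, base64, awk and mktemp are assumed to be available.

```shell
#!/bin/sh
# Check that every certificate in a base64-encoded caBundle (the value of
# clientConfig.caBundle in a MutatingWebhookConfiguration) is still valid for
# at least DAYS more days. Exit 0 = fine, 1 = expiring or expired, 2 = unreadable.
check_cabundle_expiry() {
  bundle_b64="$1"; days="${2:-30}"
  seconds=$((days * 86400))
  tmpdir=$(mktemp -d) || return 2
  printf '%s' "$bundle_b64" | base64 -d > "$tmpdir/bundle.pem" 2>/dev/null \
    || { rm -rf "$tmpdir"; return 2; }
  # Split the bundle: each BEGIN CERTIFICATE line starts cert1.pem, cert2.pem, ...
  awk -v dir="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert" n ".pem")}' \
    "$tmpdir/bundle.pem"
  rc=0; n=0
  for f in "$tmpdir"/cert*.pem; do
    [ -f "$f" ] || break
    n=$((n + 1))
    # openssl -checkend exits non-zero if the cert expires within the window (or already has)
    if ! openssl x509 -in "$f" -noout -checkend "$seconds" >/dev/null 2>&1; then
      echo "certificate #$n in caBundle expires within $days days (or is already expired)" >&2
      rc=1
    fi
  done
  rm -rf "$tmpdir"
  [ "$n" -gt 0 ] || return 2   # no PEM certificate found at all
  return "$rc"
}

# Hypothetical wrapper: read the injector's caBundle straight from the cluster.
# Assumes the webhook is named istio-sidecar-injector and has a single entry.
check_webhook_cabundle() {
  name="${1:-istio-sidecar-injector}"; days="${2:-30}"
  b64=$(kubectl get mutatingwebhookconfiguration "$name" \
          -o jsonpath='{.webhooks[0].clientConfig.caBundle}') || return 2
  check_cabundle_expiry "$b64" "$days"
}
```

Wire the non-zero exit into whatever alerting you already have; a bundle that passes today but fails with a generous window (for example 90 days) is the early warning this issue lacked.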