Custom CA requires trailing newline to function? #24609
Labels: area/security, feature/Multi-cluster (issues related with multi-cluster support), kind/docs, kind/enhancement
Bug description
While upgrading some clusters with a pre-seeded CA from 1.5.4 to 1.6.1, I've noticed that certificates stored in `cacerts` are rather particular about their formatting. Specifically if the secret key values do not contain an encoded trailing slash.

Prior to installing istio, I created a `cacerts` secret with fresh copies of my CA by using:

Upon startup, `istiod` correctly detected the existing CA and began its usual certificate signing:

However, `ingresscontroller` never seems to stabilize properly:

After uninstalling istio and deleting the namespace, I tried installing the certificates from my 1.5.4 clusters directly (rather than the newly acquired copies I had previously used). This worked. `istiod` and `ingressgateway` both went stable and healthy as expected.

Comparing the difference between the two certificate file pairs, the only difference was a trailing newline at the end of each certificate (after the `-----END CERTIFICATE-----` or `-----END RSA PRIVATE KEY-----`). After doing an `echo "" >> ca-cert.pem` to the newer copies and retrying once more, everything went stable.

Additionally, documentation previously stated that the following was needed in order to properly detect a non-self-signed CA:

This value has been removed in the 1.6 release with no deprecation notice, and the documentation does not seem to reference needing it any longer. While this is fine, it took a few minutes to realize that the default behavior does proper detection without requiring a helm option to configure this.
[X] Docs
[X] Security
Expected behavior
What is documented here: https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/
Steps to reproduce the bug
See above description
Version (include the output of `istioctl version --remote` and `kubectl version` and `helm version` if you used Helm)
How was Istio installed?
Via `istioctl manifest apply --set tag=1.6.1` using an updated version of this IstioOperatorSpec.
Environment where bug was observed (cloud vendor, OS, etc)
GKE 1.16
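A pre-flight check for the trailing-newline problem described in this issue, written as an added example rather than the reporter's or Istio's own code. It assumes the four PEM file names used by the linked plugin CA doc and the `istio-system` namespace; it appends a newline only where one is missing and refuses to create the secret while any file still ends badly.

```shell
#!/bin/sh
# Pre-flight check for the PEM files that feed Istio's cacerts secret.
# Added example, not Istio's own tooling. The four file names are the ones
# the plugin CA doc linked above uses; the istio-system namespace is assumed.
set -eu

# Succeeds only if the file is non-empty and its last byte is a newline.
pem_ends_with_newline() {
  [ -s "$1" ] && [ -z "$(tail -c 1 "$1" | tr -d '\n')" ]
}

# Succeeds if the last line is a PEM END marker by itself, so a chain whose
# members were concatenated without newlines (fused END/BEGIN) is rejected.
pem_has_clean_end_marker() {
  tail -n 1 "$1" | grep -qE '^-----END [A-Z ]+-----$'
}

# Append a single LF only when missing (the issue's echo "" >> fix, made
# idempotent). Prints 1 if the file was changed, 0 if it was already fine.
fix_pem_newline() {
  if pem_ends_with_newline "$1"; then
    echo 0
  else
    printf '\n' >> "$1"
    echo 1
  fi
}

# Fix and check every file the secret is built from; returns the number of
# files that still fail, so 0 means the directory is safe to load.
check_cacerts_dir() {
  dir=$1 bad=0
  for f in ca-cert.pem ca-key.pem root-cert.pem cert-chain.pem; do
    p="$dir/$f"
    if [ ! -s "$p" ]; then
      echo "missing or empty: $p" >&2; bad=$((bad + 1)); continue
    fi
    [ "$(fix_pem_newline "$p")" = 1 ] && echo "added trailing newline: $p" >&2
    pem_has_clean_end_marker "$p" || { echo "bad END marker: $p" >&2; bad=$((bad + 1)); }
  done
  return "$bad"
}

# Create the secret only after every file passes the checks above.
create_cacerts_secret() {
  check_cacerts_dir "$1" || return 1
  kubectl create secret generic cacerts -n istio-system \
    --from-file="$1/ca-cert.pem" --from-file="$1/ca-key.pem" \
    --from-file="$1/root-cert.pem" --from-file="$1/cert-chain.pem"
}
```

Run `create_cacerts_secret /path/to/certs` before `istioctl manifest apply`; the same check is worth repeating on the files extracted from an existing `cacerts` secret when a gateway will not go healthy.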