Bug description
I followed the instructions here and installed my root cert, ca-key, ca-cert and cert-chain which is identical to the ca-key into the 'cacerts' secret in the 'istio-system' namespace. I then used istioctl to install Istio... istiod starts with no errors but the ingress and egress gateways both fail to become ready.
In the ingress/egress controller logs, I see this:
2020-10-01T20:21:47.847540Z info PilotSAN []string{"istiod.istio-system.svc"}
2020-10-01T20:21:47.847557Z info MixerSAN []string{"spiffe://cluster.local/ns/istio-system/sa/istio-mixer-service-account"}
2020-10-01T20:21:47.847597Z info sa.serverOptions.CAEndpoint == istiod.istio-system.svc:15012
2020-10-01T20:21:47.847607Z info Using user-configured CA istiod.istio-system.svc:15012
2020-10-01T20:21:47.847613Z info istiod uses self-issued certificate
2020-10-01T20:21:47.847664Z info the CA cert of istiod is: -----BEGIN CERTIFICATE-----
.
the contents of the ROOT cert, not the CA cert
.
.
-----END CERTIFICATE-----
further down in the logs, I see this:
2020-10-01T20:21:48.342382Z error sds resource:default received error: code:13 message:"Failed to load certificate chain from ". Will not respond until next secret update
2020-10-01T20:21:48.705111Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
2020-10-01T20:21:50.642372Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
2020-10-01T20:22:04.898628Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
2020-10-01T20:22:12.427720Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
2020-10-01T20:22:20.285804Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:22.285230Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:24.285176Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:26.285161Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:28.285068Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:30.285358Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:32.285160Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
and those errors continue forever.
[] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Expected behavior
I expected Istio to install cleanly using my CA. It works fine without my custom certs.
Steps to reproduce the bug
see above... install Istio using a custom CA
Version (include the output of istioctl version --remote and kubectl version --short and helm version if you used Helm)
istioctl version --remote
client version: 1.7.3
control plane version: 1.7.3
data plane version: none
kubectl version --short
Client Version: v1.16.6-beta.0
Server Version: v1.17.9-eks-4c6976
How was Istio installed? istioctl install --set profile=demo
Environment where bug was observed (cloud vendor, OS, etc)
AWS EKS
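
A pre-install sanity check on the four files of the `cacerts` secret described in the report, as an added example that is not part of the original issue and is not Istio code. It assumes the secret's key names from Istio's plug-in CA documentation (`ca-cert.pem`, `ca-key.pem`, `root-cert.pem`, `cert-chain.pem`); the function names and sample values are hypothetical, and only the PEM structure is checked, not X.509 validity or the signing chain.

```python
import base64
import re

# Expected PEM block kind per key of the cacerts secret (assumed key names).
EXPECTED = {
    "ca-cert.pem": "CERTIFICATE",
    "ca-key.pem": "PRIVATE KEY",
    "root-cert.pem": "CERTIFICATE",
    "cert-chain.pem": "CERTIFICATE",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes or None)] for every PEM block found in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        try:
            blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
        except ValueError:
            blocks.append((label, None))  # armor present, body is not valid base64
    return blocks

def check_cacerts(secret):
    """secret: dict of file name -> decoded PEM text. Returns a list of findings."""
    findings = []
    for name, kind in EXPECTED.items():
        blocks = pem_blocks(secret.get(name, ""))
        if not blocks:
            findings.append(f"{name}: no PEM block found")
        for label, der in blocks:
            if der is None:
                findings.append(f"{name}: {label} block is not valid base64")
            elif not label.endswith(kind):
                findings.append(f"{name}: expected {kind}, found {label}")
    if secret.get("cert-chain.pem") and secret["cert-chain.pem"] == secret.get("ca-key.pem"):
        findings.append("cert-chain.pem is byte-identical to ca-key.pem")
    return findings

def _pem(label, payload):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample: placeholder bytes, not real certificates or keys.
CA, ROOT = _pem("CERTIFICATE", b"constructed-ca"), _pem("CERTIFICATE", b"constructed-root")
KEY = _pem("RSA PRIVATE KEY", b"constructed-key")
GOOD = {"ca-cert.pem": CA, "ca-key.pem": KEY, "root-cert.pem": ROOT, "cert-chain.pem": CA + ROOT}
BAD = dict(GOOD, **{"cert-chain.pem": KEY})  # chain file holding the key material

if __name__ == "__main__":
    for finding in check_cacerts(BAD):
        print(finding)
```
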