Using Custom CA Cert, ingress and egress gateways pick up the root cert, not the CA cert. #27680

Closed
st33v opened this issue Oct 1, 2020 · 1 comment

st33v commented Oct 1, 2020

Bug description
I followed the instructions here and installed my root cert, ca-key, ca-cert and cert-chain (which is identical to the ca-key) into the 'cacerts' secret in the 'istio-system' namespace. I then used istioctl to install Istio... istiod starts with no errors, but the ingress and egress gateways both fail to become ready.

In the ingress/egress controller logs, I see this:

2020-10-01T20:21:47.847540Z info PilotSAN []string{"istiod.istio-system.svc"}
2020-10-01T20:21:47.847557Z info MixerSAN []string{"spiffe://cluster.local/ns/istio-system/sa/istio-mixer-service-account"}
2020-10-01T20:21:47.847597Z info sa.serverOptions.CAEndpoint == istiod.istio-system.svc:15012
2020-10-01T20:21:47.847607Z info Using user-configured CA istiod.istio-system.svc:15012
2020-10-01T20:21:47.847613Z info istiod uses self-issued certificate
2020-10-01T20:21:47.847664Z info the CA cert of istiod is: -----BEGIN CERTIFICATE-----
.
the contents of the ROOT cert, not the CA cert
.
.
-----END CERTIFICATE-----

Further down in the logs, I see this:

2020-10-01T20:21:48.342382Z error sds resource:default received error: code:13 message:"Failed to load certificate chain from ". Will not respond until next secret update
2020-10-01T20:21:48.705111Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
2020-10-01T20:21:50.642372Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
2020-10-01T20:22:04.898628Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
2020-10-01T20:22:12.427720Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
2020-10-01T20:22:20.285804Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:22.285230Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:24.285176Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:26.285161Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:28.285068Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:30.285358Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected
2020-10-01T20:22:32.285160Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

And those errors continue forever.

[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Expected behavior
I expected Istio to install cleanly using my CA. It works fine without my custom certs.

Steps to reproduce the bug
See above... install Istio using a custom CA.

Version (include the output of istioctl version --remote and kubectl version --short and helm version if you used Helm)

istioctl version --remote
client version: 1.7.3
control plane version: 1.7.3
data plane version: none

kubectl version --short
Client Version: v1.16.6-beta.0
Server Version: v1.17.9-eks-4c6976

How was Istio installed?
istioctl install --set profile=demo

Environment where bug was observed (cloud vendor, OS, etc)
AWS EKS

st33v commented Oct 3, 2020

Duplicate of #24609. I resolved this by adding newlines to my CA certs and keys. Please fix #24609.

@st33v st33v closed this as completed Oct 3, 2020
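The newline problem behind the fix in the comment above, as an added example that is not part of this issue or of Istio: a pre-flight check for cert-chain.pem framing, with constructed placeholder PEM bodies (minimal DER SEQUENCEs, not real certificates) standing in for ca-cert.pem and root-cert.pem.

```python
import base64
import re

# A PEM block is only recognised when its BEGIN marker starts a line. A file saved
# without a trailing newline glues "-----END CERTIFICATE-----" and the next
# "-----BEGIN CERTIFICATE-----" onto one line once concatenated with cat, and the
# loader then reports "Failed to load certificate chain", as in the thread.
_BLOCK_RE = re.compile(
    r"^-----BEGIN CERTIFICATE-----\n(?P<body>[A-Za-z0-9+/=\n]+?)\n"
    r"-----END CERTIFICATE-----$",
    re.MULTILINE,
)

def parse_cert_chain(text):
    """Return the DER bytes of every well-framed certificate; raise ValueError on a
    marker that is not on its own line or a body that is not a DER SEQUENCE."""
    ders = []
    for match in _BLOCK_RE.finditer(text):
        der = base64.b64decode(match.group("body"))  # embedded newlines are skipped
        if not der or der[0] != 0x30:  # every X.509 certificate is a SEQUENCE
            raise ValueError("PEM body is not a DER SEQUENCE")
        ders.append(der)
    if text.count("-----BEGIN CERTIFICATE-----") != len(ders):
        raise ValueError("BEGIN/END marker not on its own line (missing newline?)")
    return ders

def concat_pem(*pem_files):
    """Join PEM files so each ends in exactly one newline (the fix from the thread)."""
    return "".join(f.rstrip("\n") + "\n" for f in pem_files)

def validate_chain(text):
    """Pre-flight check for cert-chain.pem before it goes into the cacerts secret."""
    try:
        count = len(parse_cert_chain(text))
    except ValueError as err:
        return False, str(err)
    return True, "%d certificate(s) parsed" % count

def fake_pem(der):
    """Constructed placeholder (a minimal DER SEQUENCE, not a real X.509 cert),
    written WITHOUT a trailing newline, like the reporter's files."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----")

CA_CERT = fake_pem(b"\x30\x03\x02\x01\x01")    # stands in for ca-cert.pem
ROOT_CERT = fake_pem(b"\x30\x03\x02\x01\x02")  # stands in for root-cert.pem
NAIVE_CHAIN = CA_CERT + ROOT_CERT     # what `cat ca-cert.pem root-cert.pem` yields
FIXED_CHAIN = concat_pem(CA_CERT, ROOT_CERT)
```

`validate_chain(NAIVE_CHAIN)` fails because the two markers share a line, while `validate_chain(FIXED_CHAIN)` parses both certificates; running the same check on the other files before building the secret catches the problem before istiod and the gateways do.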