New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Behaviour change in .Values.global.trustDomain between 1.5 and 1.6 breaks mTLS during upgrade #27828
Comments
How did you upgrade? I got a similar issue when I tried but it was because the 1.5 pods were pointing to the old 1.5 pilot which I had removed in the 1.6 install, so it didn't get reconfigured for the new services. However, my curl from istio-proxy worked whereas yours did not so probably a different issue then what you see here. |
We have a bespoke deployment of istio deployed via helm. In order to facilitate a microservice to monolith deployment we have an istio-pilot service pointing to istiod so that the 1.5 proxies maintain connectivity. The 1.5 proxy was not reporting any errors. Perhaps it would be easier to screen share and you can interrogate a cluster in a broken state? |
OK so a bit more info, it seems mtls for any 1.5 pods is broken, so included 1.5 -> 1.5 I've attached config dumps for:
I then upgraded the control plane and have provided:
In all of these dumps, the proxy is v1.5, the Some extra information, both services have
On 1.5 we have
And on 1.6 we have
|
vs
is one difference. should be the same behavior though |
this seems likely suspicious |
For what it's worth, if I create a
and set the
Thereby effectively disabling mtls for the service, it works. |
I posted the exact snippet that is wrong and didn't notice.... |
@howardjohn you're a star. There are certainly UX things to think about here. As you know we've been using istio for ages so have had the same In that file for <= 1.5 we had We then used So it feels to me like the default behaviour when that key is an empty string has some how changed between the two releases and in 1.5 it defaulted to cluster.local and in 1.6 its taken literally as nothing. |
Yeah seems like somewhere down the line something changed from "" meaning "use the default" to "override the default to empty". I'll see how that happened |
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2020-10-09. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
Bug description
All MTLS connectivity between 1.5 proxies and 1.6 proxies following an upgrade is broken.
Connectivity between 1.6 and 1.6 proxies is fine.
Please note we're also going from microservice to monolith.
All info below is from a testing cluster so don't worry about the certs being shared here.
Certificates from /etc/certs on 1.5 proxy:
Debug request from 1.5 (outbound) proxy:
Boot logs from 1.6 proxy (showing CA):
Debug request logs from 1.6 (inbound) proxy:
Making a request directly using curl and the certs from
istio-proxy
:[x] Docs
[x] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[x] User Experience
[x] Developer Infrastructure
Expected behavior
mtls between 1.5 and 1.6 pods to work
Steps to reproduce the bug
Version (include the output of
istioctl version --remote
andkubectl version --short
andhelm version
if you used Helm)1.5 + 1.6
How was Istio installed?
Helm
Environment where bug was observed (cloud vendor, OS, etc)
The text was updated successfully, but these errors were encountered: