New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nondeterministic behaviour of istio-ingressgateway with mTLS #29214
Comments
Can you post the Gateway configs? |
@howardjohn Of course, adding them to the first post. I am linking to the configuration before a workaround (separate secret + job copying the tls cert and key). Those are the gateways we were using until istio 1.7. As you can see, they are both configured to use the same secret, one is tls and the other mtls. |
I think this is the same as #13589, can you check if that is consistent with this issue? Does it work with |
This happened in 1.8, you are seeing this after upgrading from 1.6 to 1.7 right? |
@howardjohn I will check #13589, thanks for the tip. Edit: |
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2020-11-30. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
Bug description
In our system we are using istio-ingressgateway to expose a certain amount of services using a simple TLS gateway (
tls-gateway
) and a single mTLS service using a dedicated mTLS gateway (mtls-gateway
).Both gateways use the same TLS certificate having the same
credentialName: tls-gateway-certs
field in the configuration. The secret is managed by cert-manager, so it created with ca.crt, tls.crt, tls.key fields.Additionally, we have a custom secret
tls-gateway-certs-cacert
, which holds a custom cacert, which we want to use for our mtls-gateway.After upgrading istio to 1.7.4 we noticed a nondeterministic behavior related to scaling the istio-ingressgateway. Calling our mtls application would sometimes fail with an
error:1401E418:SSL routines:CONNECT_CR_FINISHED:tlsv1 alert unknown ca
error.After some debugging we found out that some pods/instances of istio-ingressgateway were serving the CA from
tls-gateway-certs
secret (which was wrong) and some fromtls-gateway-certs-cacert
(which was correct)This behavior was not present in previous versions of Istio (1.5 and previous)
[ ] Docs
[ ] Installation
[ ] Networking
[ X ] Performance and Scalability
[ ] Extensions and Telemetry
[ X ] Security
[ ] Test and Release
[ X ] User Experience
[ ] Developer Infrastructure
[ ] Upgrade
Expected behavior
Istio-ingressgateway uses a single secret in a deterministic manner or uses the dedicated secret with higher priority than the combined one.
Steps to reproduce the bug
Version (include the output of
istioctl version --remote
andkubectl version --short
andhelm version
if you used Helm)1.7.4
How was Istio installed?
istioctl install with custom profile
Environment where bug was observed (cloud vendor, OS, etc)
Cluster created with Gardener on GCE
Additionally, please consider running
istioctl bug-report
and attach the generatedcluster-state tarball to this issue.
Refer cluster state archive
for more details.
The text was updated successfully, but these errors were encountered: