pod communication is broken when specifying multiple root certs in mesh config #31987
Comments
@shankgan I suppose we should support defining multiple. Below is a log snippet from the httpbin pod:
After the fix for duplicate certificates in #32032 it fails with the error below:
This seems to be caused by the multi root we set in. @shankgan what is the expected usage method for multi root? Any specific requirements for the root certs we defined in mesh config? Thanks.
@myidpt @howardjohn @hzxuzhonghu ^^^ in case you have some thoughts for this, thanks.
I wish we would provide an integration test for this feature.
@hzxuzhonghu - already did add an integration test. However, that adds only one additional root (ca_custom_root). It appears in this case there is some padding mismatch in what the x509 library supports vs what Envoy supports. Will add this as an additional test.
@shankgan this is the ROOTCA I decoded from the pod:
I tested a very similar config (derived from your config) and it worked for me. Note that the latest builds require you to explicitly enable the feature using flags in IstioOperator.
Following the code given in this example, I created pods in two different namespaces and ensured communication between them works.
@shankgan Have you plugged in a cert before you install Istio? (https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/). Then, using the above cert in mesh config, you will get the pod communication broken issue. If you use self-signed CA certs for Istio, it works fine.
Tried with plugin CA certs. Pod-to-pod communication appears to work just fine. The CA certs below contain the plugin CA cert. @irisdingbj - I wonder if there is some misconfiguration of your meshConfig. Perhaps an indent that is incorrect or a LACK of a newline char?
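The comment above suspects a formatting slip in the root bundle (a wrong indent, a missing newline) rather than a defect in multi-root support, an earlier comment mentions that the x509 library and Envoy do not accept exactly the same input, and the fix referenced as #32032 dealt with duplicate certificates. The following is an added example, not code from this issue or from Istio: a small Go linter that runs those checks over a PEM bundle before it is pasted into the mesh config (I assume the field meant in the thread is meshConfig.caCertificates[].pem; the thread does not name it). It generates constructed sample roots at run time so it runs offline, and it shows what Go's encoding/pem does with each slip: an END line fused onto the next BEGIN line, or lines that carry leading spaces, leave text that cannot be placed in any block, while a bundle with no trailing newline is still parsed and is only caught by the explicit check. The scenario names, finding codes and certificate subjects are all invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one problem detected in a PEM root bundle.
type Finding struct{ Code, Detail string }

// CheckBundle lints a PEM bundle of root CAs before it goes into a mesh-wide trust config: slips
// that make encoding/pem silently drop roots, duplicate roots, and blocks that are not self-signed CAs.
func CheckBundle(bundle string) []Finding {
	var out []Finding
	if !strings.HasSuffix(bundle, "\n") {
		out = append(out, Finding{"NO_TRAILING_NEWLINE", "bundle does not end with a newline"})
	}
	seen := map[string]int{} // raw DER -> block index where it last appeared
	rest, n := []byte(bundle), 0
	for {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break // no further well-formed BEGIN/END pair; rest is what could not be parsed
		}
		n++
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			out = append(out, Finding{"BAD_DER", fmt.Sprintf("block %d (%s): %v", n, block.Type, err)})
			continue
		}
		cn := cert.Subject.CommonName
		if prev, dup := seen[string(cert.Raw)]; dup {
			out = append(out, Finding{"DUPLICATE", fmt.Sprintf("block %d repeats block %d (%s)", n, prev, cn)})
		}
		seen[string(cert.Raw)] = n
		// A root must be a CA certificate that validly signs itself.
		if cert.CheckSignatureFrom(cert) != nil {
			out = append(out, Finding{"NOT_SELF_SIGNED_CA", fmt.Sprintf("block %d (%s) is not a self-signed CA", n, cn)})
		}
	}
	if tail := strings.TrimSpace(string(rest)); tail != "" {
		out = append(out, Finding{"UNPARSED_TAIL", fmt.Sprintf("%d bytes not recognised as PEM (indented lines or a missing newline between blocks?)", len(tail))})
	}
	if n == 0 {
		out = append(out, Finding{"NO_CERTIFICATES", "no PEM certificate block could be parsed"})
	}
	return out
}

// newSelfSignedPEM builds a throwaway self-signed certificate (constructed sample data, not a real Istio root).
func newSelfSignedPEM(cn string, isCA bool) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// Constructed sample certificates, generated fresh on every run.
var rootA = newSelfSignedPEM("Constructed Root A", true)
var rootB = newSelfSignedPEM("Constructed Root B", true)
var leaf = newSelfSignedPEM("Constructed Leaf", false)

// GoodBundle is what the trust store should receive; each other scenario reproduces one slip.
func GoodBundle() string              { return rootA + rootB }
func DuplicateBundle() string         { return rootA + rootB + rootA }
func NoTrailingNewlineBundle() string { return strings.TrimSuffix(rootA, "\n") }
func FusedBundle() string             { return strings.TrimSuffix(rootA, "\n") + rootB } // END and BEGIN share a line
func LeafBundle() string              { return rootA + leaf }
func IndentedBundle() string { // every line indented, as a mis-indented YAML block scalar leaves it
	return "  " + strings.ReplaceAll(strings.TrimSuffix(rootA, "\n"), "\n", "\n  ") + "\n"
}

func main() {
	for name, b := range map[string]string{"good": GoodBundle(), "duplicate": DuplicateBundle(), "leaf": LeafBundle(),
		"no-trailing-newline": NoTrailingNewlineBundle(), "fused": FusedBundle(), "indented": IndentedBundle()} {
		fmt.Printf("%-20s %+v\n", name, CheckBundle(b))
	}
}
```

Run it with `go run .` to see one line per scenario. The useful property is that a bundle which this Go-side check accepts without findings contains only distinct, self-signed CA certificates in cleanly delimited blocks, which removes the formatting explanations before anyone starts comparing what the Go x509 library and Envoy each tolerate.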
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2021-04-16. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager.
Plug in a CA cert as described at https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/
Use the IOP file below to install Istio:
Deploy httpbin and sleep into the same namespace ns1 with auto sidecar injection. sleep fails to call httpbin with the error below: