New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reapplying istio-demo.yml causes cert errors in injector #6069
Comments
This is more like a kubernetes issue, how did you change your YAML template? A diff would be helpful between |
It happens without any change. Steps to reproduce:
Then deploy in a namespace with
no pods get scheduled. |
/cc @ayj |
The MutatingWebhookConfiguration in istio.yaml includes an empty
|
just for clarity, this issue isn't unique to the demo example. We're seeing the same issue on 0.8 using the helm template install. Restarting the injector pod does resolve the problem for me. |
I just hit this as well on the 0.8 release. Oddly though it took a couple injector pod restarts to patch the ca and there wasn't anything telling in the injector pod logs about it failing to patch. If it happens again I'll collect more info. |
Hi, I believe I just experienced this with 1.3.1. I generated manifests using the Helm charts and installed Istio-init, Istio-Cni, and Istio in my cluster. After everything has been applied, the
after I restart the sidecar injector pod I can see that the As a bit of context, I install Istio-init, Istio-Cni, and Istio manifests using Anthos Config Management so I don't have any control of the order in which they are applied. Could this be a chicken/egg problem? |
The oneliner
kubectl apply -f istio-demo.yml
is useful, but when I make a modification and reapply it, the sidecar injector stops working and throws a lot ofremote error: tls: bad certificate
errors.I think yamls should be idempotent.
Any idea how to solve this?
The text was updated successfully, but these errors were encountered: