I’m using Istio 1.5.3.
I’m trying to set up secure communication with mesh-external resources, for which I need to import my own caCertificates to use in the DestinationRule:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-host-name
spec:
  host: my.host.name
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 9443
      tls:
        caCertificates: /etc/istio/egressgateway-ca-certs/CA-CERTS.pem
        mode: SIMPLE
```
I understand that the file /etc/istio/egressgateway-ca-certs/CA-CERTS.pem needs to be mounted to the sidecar proxy from which the egress traffic originates. This can be done either with annotations in the deployment spec, or apparently by using a dedicated egress gateway and using the egressgateway-ca-certs secret.
Now, here is the problem: The cluster is scaled down every night, and upon scaling up in the morning the Istio Sidecars of almost all pods fail to start with the following error:
```
Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 6 rejected; lds updates: 5 successful, 0 rejected
```
This seems to affect those pods that do NOT have that /etc/istio/egressgateway-ca-certs/CA-CERTS.pem file available in their sidecar. Those that do start up just fine, and if I remove the caCertificates line from the DestinationRule, then all the others start up too.
It kinda does make sense - those pods would not be able to perform what is required by that destination rule. However, they would never be required to do it, as the egress traffic won’t happen from them.
Do I really have to mount the caCertificates that are used by the egress of only one specific pod to ALL Istio sidecars of all pods in the mesh (even in all namespaces!), even though it is just for egress from one specific pod? Is there some better solution?
Thanks a lot in advance!
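Editor's note, added to this post and not the poster's own configuration: the behaviour described above follows from the fact that a DestinationRule is, by default, exported to every namespace (`exportTo: ["*"]`), so every sidecar in the mesh receives a cluster that references a CA file it does not have. One way to limit the blast radius is to keep the TLS-originating rule in the namespace where the egress gateway runs and set `exportTo: ["."]`, so only proxies in that namespace ever see it. The manifest below illustrates that scoping; the host `my.host.name`, port `9443`, the namespace `egress`, and the assumption that only the egress gateway (with the `egressgateway-ca-certs` secret mounted) runs in that namespace are all illustrative assumptions, and the client-side VirtualService that routes pod traffic to the egress gateway is the same as in the Istio egress gateway documentation and is not repeated here.

```yaml
# Added example, not from the original post. Assumption: the namespace
# "egress" contains only the egress gateway deployment, which has the
# egressgateway-ca-certs secret mounted at /etc/istio/egressgateway-ca-certs.
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: my-host-name
  namespace: egress
spec:
  hosts:
  - my.host.name        # assumed external host from the question
  ports:
  - number: 9443
    name: tls
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
  # Restrict the ServiceEntry to this namespace as well; the egress gateway
  # is the only workload that needs to resolve the host directly.
  exportTo:
  - "."
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls-for-my-host-name
  namespace: egress
spec:
  host: my.host.name
  # Only proxies in the "egress" namespace receive this rule, so sidecars
  # elsewhere never get a cluster referencing the CA file they lack.
  exportTo:
  - "."
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 9443
      tls:
        mode: SIMPLE
        # Path inside the egress gateway pod (egressgateway-ca-certs secret).
        caCertificates: /etc/istio/egressgateway-ca-certs/CA-CERTS.pem
```

Two caveats a practitioner should check before relying on this. First, `exportTo` scopes by namespace, not by workload: every proxy in the `egress` namespace, including any other gateway deployed there, still receives the rule and must have the CA file mounted, which is why the example assumes the namespace holds only the egress gateway. Second, the effect can be verified per pod with `istioctl proxy-config cluster <pod>.<namespace> --fqdn my.host.name`: a sidecar outside the `egress` namespace should list no cluster for the host, and its proxy should come up ready even though the CA file is absent.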