We are currently running Istio v1.0.4 on our Kubernetes cluster and recently had an issue whenever we tried to deploy new charts via Helm:
Error: release aged-bumblebee failed: Internal error occurred: failed calling admission webhook “pilot.validation.istio.io”: Post …/admitpilot?timeout=30s: x509: certificate has expired or is not yet valid
I assume(!) it was because the certificate generated by Citadel expired, since the istio-ca-secret was older than 1y:

```
NAME              TYPE               DATA   AGE
istio-ca-secret   istio.io/ca-root   2      1y
```
In order to solve the problem I removed Istio and redeployed the chart (yeah - I was desperate). But the error still occurred. I finally ended up removing the istio-ca-secret (which obviously doesn’t get removed when removing the chart), causing Citadel to recreate the istio-ca-secret.
Now my questions are:
- Are my assumptions correct?
- If yes, shouldn’t there be something like an automatic certificate renewal process offered by Istio?
Thanks in advance.
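
One way to test the expiry assumption in the post above is to read the validity end date of the CA certificate held in istio-ca-secret instead of inferring it from the secret's age. This is an added example, not part of the original post or Istio's own tooling; the namespace `istio-system`, the data key `ca-cert.pem`, and all function names are assumptions, and the sample certificate is constructed locally.

```shell
#!/bin/sh
# Added example. Assumptions: namespace "istio-system" and data key
# "ca-cert.pem" inside istio-ca-secret; adjust both to your install.

# Print the CA certificate stored in the secret as PEM (needs cluster access).
fetch_ca_cert() {
    kubectl -n "${1:-istio-system}" get secret istio-ca-secret \
        -o 'jsonpath={.data.ca-cert\.pem}' | base64 -d
}

# Print the notAfter date of the PEM certificate in file $1.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Return 0 if the certificate in file $1 is expired or expires within $2 days.
# An unreadable file also returns 0, so a broken input is never reported as OK.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1   # still valid after the window
    fi
    return 0
}

# Constructed sample input: a throwaway self-signed certificate valid for $2
# days, written to file $1, so the check can be tried without a cluster.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-sample-ca" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# Report on one certificate file; the warning window defaults to 30 days.
report() {
    if expires_within "$1" "${2:-30}"; then
        echo "WARN: $1 expired or expires within ${2:-30} days ($(cert_not_after "$1"))"
    else
        echo "OK: $1 valid until $(cert_not_after "$1")"
    fi
}

# Against a cluster:
#   fetch_ca_cert > ca-cert.pem && report ca-cert.pem 30
```

Running `report` on a schedule gives advance notice of the expiry rather than a failed admission webhook call.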