Failed to read cacert from credentialName in Gateway

Istio version: 1.5.2
Kubernetes version: 1.17.4

We followed the steps at https://archive.istio.io/v1.5/pt-br/docs/tasks/traffic-management/ingress/secure-ingress-sds/ for configuring a mutual TLS ingress gateway, and for certificate and secret creation.

We created the following secrets:

kubectl create -n istio-system secret generic prometheus-gateway \
  --from-file=key=prometheus.example.com/3_application/private/prometheus.example.com.key.pem \
  --from-file=cert=prometheus.example.com/3_application/certs/prometheus.example.com.cert.pem

kubectl create -n istio-system secret generic prometheus-gateway-cacert \
  --from-file=cacert=prometheus.example.com/2_intermediate/certs/ca-chain.cert.pem

kubectl get secrets -n istio-system | grep -i prometheus-gateway
prometheus-gateway Opaque 2 36m
prometheus-gateway-cacert Opaque 1 35m

Istio ingress logs for container "ingress-sds":
2020-06-03T06:48:11.354246Z info transport: loopyWriter.run returning. connection error: desc = "transport is closing"
2020-06-03T06:48:11.354460Z info sds node:router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local-2 resource:prometheus-gateway-cacert connection is terminated: rpc error: code = Canceled desc = context canceled
2020-06-03T06:48:11.354461Z info sds Received empty resource name from "router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local". No need to respond
2020-06-03T06:48:11.354560Z error sds Remote side closed connection
2020-06-03T06:48:11.354558Z info sds Received empty resource name from "router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local". No need to respond
2020-06-03T06:48:11.354711Z info sds node:router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local-1 resource:prometheus-gateway connection is terminated: rpc error: code = Canceled desc = context canceled
2020-06-03T06:48:11.354742Z error sds Remote side closed connection
2020-06-03T06:48:11.963226Z info sds node:router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local-3 resource:prometheus-gateway new connection
2020-06-03T06:48:11.964213Z info sds node:router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local-4 resource:prometheus-gateway-cacert new connection
2020-06-03T06:48:11.971390Z info secretfetcher Return secret prometheus-gateway found by direct api call
2020-06-03T06:48:11.971832Z info secretfetcher Fail to extract secret prometheus-gateway-cacert found by direct api call
2020-06-03T06:48:11.971851Z warn secretfetcher Cannot find secret prometheus-gateway-cacert, searching for fallback secret gateway-fallback
2020-06-03T06:48:11.971857Z error secretfetcher cannot find secret prometheus-gateway-cacert and cannot find fallback secret gateway-fallback
2020-06-03T06:48:11.971865Z warn cache node:router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local-4 resource:prometheus-gateway-cacert SecretFetcher cannot find secret prometheus-gateway-cacert from cache
2020-06-03T06:48:11.971872Z warn sds node:router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local-4 resource:prometheus-gateway-cacert waiting for ingress gateway secret for proxy "router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local"

2020-06-03T06:48:11.979164Z info secretfetcher Return secret prometheus-gateway found by direct api call
2020-06-03T06:48:11.979339Z info sds node:router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local-3 resource:prometheus-gateway pushed key/cert pair to proxy
2020-06-03T06:48:11.979359Z info sds node:router~192.168.1.80~istio-ingressgateway-7c648db8b-dzb72.istio-system~istio-system.svc.cluster.local-3 resource:prometheus-gateway pushed secret

Hi

In this (https://archive.istio.io/v1.5/pt-br/docs/tasks/traffic-management/ingress/secure-ingress-sds/) it is mentioned:

The secret name should not begin with istio or prometheus, and the secret should not contain a token field.

Maybe this is the problem, because you have 2 secrets, prometheus-gateway and prometheus-gateway-cacert, with names starting with prometheus.

Thank you @Shubham … the above errors are gone.
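
A pre-flight check for the naming rule quoted in the answer, as an added example that is not part of the original thread or of Istio: it reads output in the shape of `kubectl get secrets -n istio-system -o json` and reports gateway secrets that break the rule or lack the expected data keys. The function name, the sample JSON and the `monitoring-gateway` name are constructed for illustration; the required data keys are taken from the kubectl commands in the question.

```python
import json

# Name prefixes the Istio 1.5 task quoted in the answer says to avoid.
RESERVED_PREFIXES = ("istio", "prometheus")
# Data keys from the kubectl commands in the question, per secret suffix.
REQUIRED_KEYS = {"": {"key", "cert"}, "-cacert": {"cacert"}}

# Constructed sample in the shape of `kubectl get secrets -o json`;
# "monitoring-gateway" is a hypothetical compliant name.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "prometheus-gateway"},
     "data": {"key": "<base64>", "cert": "<base64>"}},
    {"metadata": {"name": "prometheus-gateway-cacert"},
     "data": {"cacert": "<base64>"}},
    {"metadata": {"name": "monitoring-gateway"},
     "data": {"key": "<base64>", "cert": "<base64>"}},
    {"metadata": {"name": "monitoring-gateway-cacert"},
     "data": {"cacert": "<base64>"}},
]})


def check_gateway_secrets(secret_list_json, credential_name):
    """Return findings for credential_name and its companion -cacert secret."""
    items = json.loads(secret_list_json).get("items", [])
    by_name = {s["metadata"]["name"]: s for s in items}
    findings = []
    for suffix, required in REQUIRED_KEYS.items():
        name = credential_name + suffix
        secret = by_name.get(name)
        if secret is None:
            findings.append(f"{name}: secret not found")
            continue
        data_keys = set(secret.get("data") or {})
        if name.startswith(RESERVED_PREFIXES):
            findings.append(f"{name}: name begins with a reserved prefix")
        if "token" in data_keys:
            findings.append(f"{name}: contains a token field")
        missing = required - data_keys
        if missing:
            findings.append(f"{name}: missing data keys {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for cred in ("prometheus-gateway", "monitoring-gateway"):
        print(cred, check_gateway_secrets(SAMPLE, cred) or "OK")
```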