Galley throw certificate error


#1

kubectl replace -f /tmp/kubectl-edit-b4zwn.yaml
Error from server (InternalError): error when replacing "/tmp/kubectl-edit-b4zwn.yaml": Internal error occurred: failed calling admission webhook "pilot.validation.istio.io": Post https://istio-galley.istio-next.svc:443/admitpilot?timeout=30s: x509: certificate signed by unknown authority

We have three clusters of Istio running with the exact same setup. One of our clusters recently started throwing this error message. I double-checked the secret that gets mounted into the galley pod and it seems to be correct.

I also checked the Citadel logs and restarted it, and the problem still exists.

What are the next steps that I can do to fix this issue?


#2

Hi Huy,
I got this error recently; it is due to a missing authorization on the Galley ClusterRole. You should update the ClusterRole to the latest version to fix it:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: istio-galley-istio-system
  labels:
    app: istio-galley
    chart: galley-1.0.4
    heritage: Tiller
    release: istio
rules:
## old  rules
# - apiGroups: ["admissionregistration.k8s.io"]
#   resources: ["validatingwebhookconfigurations"]
#   verbs: ["*"]
# - apiGroups: ["config.istio.io"] # istio mixer CRD watcher
#   resources: ["*"]
#   verbs: ["get", "list", "watch"]
# - apiGroups: ["*"]
#   resources: ["deployments"]
#   resourceNames: ["istio-galley"]
#   verbs: ["get"]
# - apiGroups: ["*"]
#   resources: ["endpoints"]
#   resourceNames: ["istio-galley"]
#   verbs: ["get"]

# new rules
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  verbs: ["*"]
- apiGroups: ["config.istio.io"] # istio mixer CRD watcher
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["deployments"]
  resourceNames: ["istio-galley"]
  verbs: ["get"]
- apiGroups: ["*"]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources: ["deployments/finalizers"]
  resourceNames: ["istio-galley"]
  verbs: ["update"]
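Before replacing a ClusterRole on a live cluster it is worth knowing exactly which grants the currently bound role lacks, so the change can be reviewed as a least-privilege delta rather than applied blindly. The script below is an added example, not part of this thread or of the Istio project: it encodes the old and new rule lists from the answer above as Python literals (so it runs without a YAML parser or a cluster), applies Kubernetes RBAC matching semantics (`*` wildcards, and a `resourceNames` list restricting a rule to the named objects only), and reports every (apiGroup, resource, verb, resourceName) the new role grants that the old one does not.

```python
from typing import Dict, List, Tuple

# A rule is the dict form of one entry under `rules:` in a ClusterRole.
Rule = Dict[str, List[str]]
# One concrete grant: (apiGroup, resource, verb, resourceName); "" = any name.
Grant = Tuple[str, str, str, str]

# Old rules, transcribed from the commented-out block in the answer above.
OLD_RULES: List[Rule] = [
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"], "verbs": ["*"]},
    {"apiGroups": ["config.istio.io"], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["*"], "resources": ["deployments"],
     "resourceNames": ["istio-galley"], "verbs": ["get"]},
    {"apiGroups": ["*"], "resources": ["endpoints"],
     "resourceNames": ["istio-galley"], "verbs": ["get"]},
]

# New rules, transcribed from the "new rules" block in the answer above.
NEW_RULES: List[Rule] = [
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"], "verbs": ["*"]},
    {"apiGroups": ["config.istio.io"], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.istio.io"], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["authentication.istio.io"], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["rbac.istio.io"], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["*"], "resources": ["deployments"],
     "resourceNames": ["istio-galley"], "verbs": ["get"]},
    {"apiGroups": ["*"], "resources": ["endpoints"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["deployments/finalizers"],
     "resourceNames": ["istio-galley"], "verbs": ["update"]},
]


def _matches(allowed: List[str], wanted: str) -> bool:
    """RBAC list matching: a literal '*' entry covers everything."""
    return "*" in allowed or wanted in allowed


def rule_grants(rule: Rule, group: str, resource: str, verb: str,
                name: str = "") -> bool:
    """True if a single rule authorises the request.

    A rule carrying resourceNames only covers those named objects, so it can
    never satisfy a request that applies to all objects (name == "").
    """
    names = rule.get("resourceNames", [])
    if names and name not in names:
        return False
    return (_matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def expand(rules: List[Rule]) -> List[Grant]:
    """Flatten a rule list into the concrete grants it expresses."""
    grants: List[Grant] = []
    for rule in rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in rule["verbs"]:
                    for name in rule.get("resourceNames", [""]):
                        grants.append((group, resource, verb, name))
    return grants


def missing_grants(have: List[Rule], need: List[Rule]) -> List[Grant]:
    """Grants expressed by `need` that no rule in `have` authorises."""
    return sorted(g for g in expand(need)
                  if not any(rule_grants(r, *g) for r in have))


if __name__ == "__main__":
    for group, resource, verb, name in missing_grants(OLD_RULES, NEW_RULES):
        scope = f" (resourceName={name})" if name else ""
        print(f"missing: {verb:6} {group}/{resource}{scope}")
```

Running it shows, for instance, that the old role only allowed `get` on the single `istio-galley` Endpoints object while the new one needs `list`/`watch` on all Endpoints, and that the three `*.istio.io` watcher groups plus the finalizer `update` are entirely new. The same function works against a role pulled from a cluster once its `rules` list is loaded into the same dict shape.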