Issue with Istio 1.3.2 SDS not reloading tls cert and key

wbeckwith · October 18, 2019, 7:49am

I can create a cert-manager 0.10 Certificate with DNS resolvers and I can see that the secret is ultimately created with the tls.key and tls.crt entries. If I export the secret and base64 decode it, I can see that it was issued by Let’s Encrypt Staging/Prod. However, cert-manager generates a temporary cert while the real cert is being fetched and SDS loads this cert. I can execute a

echo | openssl s_client -showcerts -servername foo.example.com -connect foo.example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

and see the cert returned from the istio-ingressgateway is cert-manager’s temporary cert, even though cert-manager has created/updated the secret which is in the same namespace as the istio-ingressgateway.

A workaround is to kill the istio-ingressgateway and then the SDS agent in the pod will pick up the correct credentials.

Any idea’s as to why this is or how I can debug what’s going on?

JimmyChen · December 3, 2019, 10:31pm

There was an issue with Ingress SDS and the fix is in 1.3.5.
If the ingress-sds container has log like this 2019-09-26T12:41:12.701283Z warn secretFetcherLog unexpected server key/cert change in secret application-connector-certs, then you hit the same issue. You can upgrade to 1.3.5 in that case.
More context is here https://github.com/istio/istio/issues/17409.

Topic		Replies	Views
Istio Gateway with CertManager and Let's Encrypt	9	1825	July 13, 2019
Renew certificates Security	5	3023	August 10, 2020
TLS SDS/credentialName not working with Ingress Gateway Security	9	9546	March 15, 2021
Istio + SDS + cert-manager (Let's Encrypt) Networking	3	3291	June 27, 2019
Using Gateway + VirtualService + http01 + SDS Security	10	6586	April 30, 2021

Issue with Istio 1.3.2 SDS not reloading tls cert and key

Related topics