Issue with Istio 1.3.2 SDS not reloading tls cert and key

I can create a cert-manager 0.10 Certificate with DNS resolvers and I can see that the secret is ultimately created with the tls.key and tls.crt entries. If I export the secret and base64 decode it, I can see that it was issued by Let’s Encrypt Staging/Prod. However, cert-manager generates a temporary cert while the real cert is being fetched and SDS loads this cert. I can execute a

echo | openssl s_client -showcerts -servername foo.example.com -connect foo.example.com:443 2>/dev/null | openssl x509 -inform pem -noout -text

and see the cert returned from the istio-ingressgateway is cert-manager’s temporary cert, even though cert-manager has created/updated the secret which is in the same namespace as the istio-ingressgateway.

A workaround is to kill the istio-ingressgateway and then the SDS agent in the pod will pick up the correct credentials.

Any ideas as to why this is or how I can debug what’s going on?

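The post's diagnostic is to compare what the gateway serves with what the secret holds. The following script, an added example that is not part of the original post and not code from Istio or cert-manager, automates that comparison: it reads the leaf certificate out of the `tls.crt` entry of a `kubectl get secret -o json` document, connects to the gateway with SNI and fingerprints the leaf it presents, and reports a mismatch as "SDS has not reloaded". The namespace, secret name and host are assumptions taken from the command line; the embedded sample secret is constructed placeholder data, not a real certificate, and exists only so the parsing and comparison path can be exercised offline.

```python
"""Compare the leaf cert served by an Istio ingress gateway with the leaf
stored in the Kubernetes TLS secret that SDS should have loaded.

Added example, not from the original post or from Istio/cert-manager.
Assumes `kubectl` is on PATH and the caller may read the secret.
"""
import base64
import hashlib
import json
import re
import socket
import ssl
import subprocess
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_blocks(text):
    """Return DER bytes for every CERTIFICATE block in a PEM bundle, in order."""
    return [
        base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        for m in PEM_RE.finditer(text)
    ]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def leaf_fingerprint_from_secret(secret_json):
    """Fingerprint the first (leaf) block of tls.crt in a `kubectl get secret
    -o json` document. cert-manager writes the leaf first, then the chain."""
    data = json.loads(secret_json)["data"]
    pem = base64.b64decode(data["tls.crt"]).decode()
    blocks = pem_blocks(pem)
    if not blocks:
        raise ValueError("tls.crt contains no CERTIFICATE block")
    return fingerprint(blocks[0])


def leaf_fingerprint_from_gateway(host, port=443, sni=None):
    """TLS-connect with SNI and fingerprint the leaf the gateway presents.
    Verification is disabled deliberately: the point is to see whatever is
    served, including a cert-manager temporary cert no CA would accept."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint(der)


def sds_is_stale(secret_fp, served_fp):
    """True when the gateway is still serving something other than the secret."""
    return secret_fp != served_fp


def _pem(der):
    """Wrap raw bytes in PEM markers (used only for the constructed sample)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample secret: placeholder byte strings, not real certificates,
# laid out the way cert-manager writes tls.crt (leaf first, then chain).
SAMPLE_LEAF_DER = b"constructed leaf certificate bytes"
SAMPLE_CHAIN_DER = b"constructed intermediate certificate bytes"
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "data": {
        "tls.crt": base64.b64encode(
            (_pem(SAMPLE_LEAF_DER) + _pem(SAMPLE_CHAIN_DER)).encode()).decode(),
        "tls.key": base64.b64encode(b"constructed key placeholder").decode(),
    },
})


if __name__ == "__main__":
    # usage: python sds_check.py <namespace> <secret> <host> [sni]
    ns, name, host = sys.argv[1:4]
    sni = sys.argv[4] if len(sys.argv) > 4 else host
    secret_doc = subprocess.run(
        ["kubectl", "-n", ns, "get", "secret", name, "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    want = leaf_fingerprint_from_secret(secret_doc)
    got = leaf_fingerprint_from_gateway(host, sni=sni)
    print("secret :", want)
    print("served :", got)
    print("STALE: gateway has not reloaded the secret" if sds_is_stale(want, got)
          else "OK: gateway serves the secret's leaf")
```

Run it against the gateway hostname and the namespace/secret named in the Certificate; a STALE result with a fresh secret is the symptom described above, and re-running after the workaround (restarting istio-ingressgateway) should flip it to OK. Only the secret-parsing and comparison functions are exercised offline; the live connection needs a reachable gateway.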