I can create a cert-manager 0.10 Certificate with DNS resolvers and I can see that the secret is ultimately created with the tls.key and tls.crt entries. If I export the secret and base64 decode it, I can see that it was issued by Let’s Encrypt Staging/Prod. However, cert-manager generates a temporary cert while the real cert is being fetched and SDS loads this cert. I can execute a
and see the cert returned from the istio-ingressgateway is cert-manager’s temporary cert, even though cert-manager has created/updated the secret which is in the same namespace as the istio-ingressgateway.
A workaround is to kill the istio-ingressgateway and then the SDS agent in the pod will pick up the correct credentials.
Any idea’s as to why this is or how I can debug what’s going on?