Working with Istio 1.10.3. I see this issue happening again. I restarted every possible artifact, and yet it keeps giving the same error. Details here:
– Gateway –
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: internal-ingress-gateway
  namespace: default
spec:
  selector:
    istio: internal-ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: internal-gkegatewaysecret
    hosts:
    - "*"
Here is the secret (redacted):
Name:         internal-gkegatewaysecret
Namespace:    istio-system
Labels:       app.kubernetes.io/instance=istio-certs
Annotations:  argocd.argoproj.io/sync-wave: -15
              cert-manager.io/alt-names:
                internal-non-prod.digital-subscription-qa.cvs.com,internal-sit1.digital-subscription-qa.cvs.com,internal-sit2.digital-subscription-qa.cvs.com,internal-argocd-np.digital-subsc...
              cert-manager.io/certificate-name: internal-gkegatewaysecret
              cert-manager.io/common-name: internal-non-prod.digital-subscription-qa.cvs.com
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: tpp-venafi-issuer
              cert-manager.io/uri-sans:

Type:  Opaque

Data
====
ca.crt:   1338 bytes
cert:     6677 bytes
key:      1679 bytes
tls.crt:  4444 bytes
tls.key:  1679 bytes
Now, this gateway was earlier associated with a different, old cert, and even after the change the old cert keeps being associated. This is completely screwing up our calls to the services exposed via this gateway, as the TLS error occurs because the host names do not match, e.g. as below:

  POST https://internal-sit1.digital-subscription-qa.cvs.com/status
  Error: Hostname/IP does not match certificate's altnames: Host: internal-sit1.digital-subscription-qa.cvs.com. is not in the cert's altnames: DNS:dev1.digital-subscription-dev.cvs.com

Any help, please?
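A way to pin down which certificate the gateway is really serving, as an added diagnostic script that is not part of the original post. It assumes kubectl, istioctl and openssl are on the PATH and that the internal ingress gateway pod runs in istio-system with the label istio=internal-ingressgateway (Istio resolves a server's credentialName in the namespace of the ingress gateway pod, not in the namespace of the Gateway resource, so the secret living in istio-system while the Gateway sits in default is expected). The hostnames and secret name come from the post. Two checks a practitioner would want are built in: the secret above carries both a cert/key pair and a tls.crt/tls.key pair of different sizes, and Istio accepts either form, so the script prints the SANs of both so they can be compared with what Envoy presents for the SNI; and the san_covers helper performs the hostname-versus-SAN comparison the client error is about, including the trailing-dot hostname form seen in that error and single-label wildcards. If the pod lookup by label returns nothing, the Gateway's selector does not match the running gateway pods, which is itself a finding.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Assumes kubectl, istioctl, openssl
# on PATH and an ingress gateway pod labelled istio=internal-ingressgateway in istio-system.

# SANs of the leaf certificate Envoy presents for a given SNI (live check, needs network).
served_sans() { # $1 = address host:port, $2 = SNI / expected hostname
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName | tail -n +2 | sed 's/^[[:space:]]*//'
}

# SANs of the certificate stored under one data key of the Secret the Gateway references.
secret_sans() { # $1 = secret name, $2 = namespace of the gateway *pod*, $3 = data key (cert or tls.crt)
  key=$(printf '%s' "$3" | sed 's/\./\\./g')   # jsonpath needs "tls\.crt"
  kubectl -n "$2" get secret "$1" -o "jsonpath={.data.$key}" \
    | base64 -d | openssl x509 -noout -ext subjectAltName | tail -n +2 | sed 's/^[[:space:]]*//'
}

# Secrets the gateway's Envoy actually received over SDS.
loaded_secrets() { # $1 = gateway pod name, $2 = its namespace
  istioctl proxy-config secret "$1" -n "$2"
}

# Pure-shell check: does a SAN list as openssl prints it ("DNS:a, DNS:b, IP Address:...")
# cover a hostname? Trailing dot and case are ignored; "*.x" matches exactly one label.
# Returns 0 when covered, 1 otherwise.
san_covers() { # $1 = hostname, $2 = SAN list
  host=$(printf '%s' "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]')
  found=1
  oldifs=$IFS; IFS=','; set -f      # split on commas only, no globbing of "*."
  for entry in $2; do
    case "$entry" in *DNS:*) ;; *) continue ;; esac   # skip IP:, URI:, email: entries
    name=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^DNS://' \
      | tr '[:upper:]' '[:lower:]')
    if [ "$name" = "$host" ]; then found=0; break; fi
    case "$name" in
      '*.'*) case "$host" in
               *.*) [ "${host#*.}" = "${name#\*.}" ] && { found=0; break; } ;;
             esac ;;
    esac
  done
  IFS=$oldifs; set +f
  return $found
}

# Put the three views side by side for one hostname.
diagnose() { # $1 = address host:port, $2 = hostname, $3 = secret name, $4 = gateway pod namespace
  served=$(served_sans "$1" "$2")
  echo "served SANs for SNI $2: $served"
  if san_covers "$2" "$served"; then
    echo "OK: served certificate covers $2"
  else
    echo "MISMATCH: served certificate does not cover $2"
  fi
  for k in tls.crt cert; do
    echo "Secret $4/$3 key $k SANs: $(secret_sans "$3" "$4" "$k")"
  done
  pod=$(kubectl -n "$4" get pod -l istio=internal-ingressgateway \
        -o jsonpath='{.items[0].metadata.name}')
  echo "secrets loaded via SDS by pod '$pod':"
  loaded_secrets "$pod" "$4"
}

# Example invocation (assumes the gateway is reachable directly on :443):
# diagnose internal-sit1.digital-subscription-qa.cvs.com:443 \
#   internal-sit1.digital-subscription-qa.cvs.com internal-gkegatewaysecret istio-system
```

If the served SANs match the old dev1 certificate while both secret keys show the new alt-names, the secret is fine and the problem is which secret Envoy loaded; the SDS listing then shows whether internal-gkegatewaysecret is present at all, and whether another Gateway selecting the same pods on port 443 with hosts "*" is supplying a different credentialName. If instead the tls.crt and cert keys disagree, the two copies in the secret are out of step with each other.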