Hi,
I am installing Istio into EKS (version 1.25) using istioctl.
The Istio ingress gateway is not able to generate certificates for workloads.
Istioctl version: 1.17.2
The following command was used to install Istio:
istioctl install --set profile=default --set values.gateways.istio-ingressgateway.type=NodePort --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY --set meshConfig.accessLogFile=/dev/stdout -y
The result is as follows:
NAME READY STATUS RESTARTS AGE
pod/istio-ingressgateway-6974766b9c-hsvwx 0/1 Running 0 24s
pod/istiod-5987b4bb4f-q8jmg 1/1 Running 0 31s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/istio-ingressgateway NodePort 10.100.74.167 <none> 15021:31023/TCP,80:30393/TCP,443:30612/TCP 23s
service/istiod ClusterIP 10.100.174.121 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 31s
While debugging pod/istio-ingressgateway-6974766b9c-hsvwx, I found the following logs:
k logs pod/istio-ingressgateway-6974766b9c-hsvwx -n istio-system
2023-04-13T00:55:55.756197Z info FLAG: --concurrency="0"
2023-04-13T00:55:55.756227Z info FLAG: --domain="istio-system.svc.cluster.local"
2023-04-13T00:55:55.756235Z info FLAG: --help="false"
2023-04-13T00:55:55.756242Z info FLAG: --log_as_json="false"
2023-04-13T00:55:55.756247Z info FLAG: --log_caller=""
2023-04-13T00:55:55.756251Z info FLAG: --log_output_level="default:info"
2023-04-13T00:55:55.756255Z info FLAG: --log_rotate=""
2023-04-13T00:55:55.756260Z info FLAG: --log_rotate_max_age="30"
2023-04-13T00:55:55.756264Z info FLAG: --log_rotate_max_backups="1000"
2023-04-13T00:55:55.756269Z info FLAG: --log_rotate_max_size="104857600"
2023-04-13T00:55:55.756273Z info FLAG: --log_stacktrace_level="default:none"
2023-04-13T00:55:55.756283Z info FLAG: --log_target="[stdout]"
2023-04-13T00:55:55.756288Z info FLAG: --meshConfig="./etc/istio/config/mesh"
2023-04-13T00:55:55.756292Z info FLAG: --outlierLogPath=""
2023-04-13T00:55:55.756296Z info FLAG: --proxyComponentLogLevel="misc:error"
2023-04-13T00:55:55.756301Z info FLAG: --proxyLogLevel="warning"
2023-04-13T00:55:55.756306Z info FLAG: --serviceCluster="istio-proxy"
2023-04-13T00:55:55.756310Z info FLAG: --stsPort="0"
2023-04-13T00:55:55.756314Z info FLAG: --templateFile=""
2023-04-13T00:55:55.756319Z info FLAG: --tokenManagerPlugin="GoogleTokenExchange"
2023-04-13T00:55:55.756329Z info FLAG: --vklog="0"
2023-04-13T00:55:55.756339Z info Version 1.17.2-3e857775086a061d12ee445f32a0b35ea17c8488-Clean
2023-04-13T00:55:55.758269Z info Maximum file descriptors (ulimit -n): 1048576
2023-04-13T00:55:55.758420Z info Proxy role ips=[172.10.2.107] type=router id=istio-ingressgateway-6974766b9c-hsvwx.istio-system domain=istio-system.svc.cluster.local
2023-04-13T00:55:55.758492Z info Apply mesh config from file accessLogFile: /dev/stdout
defaultConfig:
  discoveryAddress: istiod.istio-system.svc:15012
  proxyMetadata: {}
  tracing:
    zipkin:
      address: zipkin.istio-system:9411
enablePrometheusMerge: true
outboundTrafficPolicy:
  mode: ALLOW_ANY
rootNamespace: istio-system
trustDomain: cluster.local
2023-04-13T00:55:55.760713Z info Effective config: binaryPath: /usr/local/bin/envoy
configPath: ./etc/istio/proxy
controlPlaneAuthPolicy: MUTUAL_TLS
discoveryAddress: istiod.istio-system.svc:15012
drainDuration: 45s
proxyAdminPort: 15000
serviceCluster: istio-proxy
statNameLength: 189
statusPort: 15020
terminationDrainDuration: 5s
tracing:
  zipkin:
    address: zipkin.istio-system:9411
2023-04-13T00:55:55.760726Z info JWT policy is third-party-jwt
2023-04-13T00:55:55.760731Z info using credential fetcher of JWT type in cluster.local trust domain
2023-04-13T00:55:55.762825Z info Opening status port 15020
2023-04-13T00:55:55.763109Z info Workload SDS socket not found. Starting Istio SDS Server
2023-04-13T00:55:55.763143Z info CA Endpoint istiod.istio-system.svc:15012, provider Citadel
2023-04-13T00:55:55.763164Z info Using CA istiod.istio-system.svc:15012 cert with certs: var/run/secrets/istio/root-cert.pem
2023-04-13T00:55:55.780133Z info ads All caches have been synced up in 27.014779ms, marking server ready
2023-04-13T00:55:55.780420Z info xdsproxy Initializing with upstream address "istiod.istio-system.svc:15012" and cluster "Kubernetes"
2023-04-13T00:55:55.782139Z info Pilot SAN: [istiod.istio-system.svc]
2023-04-13T00:55:55.783423Z info Starting proxy agent
2023-04-13T00:55:55.783462Z info starting
2023-04-13T00:55:55.783497Z info Envoy command: [-c etc/istio/proxy/envoy-rev.json --drain-time-s 45 --drain-strategy immediate --local-address-ip-version v4 --file-flush-interval-msec 1000 --disable-hot-restart --allow-unknown-static-fields --log-format %Y-%m-%dT%T.%fZ %l envoy %n %g:%# %v thread=%t -l warning --component-log-level misc:error]
2023-04-13T00:55:55.783974Z info sds Starting SDS grpc server
2023-04-13T00:55:55.784154Z info starting Http service at 127.0.0.1:15004
2023-04-13T00:56:15.764686Z warn ca ca request failed, starting attempt 1 in 104.527715ms
2023-04-13T00:56:15.870171Z warn ca ca request failed, starting attempt 2 in 200.732771ms
2023-04-13T00:56:16.071800Z warn ca ca request failed, starting attempt 3 in 394.005637ms
2023-04-13T00:56:16.466527Z warn ca ca request failed, starting attempt 4 in 856.880464ms
I can verify that istioctl version 1.13.3 was working well in EKS (version 1.21).
Can you please help me?
Thanks,