Istio sidecar injector root cert NBF

deeluk · January 10, 2020, 7:22pm

I just set up a new Istio deployment. I’m seeing failures related to sidecar injection and the associated root certificate. Digging a little deeper, it looks like the root cert that was created during deployment has a not before date in the future (+1 day). I’m looking at both the secret named “istio.istio-sidecar-injector-service-account” and the config of the mutatingwebhook istio-sidecar-injector (the certs are the same). I double checked the system dates of all nodes in my cluster and they’re all correct. What can I do to fix this?

Thanks,

Derek

deeluk · January 10, 2020, 7:43pm

Here is the actual error I see:

Warning FailedCreate 3s (x11 over 8s) replicaset-controller Error creating: Internal error occurred: failed calling webhook “sidecar-injector.istio.io”: Post https://istio-sidecar-injector.istio-system.svc:443/inject?timeout=30s: x509: certificate has expired or is not yet valid

deeluk · January 10, 2020, 7:54pm

Nevermind, dates were not actually in sync across all nodes in the cluster. My bad.

Derek

Topic		Replies	Views
Sidecar injection fails due to missing root certificate (x509: certificate signed by unknown authority) Security	1	2827	August 4, 2021
Internal error occurred: failed calling webhook "namespace.sidecar-injector.istio.io": Post "https://istiod.istio-system.svc:443/inject?timeout=10s": context deadline exceeded Networking	16	16907	November 25, 2023
Expired root certificate Security	6	3676	June 19, 2019
Canary upgrade Istio 1.6.13 to 1.7.8 problem	0	1562	September 1, 2021
Istio Sidecar trusts expired LE Root CA cert in trusted ca-certs (DST Root CA X3) security , release	0	767	November 12, 2021

Istio sidecar injector root cert NBF

Related topics