I am a bit confused by the behavior of Istio 1.5 when it comes to changing the certificate.
I have installed Istio with the following command and then created the sample bookinfo example:
istioctl manifest apply --set profile=demo
I debugged the certificate and it has the following values
Then I went through "Plugging in existing CA Certificates" and executed the following command:
istioctl manifest apply --set values.global.mtls.enabled=true,values.security.selfSigned=true
I was expecting istiod to be redeployed, but it is not; instead I see the following error in the istiod logs:
2020-04-05T16:57:23.696459Z info grpc: Server.Serve failed to complete security handshake from "192.168.251.235:53086": remote error: tls: unknown certificate authority
kubectl get pods -n istio-system
Once I restart all these components I don't see any exception. I was expecting that, as it is using the default SDS, it should be reflected automatically.
At the same time my certificates have the same value; I was expecting it to change at runtime, but it did not.
Then I deleted the pods in bookinfo and saw the issuer change:
Issuer: C=US, ST=California, L=Sunnyvale, O=Istio, CN=Istio CA
I would be thankful for any kind of explanation.