Hi All,
I am a bit confused by the behavior of Istio 1.5 when it comes to changing the certificate.
I installed Istio with the following command and then created the sample bookinfo example:
istioctl manifest apply --set profile=demo
I debugged the certificate and it has the following values:
Issuer: O=cluster.local
URI:spiffe://cluster.local/ns/bookinfo/sa/bookinfo-details
Then I plugged in existing CA certificates and executed the following command:
istioctl manifest apply --set values.global.mtls.enabled=true,values.security.selfSigned=true
I was expecting istiod to be redeployed, but it was not; instead I see the following error in the istiod logs:
2020-04-05T16:57:23.696459Z info grpc: Server.Serve failed to complete security handshake from "192.168.251.235:53086": remote error: tls: unknown certificate authority
kubectl get pods -n istio-system
grafana-5cc7f86765-zc9rv 192.168.251.238
istio-egressgateway-598d7ffc49-wb5lk 192.168.251.235
istio-ingressgateway-7bd5586b79-xj2sl 192.168.251.236
istio-tracing-8584b4d7f9-6wdxp 192.168.251.239
istiod-646b6fcc6-cvw5j 192.168.251.222
kiali-696bb665-f4l6h 192.168.251.240
prometheus-6c88c4cb8-84z8j 192.168.251.241
Once I restart all these components I don't see any exception. I was expecting that, as it is using the default SDS, it should be reflected automatically.
At the same time my certificates have the same values. I was expecting them to change at runtime, but they did not:
Issuer: O=cluster.local
URI:spiffe://cluster.local/ns/bookinfo/sa/bookinfo-details
Then I deleted the pods in bookinfo and saw the issuer change:
Issuer: C=US, ST=California, L=Sunnyvale, O=Istio, CN=Istio CA
I would be thankful for any kind of explanation.
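
An added example, not part of the original post: a shell check that reads a certificate text dump of the kind quoted above (`openssl x509 -noout -text` style) and reports whether the workload still holds a certificate from the old issuer after a CA change. The function names and the two sample dumps are constructed for illustration from the Issuer and URI values in the post; how the dump is collected from each pod is left out and assumed.

```shell
#!/bin/sh
# Constructed sample dumps (values taken from the post, layout assumed).
NEW_CA='C=US, ST=California, L=Sunnyvale, O=Istio, CN=Istio CA'
OLD_DUMP='        Issuer: O=cluster.local
            X509v3 Subject Alternative Name: critical
                URI:spiffe://cluster.local/ns/bookinfo/sa/bookinfo-details'
NEW_DUMP='        Issuer: C = US, ST = California, L = Sunnyvale, O = Istio, CN = Istio CA
            X509v3 Subject Alternative Name: critical
                URI:spiffe://cluster.local/ns/bookinfo/sa/bookinfo-details'

# Remove whitespace around '=' and ',' so "O = Istio" (newer OpenSSL)
# and "O=Istio" (older OpenSSL) compare equal.
normalize_dn() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*=[[:space:]]*/=/g' \
        -e 's/[[:space:]]*,[[:space:]]*/,/g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Read a certificate text dump on stdin, print the normalized Issuer DN.
cert_issuer() {
    normalize_dn "$(sed -n 's/^[[:space:]]*Issuer:[[:space:]]*//p' | head -n 1)"
}

# Read a certificate text dump on stdin, print the first SPIFFE URI SAN.
cert_spiffe_id() {
    grep -o 'spiffe://[^,[:space:]]*' | head -n 1
}

# classify EXPECTED_ISSUER < dump
# Prints "current <id>" when the issuer matches, otherwise "stale <id> issuer=<dn>".
classify() {
    expected=$(normalize_dn "$1")
    text=$(cat)
    issuer=$(printf '%s\n' "$text" | cert_issuer)
    id=$(printf '%s\n' "$text" | cert_spiffe_id)
    if [ "$issuer" = "$expected" ]; then
        printf 'current %s\n' "$id"
    else
        printf 'stale %s issuer=%s\n' "$id" "$issuer"
    fi
}

# Demo on the constructed dumps: pod before and after it was deleted.
printf '%s\n' "$OLD_DUMP" | classify "$NEW_CA"
printf '%s\n' "$NEW_DUMP" | classify "$NEW_CA"
```

A workload reported as `stale` is still presenting a certificate signed by the previous CA, which matches the state described in the post before the bookinfo pods were deleted.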