I have a cluster that is about a week old, and I started seeing ingress failures after enabling ISTIO_MUTUAL on the destination rules. I didn't see 100% failure, but specific ingress pods returned 503s while others worked normally. Disabling mTLS fixed the failing ingress pods.
I am seeing these logs repeatedly in istio-citadel. Istio-citadel is refreshing all the secrets repeatedly.
2019-06-07T00:10:18.005207Z info Refreshing secret kube-system/istio.heapster, either the leaf certificate is about to expire or the root certificate is outdated
Is there a reason why this happens? I use the same code to build clusters, but ran into this specifically in one cluster only.
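To tell a refresh loop apart from a single rotation, the Citadel log quoted in the post can be grouped by secret and checked for repeated refreshes inside a short window. This is an added example, not part of the original post or of Istio's code; the thresholds (`min_count`, `window`) and every sample line except the first are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Citadel "Refreshing secret <namespace>/<name>," line quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z\s+info\s+"
    r"Refreshing secret (?P<ns>[^/\s]+)/(?P<name>[^,\s]+),"
)

def refresh_times(lines):
    """Map 'namespace/secret' to the list of timestamps at which it was refreshed."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # unrelated log lines are ignored
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            seen[f'{m["ns"]}/{m["name"]}'].append(ts)
    return seen

def looping_secrets(lines, min_count=3, window=timedelta(minutes=10)):
    """Return {secret: n} where n >= min_count refreshes fell inside one window.

    min_count and window are illustrative thresholds (assumptions), not Istio defaults.
    """
    flagged = {}
    for secret, times in refresh_times(lines).items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            flagged[secret] = best
    return flagged

REASON = "either the leaf certificate is about to expire or the root certificate is outdated"
SAMPLE = [
    # First line is the one from the post; the rest are constructed for the example.
    f"2019-06-07T00:10:18.005207Z info Refreshing secret kube-system/istio.heapster, {REASON}",
    f"2019-06-07T00:10:18.311000Z info Refreshing secret default/istio.default, {REASON}",
    f"2019-06-07T00:11:19.020000Z info Refreshing secret kube-system/istio.heapster, {REASON}",
    "2019-06-07T00:11:30.000000Z info constructed unrelated log line",
    f"2019-06-07T00:12:20.100000Z info Refreshing secret kube-system/istio.heapster, {REASON}",
]

if __name__ == "__main__":
    for secret, n in looping_secrets(SAMPLE).items():
        print(f"{secret}: refreshed {n} times within the window")
```
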