Root certificate expiry logs in Istio-Citadel

I have a cluster that is about a week old, and I started seeing ingress failures after enabling ISTIO_MUTUAL on the destination rules. I didn’t see 100% failure, but specific ingress pods returned 503s while others worked normally. Disabling mTLS fixed the failing ingress pods.

I am seeing these logs repeatedly in istio-citadel. Istio-citadel is refreshing all the secrets repeatedly.

2019-06-07T00:10:18.005207Z	info	Refreshing secret kube-system/istio.heapster, either the leaf certificate is about to expire or the root certificate is outdated

Is there a reason why this happens? I use the same code to build clusters, but ran into this specifically in one cluster only.

@Oliver for the root certificate expire issue.