Sidecar injection fails due to missing root certificate (x509: certificate signed by unknown authority)

I installed Istio with Helm (commit f7626af, only base and istio-discovery charts). Now, when creating a Pod, the sidecar injection fails with the following error from the Kubernetes API Server:

Error creating: Internal error occurred: failed calling webhook "": Post https://istiod.istio-system.svc:443/inject?timeout=10s: x509: certificate signed by unknown authority

When I look into the istio-sidecar-injector MutatingWebhookConfiguration, the caBundle field is missing from all the webhooks.

This issue is described under Sidecar Injection Problems in the Istio docs, and the advice is:

Verify the caBundle in the mutatingwebhookconfiguration matches the root certificate mounted in the istiod pod.

The instructions are to inspect root-cert.pem in a Secret (I guess this Secret should be istio-ca-secret and not istiod-service-account-token as indicated in the docs, as the former is the only Secret with a root-cert.pem field).

However, the content of the istio-ca-secret looks as follows:

  ca-cert.pem: REDACTED_CERT 
  ca-key.pem: REDACTED_KEY
  cert-chain.pem: null
  key.pem: null
  root-cert.pem: null

That is, root-cert.pem isn’t set at all (even though it probably should be set to an auto-generated self-signed certificate that is then also injected into the MutatingWebhookConfiguration).

Why didn’t Istio generate a root certificate, and how can this be fixed?

It turned out that the issue was caused by a version mismatch between the Istio container images and the Istio Helm charts (charts fixed to a specific old version but the latest container images were used).

After pinning both chart and images to the exact same version (1.10.3), the issue was resolved.

The istio-ca-secret Secret still looks the same as in the first post in a functioning installation of Istio (1.10.3), i.e. root-cert.pem and the two other fields are null. However, the certificate in question seems to be in ca-cert.pem. This is the certificate that’s injected into the MutatingWebhookConfiguration.
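The check discussed in this thread (does each webhook's caBundle contain the certificate in ca-cert.pem of istio-ca-secret?) can be scripted. The following is an added example, not part of the original posts or of Istio: the function names, webhook names and sample objects are constructed, the "certificates" are placeholder bytes, and it assumes the JSON layout returned by `kubectl get ... -o json`.

```python
import base64
import hashlib
import json
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(b64_pem):
    """SHA-256 of the DER bytes of every certificate in a base64-encoded PEM bundle."""
    pem = base64.b64decode(b64_pem or "").decode("ascii", "replace")
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem)}

def check_webhooks(webhook_cfg, ca_secret):
    """Map each webhook name to 'ok', 'missing' (no caBundle) or 'mismatch'."""
    ca = cert_fingerprints(ca_secret.get("data", {}).get("ca-cert.pem"))
    result = {}
    for wh in webhook_cfg.get("webhooks", []):
        bundle = wh.get("clientConfig", {}).get("caBundle")
        if not bundle:
            result[wh["name"]] = "missing"   # the state described in the first post
        elif ca and ca <= cert_fingerprints(bundle):
            result[wh["name"]] = "ok"        # bundle contains the CA certificate
        else:
            result[wh["name"]] = "mismatch"  # stale bundle, or ca-cert.pem unset
    return result

def _pem(der):
    """Constructed sample data: wrap placeholder bytes the way Kubernetes stores PEM."""
    body = base64.b64encode(der).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return base64.b64encode(pem.encode()).decode()

# Constructed stand-ins for the output of:
#   kubectl -n istio-system get secret istio-ca-secret -o json
#   kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o json
SAMPLE_SECRET = {"data": {"ca-cert.pem": _pem(b"constructed-ca-A"), "root-cert.pem": None}}
SAMPLE_WEBHOOKS = {"webhooks": [
    {"name": "constructed-ok", "clientConfig": {"caBundle": _pem(b"constructed-ca-A")}},
    {"name": "constructed-stale", "clientConfig": {"caBundle": _pem(b"constructed-ca-B")}},
    {"name": "constructed-empty", "clientConfig": {}},
]}

if __name__ == "__main__":
    print(json.dumps(check_webhooks(SAMPLE_WEBHOOKS, SAMPLE_SECRET), indent=2))
```

Comparing fingerprints of the decoded certificates rather than the raw base64 strings avoids false mismatches caused by whitespace or line-wrapping differences between the Secret and the webhook configuration.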