Error creating: Internal error occurred: failed calling webhook "namespace.sidecar-injector.istio.io": Post https://istiod.istio-system.svc:443/inject?timeout=10s: x509: certificate signed by unknown authority
When I look into the istio-sidecar-injector MutatingWebhookConfiguration, the caBundle field is missing from all the webhooks.
This issue is described under Sidecar Injection Problems in the Istio docs, and the advice is:
mutatingwebhookconfiguration matches the root certificate mounted in the istiod pod.
The instructions are to inspect root-cert.pem in a Secret (I guess this Secret should be istio-ca-secret and not istiod-service-account-token as indicated in the docs, as the former is the only Secret with a
However, the content of the istio-ca-secret looks as follows:
data:
  ca-cert.pem: REDACTED_CERT
  ca-key.pem: REDACTED_KEY
  cert-chain.pem: null
  key.pem: null
  root-cert.pem: null
root-cert.pem isn’t set at all (even though it probably should be set to an auto-generated self-signed certificate that is then also injected into the MutatingWebhookConfiguration).
Why didn’t Istio generate a root certificate, and how can this be fixed?
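Added example (not part of the original post and not Istio's code): one way to run the caBundle comparison described above on the JSON output of `kubectl get ... -o json`, reporting per webhook whether the bundle is missing or differs from the CA in the Secret. Comparing against `ca-cert.pem` is an assumption (it is the only populated certificate field shown above); all sample values and the two `.constructed` webhook names are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(b64_pem):
    """SHA-256 of each certificate's DER bytes in a base64-encoded PEM bundle."""
    if not b64_pem:  # field absent, null or empty
        return set()
    pem = base64.b64decode(b64_pem).decode("ascii")
    return {hashlib.sha256(base64.b64decode(body)).hexdigest()
            for body in PEM_RE.findall(pem)}

def check_webhooks(webhook_cfg, secret, key="ca-cert.pem"):
    """Map each webhook name to missing / match / mismatch / no-ca-in-secret."""
    trusted = fingerprints((secret.get("data") or {}).get(key))
    report = {}
    for wh in webhook_cfg.get("webhooks", []):
        bundle = fingerprints(wh.get("clientConfig", {}).get("caBundle"))
        if not bundle:  # no caBundle, or no certificate inside it
            report[wh["name"]] = "missing"
        elif not trusted:  # the chosen Secret key holds no certificate
            report[wh["name"]] = "no-ca-in-secret"
        elif bundle & trusted:
            report[wh["name"]] = "match"
        else:
            report[wh["name"]] = "mismatch"
    return report

def _pem(der):
    """Wrap bytes as base64(PEM), the encoding Kubernetes uses for both fields."""
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    return base64.b64encode(pem).decode()

# Constructed stand-ins: arbitrary bytes in place of real DER certificates.
CA = _pem(b"constructed stand-in for the istiod CA certificate")
STALE = _pem(b"constructed stand-in for a CA from an older install")
SECRET = {"data": {"ca-cert.pem": CA, "root-cert.pem": None}}
CFG = {"webhooks": [
    {"name": "namespace.sidecar-injector.istio.io", "clientConfig": {}},
    {"name": "patched.constructed", "clientConfig": {"caBundle": CA}},
    {"name": "stale.constructed", "clientConfig": {"caBundle": STALE}},
]}

if __name__ == "__main__":
    for name, status in check_webhooks(CFG, SECRET).items():
        print(f"{status:16} {name}")
```

Against a live cluster, load the two objects with `json.load` from the saved `kubectl` output and pass them to `check_webhooks` in place of the constructed `CFG` and `SECRET`.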