Certificate-rotation by placing both RootA and RootB in root-cert (trusting both) isn't working in Istio 1.7 #1

Open
sandeep1699 opened this issue Nov 6, 2020 · 1 comment

Comments

@sandeep1699

Hi @christian-posta

This is really a great article (https://blog.christianposta.com/diving-into-istio-1-6-certificate-rotation/).
I followed the steps in the video "PART4 -- Rotating intermediate certificates (different root)" and executed the script ./demo-multiple-roots-intermediate.sh,
but at the end, when httpbin is restarted, the envoy-proxy is not coming up.

Error:
warning envoy config StreamAggregatedResources gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

I am using Istio 1.7. Does something need to be changed to make this work for 1.7?

@rveerama1

Hi @christian-posta

First of all, thanks for the great blog post.

I tried it on Istio 1.7.3. I see the same issues that @sandeep1699 noticed. The httpbin pod doesn't go to the 2/2 state.

default httpbin-fb485c697-khqsw 1/2 Running 0

Warning Unhealthy 5m51s (x14 over 6m17s) kubelet Readiness probe failed: Get "http://10.0.0.248:15021/healthz/ready": dial tcp 10.0.0.248:15021: connect: connection refused
Warning Unhealthy 89s (x129 over 5m45s) kubelet Readiness probe failed: HTTP probe failed with statuscode: 503

Apart from this issue, I noticed another one.

Commands which involve "istio-security" in this script https://github.com/christian-posta/istio-demos/blob/master/cert-rotation/check-current-istio-certs.sh don't execute.
