-
Notifications
You must be signed in to change notification settings - Fork 484
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Istio 1.21+ unable to get OS CA certificate bundle from SPIRE #5687
Comments
Found out what causes the issue. Istio 1.21 switched to verifying server certificates at proxies by default. This leads to Istio proxies (both gateways and sidecars) trying to procure the operating system's CA by asking the SDS service for the Setting The above workaround is not ideal as we need to have proxies verify TLS certificates coming from external servers. |
Hi @vassilvk , thank you for opening this. I briefly read through the provided links .. can you confirm the exact Istio behavior change? Is it that the gateway previously handled TLS for connections to external services and then spoke MTLS back to the client ... and now, external connections can pass through and sidecars can directly validate TLS certificates presented by external services? |
Hi @evan2645, The difference in Istio behavior is caused by a change in the default value of the The use case that leads to issues with SPIRE is as follows: When the Istio proxy attempts to speak TLS (not mTLS) to an endpoint, when So that's all good. If, however, the When the proxy is configured to pull its secrets from an SDS stream, it will try to get the operating system's CA bundle by asking the SDS service (in our case SPIRE) for a resource called My question is, does it make sense to add support for resource |
Thank you @vassilvk - yes I think it will make sense to support this, just trying to make sure I fully understand first
When this flag is set to false as it was before .. what is the behavior? Gateway validates server-side cert on the client's behalf? Or something else? |
When |
Not sure if this is an Istio or a SPIRE issue, however, after following this Istio + SPIRE guide, the Istio gateway pods detect the SPIRE-provided SDS API (as expected), however, they fail to obtain certificates from their SPIRE agents.
The gateway proxy logs contain a series of the following warning message:
The SPIRE agents log the following corresponding message:
The SPIRE infrastructure was deployed using spire helm chart version 0.24.1 (app version 1.11.0).
The
ClusterSPIFFEID
CRDs for the Istio gateway pods function correctly - I can see the SPIFFE registration entries for the gateway pods added to the SPIRE server.What I don't see is an entry for identity
file-root:system
.Not sure why the gateway is attempting to obtain a certificate for identity
file-root:system
, but looking at Istio's code this indicates that the proxy is asking for the OS root certificates.I understand that this might be a an Istio question, but I figured someone here might have experienced the same.
The text was updated successfully, but these errors were encountered: