Comments (5)
Hi @lokeshwaran100, thanks for opening the issue. I'm also interested in being able to do this in a less destructive way.
Another option could be to instead kill the istio-proxy container, which causes the container to restart, but not recycle the entire pod:
$ kubectl exec -it httpbin-577f7b7c47-r4mrj -c istio-proxy -- kill -s SIGINT 1
from istio-csr.
Hi @JoshVanL, thank you. Terminating the istio-proxy container worked.
But for this current approach to work, it is also required to delete the istio-csr agent pod and the istiod pod.
Will there be a better way to do this in future releases?
from istio-csr.
@lokeshwaran100 for istiod and the istio proxies, this functionality really needs to come from Istio itself. I believe CA rotation in a more first-class way is something they would like to tackle in 2021.
If istio-csr is reading the CA from file, we could definitely do a better job in detecting changes and writing out the new bundle.
from istio-csr.
One potential solution to help would be to have another sidecar on the workloads running https://github.com/jimmidyson/configmap-reload, which can watch for changes to the trust bundle configmap and send a restart proxy call to the proxy API on localhost:15000/quitquitquit.
I've tested that just by rollout-restarting istio-csr and calling quitquitquit manually, and it works.
This could slightly improve the management overhead if there is an easy way to inject the configmap watcher sidecar at deploy time, perhaps by extending istioctl kube-inject somehow.
A slight variation is using the more popular configmap watcher project which does a full blown restart on a configmap change: https://github.com/stakater/Reloader , which could be used on both istio-csr and the workload pods.
I will test this out and let you know what works best for me.
from istio-csr.
After further consideration, it's probably not a good idea to run a watcher just for this particularly infrequent operation; we can just have a step to run the exec SIGINT as suggested by @JoshVanL until Istio provides a way to do this. Should note that any Istio CA, including Citadel, will have the exact same issue here.
from istio-csr.
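A scripted version of that SIGINT step, as an added example that is not from the thread or from the istio-csr project: it lists the pods in a namespace, keeps only those that actually carry an istio-proxy container, and sends SIGINT to PID 1 of the proxy in each pod in turn. It assumes kubectl is already configured for the cluster; the namespace, sidecar container name and pause between pods are parameters, and the pod list in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue thread): after a CA rotation, restart
# only the istio-proxy sidecars in a namespace by sending SIGINT to PID 1 of
# that container, as suggested in the thread. istiod and the istio-csr agent
# are not handled here; the thread notes those pods need to be deleted.

# Read "pod<TAB>container1 container2 ..." lines (the kubectl jsonpath output
# produced by list_pods below) and print the names of pods carrying the sidecar.
# Pods without an istio-proxy container are skipped rather than exec'd into.
pods_with_sidecar() {
    sidecar="${1:-istio-proxy}"
    while IFS="$(printf '\t')" read -r pod containers; do
        for c in $containers; do
            if [ "$c" = "$sidecar" ]; then
                echo "$pod"
                break
            fi
        done
    done
}

# List pods in a namespace with their container names, one pod per line.
# Constructed sample of the output for a namespace with two pods:
#   httpbin-577f7b7c47-r4mrj<TAB>httpbin istio-proxy
#   istiod-abc<TAB>discovery
list_pods() {
    kubectl -n "$1" get pods \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].name}{"\n"}{end}'
}

# Send SIGINT to PID 1 of the sidecar in each matching pod, pausing between
# pods so every proxy in the namespace does not restart at the same moment.
restart_sidecars() {
    ns="$1"; sidecar="${2:-istio-proxy}"; pause="${3:-2}"
    list_pods "$ns" | pods_with_sidecar "$sidecar" | while read -r pod; do
        echo "restarting $sidecar in $ns/$pod"
        kubectl -n "$ns" exec "$pod" -c "$sidecar" -- kill -s SIGINT 1
        sleep "$pause"
    done
}

# Usage: restart_sidecars <namespace> [sidecar-name] [pause-seconds]
# e.g.   restart_sidecars default istio-proxy 2
```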