Josh van Leeuwen
Josh van Leeuwen
Hi @lokeshwaran100, thanks for opening the issue. I'm also interested in being able to do this in a less destructive way. Another option could be to instead kill the istio-proxy...
@lokeshwaran100 for istiod and istio proxies, this functionality needs to come from istio itself really. I believe CA rotation in a more first class way is something they would like...
Thanks, I agree we shouldn't _require_ that the metrics service is enabled for the service monitor. Though I don't think there is a need to remove the _option_ for a...
Thanks @bpotaczek! It is surprising to me that this works as the istio workloads themselves using the same Issuer don't have a CommonName set IIRC.
Hi @shinderupesh, both outputs look to be expected dependant on the istio version you are using. On 1.13: ```terminal $ git checkout 1.13.2 $ $ grep -nir . -e "Citadel...
Hi @hari-vamsikrishna, you can change the maximum requested duration using the istio-csr flag `--max-client-certificate-duration=1h` however is istio workloads request for shorter than that, then istio-csr will request that duration.
Hi @nicop311, the `ca.pem` file referenced should contain the root CAs that you would like your istio cluster to trust (including and likely only the CA of your issuer). If...
Hi @ceastman-r7, do you mean it is repeated once for each namespace, or is continuously logged for every namespace over and over again? If the latter, then this suggests that...
Yes, sounds like to me istiod might be missing this configuration https://github.com/cert-manager/istio-csr/blob/4200304ed29471f4bde2c499da7e60614e69efeb/hack/istio-config-1.13.4.yaml#L20
This thread should be of help 🙂 https://github.com/cert-manager/istio-csr/issues/113