Josh van Leeuwen

Are there any other logs @mvkzzz? Also, was the pod ever in a healthy state and has it requested its serving certificate successfully?

Is the referenced issuer ready, and there are no pending CertificateRequests?

You have referenced an Issuer named istio-ca. This should be in the istio-system namespace. kubectl get issuers -n istio-system You can read about the Issuer and CertificateRequest resources here: https://cert-manager.io/docs/configuration/...

Yep, looks like you are referencing an issuer that doesn’t yet exist.

@mvkzzz, please review the documentation for the [SelfSigned Issuer](https://cert-manager.io/docs/configuration/selfsigned/) where that annotation is required. The SelfSigned Issuer is not appropriate for signing istio workloads against because this will not produce...

@mvkzzz The keys and certs are kept in memory as far as I'm aware. You might be able to discover them, or at least the certificate, via istioctl: ``` $...

Hi @neerajaustin, glad you like the project :) istio-csr acts as the RA for istio which will hand off requests to the configured cert-manager CA once it's happy. Since we...

@lokeshwaran100 istio-csr is responsible for verifying whether the contents of the incoming CSR matches the requestors identity. In istio, this maps a Kubernetes ServiceAccount into a spiffe ID as a...

Thanks for the detailed issue @xUnholy! I've drawn over your diagram a bit which hopefully should help things (apologies for my use of paint :joy:).  The flow for...

@xUnholy that does seem odd to me. Could you have a look at the root CA that is passed to the istio proxy to make sure it is the root...