Keith Mattix II
The key to zero downtime rotation is to add both CA chains to the trust chain for a while until all proxies have been restarted and are issued with the...
You'll also need another field in meshconfig as well as an env var on istiod; this comment breaks it all down: https://github.com/istio/istio/issues/39935#issuecomment-1190577755
Ah, so were you using the plugin CA feature of Istio?
This might have something to do with https://github.com/Azure/AKS/issues/3646
So to make sure I'm understanding: you're trying to deny traffic to that service from ns3?
Thanks; just confirming. I think the issue here is that your application is doing TLS, meaning that the request is encrypted. When the traffic is encrypted, Envoy doesn't have access...
That's...a really good point. I knew that but I didn't make the connection because the doc said we supported it. Looks like the action item here is to prune that...
Can we add some sort of "super leader" or priority process in the next release, not use it, and then once every supported release has it, use it to change...
@vikaschoudhary16 basically what you're saying is that there will never be two leaders for the same revision post upgrade. Is that correct?
If that's true, then I feel like this is probably safeish. I'm no expert in the leader election code, so I'll let other folks weigh in.