spire
workload is not authorized for the requested identities
After following the SPIRE guide https://istio.io/latest/docs/ops/integrations/spire/ to install SPIFFE, I'm getting the following errors on my ingress-gateway:
2022-08-09T15:39:26.825395Z warning envoy config StreamSecrets gRPC config stream closed: 3, workload is not authorized for the requested identities ["file-root:/etc/istio/shared/certs/cert-chain.pem"]
2022-08-09T15:39:31.818079Z warning envoy config StreamSecrets gRPC config stream closed: 3, workload is not authorized for the requested identities ["file-cert:/etc/istio/ingress-gateway/certs/tls.crt~/etc/istio/ingress-gateway/certs/tls.key
BTW, I'm using self-signed certificates on my ingress-gateway.
Is there something I'm missing, or do I need to register those workloads? Any guidance would be appreciated.
BTW, I'm using self-signed certificates on my ingress-gateway.
Why are you using self-signed certificates? You are trying to make the ingress-gateway get its certificates from SPIRE, right?
Is there something I'm missing, or do I need to register those workloads? Any guidance would be appreciated.
Yes, you need to register the workload; in the guide there's an example for the ingress workload. You need to also check that the SPIRE agent socket is mounted in the ingress pod.
Those SDS resource names ("file-root:/etc/istio/shared/certs/cert-chain.pem" and "file-cert:/etc/istio/ingress-gateway/certs/tls.crt~/etc/istio/ingress-gateway/certs/tls.key") also look abnormal. SPIRE is expecting either the default resource names (i.e. "default" for the SVID, "ROOTCA" for the bundle) or specific SPIFFE IDs for those resources.
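As an added illustration of the two causes named in this reply (not code from the thread or from Istio/SPIRE), the following script reads Envoy's StreamSecrets warnings, extracts the rejected SDS resource names, and sorts them into "names SPIRE will never serve" versus "names SPIRE would serve if a registration entry matched". The sample log lines are the two warnings quoted in the issue; the classification rules are taken from the reply above.

```python
"""Added example: triage Envoy "workload is not authorized" SDS warnings.
Per the reply above, SPIRE's SDS server only serves "default" (the SVID),
"ROOTCA" (the bundle) or an explicit SPIFFE ID; "file-root:"/"file-cert:"
names are Istio's file-based secrets, which SPIRE never authorizes."""
import re
from typing import Dict, List

_REJECTED = re.compile(
    r'workload is not authorized for the requested identities \[(?P<names>.*?)\]?\s*$')
# Names are double-quoted; a line cut off mid-name (as in the issue) has no closing quote.
_NAME = re.compile(r'"([^"]*)"?')

# Sample input: the two warnings quoted in the issue (the second one is truncated there).
SAMPLE_LOG = [
    '2022-08-09T15:39:26.825395Z warning envoy config StreamSecrets gRPC config stream closed: 3, '
    'workload is not authorized for the requested identities ["file-root:/etc/istio/shared/certs/cert-chain.pem"]',
    '2022-08-09T15:39:31.818079Z warning envoy config StreamSecrets gRPC config stream closed: 3, '
    'workload is not authorized for the requested identities ["file-cert:/etc/istio/ingress-gateway/certs/tls.crt'
    '~/etc/istio/ingress-gateway/certs/tls.key',
]

def classify_sds_name(name: str) -> str:
    """Say what the SPIRE SDS server would make of one requested resource name."""
    if name == "default":
        return "svid"
    if name == "ROOTCA":
        return "bundle"
    if name.startswith("spiffe://"):
        return "spiffe-id"
    if name.startswith(("file-root:", "file-cert:")):
        return "file-based"
    return "unknown"

def rejected_names(log_lines: List[str]) -> Dict[str, str]:
    """Map every SDS resource name SPIRE rejected to its classification."""
    found: Dict[str, str] = {}
    for line in log_lines:
        m = _REJECTED.search(line)
        if m:
            for name in _NAME.findall(m.group("names")):
                if name:
                    found[name] = classify_sds_name(name)
    return found

def diagnose(rejected: Dict[str, str]) -> List[str]:
    """Map rejected names to the two likely causes discussed in the thread."""
    kinds, causes = set(rejected.values()), []
    if kinds & {"file-based", "unknown"}:
        causes.append("gateway TLS config names certificate files; SPIRE cannot serve them")
    if kinds & {"svid", "bundle", "spiffe-id"}:
        causes.append("no registration entry matches this pod; check selectors and agent socket mount")
    return causes
```

Run it against a gateway's log (e.g. `diagnose(rejected_names(lines))`): for the issue's two lines it reports only the file-based cause, while a rejected "default"/"ROOTCA" request would instead point at a missing registration entry or an unmounted agent socket.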
I'm trying to set up a multi-mesh cluster between two clusters using east-west gateways, and I have been following https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/ to generate self-signed certs for both my clusters using a root CA. I got the multi-mesh to work; however, when I introduce SPIRE on top, it just stops working and I start getting the above errors. The need to use SPIRE in the multi-mesh clusters came from the Istio deployment model docs, "Trust between meshes" https://istio.io/latest/docs/ops/deployment/deployment-models/#trust-between-meshes; I was under the impression it is a required piece in the multi-mesh setup.
I think this is just a lack of understanding on my side: if SPIRE is generating my certs and I am able to share bundles between my clusters, how can I use those certs in my gateway and destination rules when doing cross-cluster communication?
Looks like there could be a misconfiguration. @maxlambrecht could you help on this?
I'm trying to set up a multi-mesh cluster between two clusters using east-west gateways, and I have been following https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/ to generate self-signed certs for both my clusters using a root CA. I got the multi-mesh to work; however, when I introduce SPIRE on top, it just stops working and I start getting the above errors. The need to use SPIRE in the multi-mesh clusters came from the Istio deployment model docs, "Trust between meshes" https://istio.io/latest/docs/ops/deployment/deployment-models/#trust-between-meshes; I was under the impression it is a required piece in the multi-mesh setup.
SPIRE is not a required piece in the multimesh setup, you can just do it with the deployment models from the istio docs. On the other hand, if you want to use SPIRE to leverage its attestation capabilities among other things, you can use it to achieve multi-mesh trust. You need to decide if you want to have one trust domain per cluster and federate them using SPIFFE Federation or use just one trust domain. I'd suggest trying to use one trust domain-one SPIRE deployment to provide the certs to both clusters. You can follow the guide in istio docs and I recommend installing the spire controller manager to automatically generate all the registration entries, it will generate also the registration entry for the ingress gateway so it can get the certs to do mTLS.
I got the multi-mesh to work; however, when I introduce SPIRE on top, it just stops working
I'm no Istio expert, but the docs you linked to, and the sample, both mention that SPIRE must be installed into the cluster prior to installing Istio.
@alexdotsh Does the information posted here resolve your issue?
@maxlambrecht @rturner3 Yes, all this info helps a lot. Thanks!