
Ambassador doesn't like Istio mTLS secrets


Describe the bug

The Ambassador with Istio guide (https://www.getambassador.io/user-guide/with-istio) suggests using the following annotation to attach Istio secrets:

  apiVersion: ambassador/v1
  kind: TLSContext
  name: istio-upstream
  hosts: []
  secret: istio.default

Which does not work with the following error:

ambassador.default.1: TLSContext istio-upstream found no certificate in secret istio in namespace default, ignoring...

Upon inspection of the source code https://github.com/datawire/ambassador/blob/528b16c14d26cece0be7719403debf6577e2e097/ambassador/ambassador/ir/ir.py#L291 it looks like the secret name istio.default is parsed incorrectly because the routine assumes that the secret name is everything before the dot (e.g. istio).

To Reproduce

Just try to follow the guide: https://www.getambassador.io/user-guide/with-istio. It cannot work because the istio.default secret name will be parsed as istio.

Expected behavior

If you want to have namespace qualification for secrets, then I think it should be possible to do dot escaping, something like istio\.default, to support cases where the secret has a dot in its name.

Versions (please complete the following information):

  • Ambassador: 0.60.1
  • Kubernetes environment: Minikube
  • Version: k8s 1.14.0
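The parsing problem the report describes, and the escaping it proposes, as an added example. This is not Ambassador's code: the naive parser only mimics the behaviour described above ("everything before the dot is the name"), the escaped `name[.namespace]` grammar is a hypothetical reading of the proposal, and the in-memory secret store with its `tls.crt`/`tls.key` keys is constructed stand-in data, not the real content of an Istio secret.

```python
"""Added example, not Ambassador's own code.

Shows why a `name.namespace` secret reference cannot address a secret that
is literally named "istio.default", and one hypothetical fix: a backslash
escape for dots that belong to the name.
"""
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the Kubernetes API: (namespace, name) -> data.
# Istio's certificate secret is literally named "istio.default"; the data keys
# below are made up for the example and are not the real secret's keys.
FAKE_SECRETS: Dict[Tuple[str, str], Dict[str, bytes]] = {
    ("default", "istio.default"): {
        "tls.crt": b"-----BEGIN CERTIFICATE-----\n(constructed)\n",
        "tls.key": b"-----BEGIN PRIVATE KEY-----\n(constructed)\n",
    },
}


def parse_secret_ref_naive(ref: str, default_namespace: str) -> Tuple[str, str]:
    """The behaviour the issue describes: the text before the first dot is
    the secret name and the rest is the namespace. A secret whose name
    contains a dot can therefore never be addressed."""
    if "." in ref:
        name, namespace = ref.split(".", 1)
        return name, namespace
    return ref, default_namespace


def parse_secret_ref(ref: str, default_namespace: str) -> Tuple[str, str]:
    """Hypothetical escaped grammar: name[.namespace], where a literal dot in
    the name is written as "\\.". Only an unescaped dot separates the two.
    A backslash is not a legal character in a Kubernetes secret name, so the
    escape cannot collide with any real name."""
    name = []
    i = 0
    while i < len(ref):
        ch = ref[i]
        if ch == "\\" and i + 1 < len(ref) and ref[i + 1] == ".":
            name.append(".")  # escaped dot is part of the name
            i += 2
            continue
        if ch == ".":
            namespace = ref[i + 1:]
            if not name or not namespace:
                raise ValueError(f"malformed secret reference: {ref!r}")
            return "".join(name), namespace
        name.append(ch)
        i += 1
    if not name:
        raise ValueError(f"malformed secret reference: {ref!r}")
    return "".join(name), default_namespace


def resolve_tls_secret(
    ref: str,
    default_namespace: str,
    parser: Callable[[str, str], Tuple[str, str]],
    store: Dict[Tuple[str, str], Dict[str, bytes]] = FAKE_SECRETS,
) -> Optional[Dict[str, bytes]]:
    """Look the reference up the way a TLSContext loader would; a miss
    produces the same kind of 'found no certificate' situation the report
    quotes, and the context is ignored."""
    name, namespace = parser(ref, default_namespace)
    data = store.get((namespace, name))
    if data is None or "tls.crt" not in data or "tls.key" not in data:
        print(f"TLSContext found no certificate in secret {name} "
              f"in namespace {namespace}, ignoring...")
        return None
    return data


if __name__ == "__main__":
    # As written in the guide: parsed as name "istio", namespace "default".
    print(parse_secret_ref_naive("istio.default", "default"))
    print(resolve_tls_secret("istio.default", "default", parse_secret_ref_naive) is not None)
    # With the proposed escape: name "istio.default" in the default namespace.
    print(parse_secret_ref(r"istio\.default", "default"))
    print(resolve_tls_secret(r"istio\.default", "default", parse_secret_ref) is not None)
```

Note that the unescaped form `istio.default` is ambiguous for both parsers; the escape is what lets the operator say which dot is a separator, so a guide that uses a dotted secret name needs the escaped spelling or a different separator altogether.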

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 13 (3 by maintainers)

Top GitHub Comments

4 reactions
tomburns commented, Apr 29, 2019

+1, my team ran into this on Friday – is the Istio mutual TLS scenario described in the documentation no longer supported?

1 reaction
iNoahNothing commented, Apr 30, 2019

Thank you for reporting this issue. It appears I did not completely check the correctness of the change to the documentation before publishing it.

Short term, the solution is to simply rollback to the old method of mounting the secret in a volume in the Ambassador container and use it there. Long term, we should work on getting this to work using a TLSContext for the sake of configuration uniformity.

The documentation rollback is happening now and should be completed soon. You can then follow that document to enable mTLS between Ambassador and Istio. I apologize for the inconvenience this has caused and appreciate the effort put into reporting this issue.
