
istio 1.5 breaks secret handling for mTLS

See original GitHub issue

Describe the bug

Istio 1.5 introduces a breaking change to how secrets are handled. Secrets are no longer written into the namespace, which is how Ambassador currently consumes the secrets for use in mTLS.

This only applies to STRICT mode in mTLS and only applies if you directly install Istio 1.5 as a fresh install via istioctl. If you are upgrading from 1.4 to 1.5 then the old secret infrastructure remains. See https://discuss.istio.io/t/istios-helm-support-in-2020/5535/12 for confirmation of this behavior.

See the upgrade notes for more in-depth explanations of what is changing in regards to secrets.

To Reproduce

Steps to reproduce the behavior:

  1. Install Istio 1.5 using istioctl as a fresh install. Ensure you are using strict mTLS.
  2. Install Ambassador (any version post 1.0).
  3. Configure TLS by following the Istio documentation.
  4. Configure a Mapping to use the new TLSContext.
  5. Attempt to curl that Mapping. You will see a "connection reset" error due to the lack of secret availability, as the Istio sidecar will reject the request.

Expected behavior

Ambassador needs to either change to read via the new gRPC secret method or use Istio sidecars so that the current deployment solutions continue to work without interruption when using strict mTLS.

Additional context

We will also need to upgrade documentation to provide paths for upgrading Istio installations. The decision on the part of the Istio team to have different behavior depending on whether you perform a fresh install or are upgrading means that we will need to provide instructions on both paths.
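The resource set the reproduction steps describe, written out as an added example (it is not from the issue, nor from the Istio or Ambassador documentation). The namespace `default`, the upstream `productpage:9080` and the TLSContext name `istio-upstream` are assumed; `istio.default` is the per-namespace secret that Citadel wrote for the `default` service account on Istio 1.4 and earlier, which is the secret a fresh 1.5 install no longer creates.

```yaml
# Added example, not from the issue or either project's docs.
# Assumed names: namespace "default", upstream "productpage:9080",
# TLSContext "istio-upstream".

# 1. Mesh-wide STRICT mTLS in Istio 1.5. Sidecars now reject plaintext
#    and any TLS session that does not present a mesh client cert,
#    which is what surfaces as "connection reset" in the issue.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Ambassador TLSContext that presents the mesh client certificate
#    to upstreams. "istio.default" is the legacy Citadel secret
#    (keys root-cert.pem, cert-chain.pem, key.pem) that exists on
#    Istio <= 1.4 and on clusters upgraded in place, but is never
#    written on a fresh 1.5 install, so this TLSContext loads nothing.
#    secret_namespacing must be false, otherwise Ambassador parses
#    "istio.default" as secret "istio" in namespace "default".
apiVersion: getambassador.io/v2
kind: TLSContext
metadata:
  name: istio-upstream
  namespace: default
spec:
  secret: istio.default
  secret_namespacing: false
---
# 3. Mapping that uses the TLSContext for its upstream connection.
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: productpage
  namespace: default
spec:
  prefix: /productpage/
  rewrite: /productpage
  service: productpage:9080
  tls: istio-upstream
```

Before applying this, check which of the two paths in the issue the cluster is on: `kubectl -n default get secret istio.default`. A NotFound result means the namespace secret was never written (fresh 1.5 install), and the TLSContext above cannot supply a client certificate no matter how the Mapping is configured; if the secret exists, the cluster was upgraded from 1.4 and the legacy path still works.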

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 16 (6 by maintainers)

Top GitHub Comments

3 reactions
ppeble commented, Oct 30, 2020

To add to the comment above, I have a feeling that I am also going to be in a similar boat sometime in the near future. We're heavily invested in both Ambassador and Istio, but to be honest I'm going to have a tough time convincing people that we shouldn't ditch Ambassador since Istio functionality usage is more widespread.

Unfortunately I don't have the bandwidth right now to really dive deep into the Ambassador source to look for a solution. If that changes in the future I'll post my findings here.

2 reactions
kflynn commented, Jan 4, 2021

This should be fixed in Ambassador 1.10. Check out https://www.getambassador.io/docs/latest/howtos/istio/ for the docs. 🙂
