istio 1.5 breaks secret handling for mTLS
Describe the bug
istio 1.5 introduces a breaking change to how secrets are handled. Secrets are no longer written into the namespace, which is how ambassador currently consumes the secrets for use in mTLS.

This only applies to STRICT mode in mTLS and only applies if you directly install istio 1.5 as a fresh install via istioctl. If you are upgrading from 1.4 to 1.5, then the old secret infrastructure remains. See https://discuss.istio.io/t/istios-helm-support-in-2020/5535/12 for confirmation of this behavior.

See the upgrade notes for more in-depth explanations of what is changing with regard to secrets.
To Reproduce
Steps to reproduce the behavior:
- Install istio 1.5 using istioctl as a fresh install. Ensure you are using strict mTLS.
- Install Ambassador (any version post 1.0)
- Configure TLS by following the istio documentation
- Configure a mapping to use the new TLSContext
- Attempt to curl that mapping. You will see a 'connection reset' error due to the lack of secret availability, as the istio sidecar will reject the request.
Expected behavior
Ambassador needs to either change to read via the new grpc secret method or use istio sidecars so that the current deployment solutions continue to work without interruption when using strict mTLS.
Additional context
We will also need to upgrade documentation to provide paths for upgrading istio installations. The decision on the part of the istio team to have different behavior depending on whether you perform a fresh install or are upgrading means that we will need to provide instructions on both paths.
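As an added illustration, not taken from the issue or from the Ambassador project, here is the configuration the reproduction steps above describe: mesh-wide STRICT peer authentication in Istio 1.5, and an Ambassador TLSContext plus Mapping that originate mTLS to the sidecars by reading the per-namespace `istio.default` secret, which Citadel wrote in pre-SDS installs and a fresh istioctl 1.5 install no longer creates. The resource names, the `default` namespace and the `productpage:9080` upstream are assumptions for the example.

```yaml
# Added example, not from the issue. Resource names, namespace and upstream are assumed.
# 1. Mesh-wide STRICT mTLS using the Istio 1.5 PeerAuthentication API.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Ambassador TLSContext used to originate mTLS to upstream sidecars.
#    It loads the client cert, key and root CA from the Kubernetes secret
#    "istio.default", which Citadel wrote into each namespace when secrets
#    were still file/secret based. On a fresh Istio 1.5 istioctl install that
#    secret is never created, so the context has nothing to present and the
#    sidecar resets the connection (the failure the issue reports).
apiVersion: getambassador.io/v2
kind: TLSContext
metadata:
  name: istio-upstream          # assumed name
  namespace: default            # assumed namespace (Ambassador's own)
spec:
  secret: istio.default
  secret_namespacing: false     # look up "istio.default" literally, no namespace suffix
---
# 3. Mapping that sends traffic upstream through that TLSContext.
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: productpage-mapping     # assumed name
  namespace: default
spec:
  prefix: /productpage/
  service: productpage:9080     # assumed upstream with an Istio sidecar injected
  tls: istio-upstream
```

Before curling the mapping, check whether the secret the TLSContext depends on actually exists with `kubectl get secret istio.default -n default`. On a cluster upgraded from 1.4 it is present; on a fresh 1.5 istioctl install the command returns NotFound, which is the missing-secret condition behind the connection reset described above.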
Issue Analytics
- Created 3 years ago
- Comments: 16 (6 by maintainers)
To add to the comment above, I have a feeling that I am also going to be in a similar boat sometime in the near future. We're heavily invested in both Ambassador and istio, but to be honest, I'm going to have a tough time convincing people that we shouldn't ditch Ambassador since istio functionality usage is more widespread.
Unfortunately, I don't have the bandwidth right now to really dive deep into Ambassador source to look for a solution. If that changes in the future, I'll post my findings here.
This should be fixed in Ambassador 1.10. Check out https://www.getambassador.io/docs/latest/howtos/istio/ for the docs. 🙂