1 | 1 | --- |
2 | 2 | title: Istio service mesh add-on plug-in CA certificate troubleshooting |
3 | 3 | description: Learn how to do plug-in CA certificate troubleshooting on the Istio service mesh add-on for Azure Kubernetes Service (AKS). |
4 | | -ms.date: 07/16/2024 |
| 4 | +ms.date: 03/04/2025 |
5 | 5 | author: deveshdama |
6 | 6 | ms.author: ddama |
7 | 7 | editor: v-jsitser |
@@ -43,7 +43,7 @@ This article discusses common troubleshooting issues with the Istio add-on plug- |
43 | 43 |
|
44 | 44 | - For the cluster to auto-detect changes in the Azure Key Vault secrets, you have to enable [auto-rotation](/azure/aks/csi-secrets-store-configuration-options#enable-and-disable-auto-rotation) for the Azure Key Vault secrets provider add-on. |
45 | 45 |
|
46 | | -- Although changes to the intermediate certificate are applied automatically, changes to the root certificate are only picked up by the control plane after the `istiod` deployment is restarted by a cronjob that the add-on deploys, as explained in the [Deployed resources](#deployed-resources) section. This cronjob runs at a 10-minute interval. |
| 46 | +- Changes to the root and intermediate certificates are applied automatically. |
47 | 47 |
|
48 | 48 | ## Enable the Istio add-on to use a plug-in CA certificate |
49 | 49 |
|
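Review bot: the new line 46 drops any statement of how fast a root certificate change propagates, while line 44 still makes detection conditional on auto-rotation being enabled for the Azure Key Vault secrets provider add-on; a reader can no longer tell whether a rotated root is live within seconds or only after the provider's next poll. Suggest tying the two together, e.g. "Changes to the root and intermediate certificates are applied automatically once the Key Vault secrets provider add-on rotates the mounted secret; no `istiod` restart is required." That also makes explicit that the restart-based behaviour described in the removed line no longer applies, which matters for anyone who scripted around the old 10-minute window.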
@@ -119,35 +119,6 @@ As part of the add-on deployment for the plug-in certificates feature, the follo |
119 | 119 | -----END CERTIFICATE----- |
120 | 120 | ``` |
121 | 121 |
|
122 | | -- The `istio-cert-validator-cronjob-asm-1-21` [cronjob object](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/) is created in the `aks-istio-system` namespace. This cronjob is scheduled to run every 10 minutes to check for updates on the root certificate. If the root certificate that's in the `cacerts` Kubernetes secret doesn't match the `istio-ca-root-cert` configmap in the `aks-istio-system` namespace, it restarts the `istiod-asm-1-21` deployment: |
123 | | - |
124 | | - ```bash |
125 | | - kubectl get cronjob --namespace aks-istio-system |
126 | | - ``` |
127 | | - |
128 | | - ```output |
129 | | - NAME SCHEDULE SUSPEND ACTIVE |
130 | | - istio-cert-validator-cronjob-asm-1-21 */10 * * * * False 0 |
131 | | - ``` |
132 | | - |
133 | | - You can run the following command to check the cronjob logs for the last run: |
134 | | - |
135 | | - ```bash |
136 | | - kubectl logs --namespace aks-istio-system $(kubectl get pods --namespace aks-istio-system | grep 'istio-cert-validator-cronjob-' | sort -k8 | tail -n 1 | awk '{print $1}') |
137 | | - ``` |
138 | | - |
139 | | - This command generates one of the following output messages, depending on whether a root certificate update was detected: |
140 | | - |
141 | | - ```output |
142 | | - Root certificate update not detected. |
143 | | - ``` |
144 | | - |
145 | | - ```output |
146 | | - Root certificate update detected. Restarting deployment... |
147 | | - deployment.apps/istiod-asm-1-21 restarted |
148 | | - Deployment istiod-asm-1-21 restarted. |
149 | | - ``` |
150 | | - |
151 | 122 | ## Determine certificate type in deployment logs |
152 | 123 |
|
153 | 124 | You can view the `istiod` deployment logs to determine whether you have a self-signed CA certificate or a plug-in CA certificate. To view the logs, run the following command: |
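Review bot: deleting the `istio-cert-validator-cronjob-asm-1-21` item removes the only verification step this troubleshooting page offered for a root certificate rotation (the `kubectl logs` check on the cronjob pod and its "Root certificate update detected" / "not detected" messages), without adding a replacement. Since the removed lines also name the two objects a reader can still compare, the `cacerts` secret and the `istio-ca-root-cert` configmap in `aks-istio-system`, consider adding a short check in the same list, e.g. extract the root from `cacerts` and diff it against the configmap, so that "applied automatically" on line 46 is something the operator can confirm rather than assume. If the cronjob can still be present on clusters created before this change, a one-line note that it is obsolete and safe to ignore would also help.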