Description
Ztunnel loads the Istio CA root certificate once at startup and never reloads it. When the root cert is rotated (e.g. via the istio-ca-root-cert ConfigMap), existing ztunnel pods must be restarted to pick up the new cert. This causes UnknownIssuer errors during CA rotation until pods are restarted.
Instead, ztunnel should use a file-watcher approach similar to src/tls/crl.rs, so that when istio-ca-root-cert is rotated, ztunnel picks up the changes automatically.
Example logs when a rotation happens without restarting ztunnel:
error cert_fetcher unable to prefetch cert for "spiffe://cluster.local/ns/flux-system/sa/source-controller", skipping, SigningRequest(Status { code: Unknown, message: "client error (Connect)", source: Some(client error (Connect)
Caused by:
invalid peer certificate: UnknownIssuer
Stack backtrace:
0: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
1: <ztunnel::tls::control::TlsGrpcChannel as tower_service::Service<http::request::Request<tonic::body::Body>>>::call::{{closure}}
2: ztunnel::identity::caclient::CaClient::fetch_certificate::{{closure}}::{{closure}}
3: <ztunnel::identity::caclient::CaClient as ztunnel::identity::manager::CaClientTrait>::fetch_certificate::{{closure}}
4: <futures_util::stream::futures_unordered::FuturesUnordered<Fut> as futures_core::stream::Stream>::poll_next
5: ztunnel::identity::manager::Worker::new::{{closure}}
6: tokio::runtime::task::raw::poll
7: ztunnel::main
8: std::sys::backtrace::__rust_begin_short_backtrace
9: main
10: __libc_start_call_main
11: __libc_start_main_impl
12: _start) })
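The reload-on-change pattern the issue asks for, as an added std-only Rust sketch (not ztunnel's or Istio's code): load the root PEM once at startup, then let a watcher or poll loop call reload_if_changed so a rotated istio-ca-root-cert file is swapped in without a restart. It assumes the rotated root is visible as a file on disk (the mounted ConfigMap) and uses a minimal illustrative PEM splitter in place of a real trust store.

```rust
// Added example, not ztunnel's code: a root-cert holder that re-reads its PEM
// file when the contents change, so a rotated istio-ca-root-cert is picked up
// without a restart. The path and the minimal PEM parser are illustrative.
use std::path::{Path, PathBuf};
use std::sync::RwLock;
use std::{fs, io};
/// Collect the base64 body of each CERTIFICATE block in a PEM file.
fn parse_pem_certs(pem: &str) -> Vec<String> {
    let mut certs = Vec::new();
    let mut current: Option<String> = None;
    for line in pem.lines().map(str::trim) {
        if line == "-----BEGIN CERTIFICATE-----" {
            current = Some(String::new());
        } else if line == "-----END CERTIFICATE-----" {
            certs.extend(current.take());
        } else if let Some(body) = current.as_mut() {
            body.push_str(line);
        }
    }
    certs
}
pub struct ReloadableRoots {
    path: PathBuf,
    last_raw: RwLock<Vec<u8>>,  // bytes last accepted, used to detect a change
    roots: RwLock<Vec<String>>, // the live trust set, swapped under the lock
}
impl ReloadableRoots {
    /// Startup load: per the issue, this is the only load ztunnel does today.
    pub fn load(path: &Path) -> io::Result<Self> {
        let raw = fs::read(path)?;
        let roots = parse_pem_certs(&String::from_utf8_lossy(&raw));
        Ok(Self { path: path.to_path_buf(), last_raw: RwLock::new(raw), roots: RwLock::new(roots) })
    }
    /// Called from a watcher or poll loop. Installs new roots only if the bytes
    /// changed; Ok(true) means a new set is live. A read containing no
    /// certificates is rejected so a partial write cannot empty the trust set.
    pub fn reload_if_changed(&self) -> io::Result<bool> {
        let raw = fs::read(&self.path)?;
        let unchanged = *self.last_raw.read().unwrap() == raw;
        if unchanged { return Ok(false); }
        let roots = parse_pem_certs(&String::from_utf8_lossy(&raw));
        if roots.is_empty() {
            return Err(io::Error::new(io::ErrorKind::InvalidData, "no certificates in PEM"));
        }
        *self.roots.write().unwrap() = roots;
        *self.last_raw.write().unwrap() = raw;
        Ok(true)
    }
    pub fn current(&self) -> Vec<String> { self.roots.read().unwrap().clone() }
}
```

Keeping the old set when a read yields nothing is the caveat that matters during rotation: the watcher may fire while the new file is still being written, and clearing the roots at that moment would turn every CA connection into the UnknownIssuer failure the logs above show.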