IIRC, it's unnecessary to reboot when you just change the intermediate certificate from the same root CA.
We use our own rootCA and we had a case where the intermediate CA certificate expired, which we replaced, but we had to restart all application workloads including pilot (istiod) and ingressgateways.
Is it possible for Istiod to push the newly re-issued certificates to each connected istio-proxy so that the restarts are not required?
I went through some code and realized that SDS is served on istio-proxy and that the SDS server has a SecretManager which has a client that calls istiod CA to issue a CSR and it gets the certificate. Can someone please confirm if there is no capability from the istiod side to push certificates to the proxy? Looks like the proxy can just pull the certificates when the envoy agent asks for it.