Tags: istio, istio-gateway

Failed to load trusted CA certificates from <inline>


Unable to set up mTLS on the gateway. If I set the gateway to mode: MUTUAL, then istio-ingressgateway outputs Failed to load trusted CA certificates from <inline>. I am using a Cloudflare origin pull CA cert. With mode: SIMPLE the secret works as expected.

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

generatorOptions:
  disableNameSuffixHash: true

secretGenerator:
  - name: mysite.com-cer
    namespace: istio-system
    type: kubernetes.io/tls
    files:
      - tls.key=certs/mysite.com.key
      - tls.crt=certs/mysite.com.cer
      - ca.crt=certs/cloudflare-ca.crt

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gw

spec:
  servers:
    - hosts:
        - 'mysite.com'
        - '*.mysite.com'

      port:
        number: 1443
        name: https
        protocol: HTTPS

      tls:
        mode: MUTUAL
        credentialName: mysite.com-cer

Istio 1.12.1


Solution

  • Check the contents of the ca.crt value in the generated secret and make sure it is a valid certificate.

    Failed to load trusted CA certificates from <inline> indicates that the certificate is empty or invalid.
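One way to perform the check the answer describes against the secret that kustomize generated, as an added example that is not part of the original question or answer: it reads the JSON that `kubectl get secret mysite.com-cer -n istio-system -o json` prints and reports why the `ca.crt` value could fail to load. The secret and the PEM body used below are constructed placeholders; the check validates only PEM framing and the outer DER SEQUENCE, not the full X.509 structure (use `openssl x509 -noout -text` for that).

```python
import base64
import json
import re
import ssl

# One PEM certificate block; a CA bundle may contain several.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
REQUIRED_KEYS = ("tls.crt", "tls.key", "ca.crt")  # what tls.mode: MUTUAL needs in the secret


def _der_sequence_ok(der: bytes) -> bool:
    """True if der is one complete DER SEQUENCE (tag 0x30 with a length matching the data)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                          # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                          # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def ca_problems(secret_json: str) -> list:
    """Return human-readable problems with ca.crt; an empty list means it looks loadable."""
    data = json.loads(secret_json).get("data") or {}
    problems = [f"missing key {k!r}" for k in REQUIRED_KEYS if k not in data]
    if "ca.crt" not in data:
        return problems
    try:
        raw = base64.b64decode(data["ca.crt"])  # kubectl shows Secret values base64-encoded
    except ValueError as exc:
        return problems + [f"ca.crt is not valid base64: {exc}"]
    if not raw.strip():
        # kustomize emits an empty value when certs/cloudflare-ca.crt is an empty file
        return problems + ["ca.crt is empty"]
    blocks = PEM_BLOCK.findall(raw.decode("ascii", "replace"))
    if not blocks:
        problems.append("ca.crt has no BEGIN/END CERTIFICATE block (wrong file, DER, or a key?)")
    for i, block in enumerate(blocks):
        try:
            der = ssl.PEM_cert_to_DER_cert(block)   # stdlib: strips markers, base64-decodes
        except ValueError as exc:
            problems.append(f"certificate {i} in ca.crt is not valid PEM: {exc}")
            continue
        if not _der_sequence_ok(der):
            problems.append(f"certificate {i} in ca.crt does not decode to a complete DER SEQUENCE")
    return problems


def constructed_secret(ca_crt: bytes) -> str:
    """Constructed stand-in for `kubectl get secret mysite.com-cer -n istio-system -o json`."""
    b64 = lambda b: base64.b64encode(b).decode()
    return json.dumps({"kind": "Secret", "type": "kubernetes.io/tls",
                       "metadata": {"name": "mysite.com-cer", "namespace": "istio-system"},
                       "data": {"tls.crt": b64(b"<server cert>"), "tls.key": b64(b"<server key>"),
                                "ca.crt": b64(ca_crt)}})


# Placeholder DER SEQUENCE (not a real certificate) so the structural check runs offline.
PLACEHOLDER_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for label, ca in (("empty ca.crt", b""), ("placeholder PEM", PLACEHOLDER_PEM)):
        print(label, "->", ca_problems(constructed_secret(ca)) or "ok")
```

On a live cluster, pipe `kubectl get secret mysite.com-cer -n istio-system -o json` into `ca_problems`; an empty `ca.crt` is exactly the case the answer points at.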