Open dansimone opened 2 weeks ago
In the case of this spot in the code, for example, are there any valid reasons to skip adding the federated trust bundles just because update.HasIdentity()
is false? The code in that code block has no dependency on the identity.
Or, could/should this entire composeX509BundlesResponse()
function fail out if update.HasIdentity()
is false? Either of these behaviors would also have prevented this problem.
Thank you @dansimone for opening this issue.
Do you have the allow_unauthenticated_verifiers
agent setting set as true?
Our setup consists of:
In this setup, we've encountered a race condition that results in the istio-proxy being sent an incomplete trust bundle.
Here's the specific sequence that reproduces the problem (which can be reliably reproduced with some node-level iptables hacks to prevent the spire-agent from talking to port 10250):