
[EV-6485] fix(istio): set correct CA_TRUSTED_NODE_ACCOUNTS namespace on OpenShift#4538

Open
electricjesus wants to merge 1 commit into release-v1.40 from seth/ev-6485-cherry-pick-v1.40

Conversation

@electricjesus
Member

Summary

  • The embedded Istio Helm chart's OpenShift platform profile hardcodes trustedZtunnelNamespace: "kube-system", but the operator deploys ztunnel to calico-system
  • This causes istiod to set CA_TRUSTED_NODE_ACCOUNTS=kube-system/ztunnel, so it rejects all ztunnel impersonation requests with "request impersonation authentication failure"
  • Workloads in the ambient mesh cannot obtain SPIFFE certificates, causing connection resets (curl exit code 56) on all mesh traffic
  • Fix: explicitly set trustedZtunnelNamespace in the istiod Helm values to IstioNamespace (calico-system), overriding the OpenShift profile default

Changes

  • pkg/render/istio/config.go: Add TrustedZtunnelNamespace field to IstiodOpts struct
  • pkg/render/istio/istio.go: Set TrustedZtunnelNamespace: IstioNamespace in istiod chart values
  • pkg/render/istio/istio_test.go: Update OpenShift test assertion from kube-system/ztunnel to calico-system/ztunnel

Release Note

Set correct CA_TRUSTED_NODE_ACCOUNTS namespace on OpenShift

Fixes: https://tigera.atlassian.net/browse/EV-6485

Test plan

  • CI render tests pass (updated assertion)
  • Deploy on OpenShift cluster and verify CA_TRUSTED_NODE_ACCOUNTS=calico-system/ztunnel on istiod
  • Verify ztunnel can obtain SPIFFE certs (no impersonation errors in istiod logs)
  • Verify ambient mesh traffic flows (curl between pods returns 200)
  • Run DE journey test: istio-ambient-mode traffic encryption and Calico network policy enforcement

…ft [EV-6485] (#4510)

The embedded Istio Helm chart's OpenShift platform profile hardcodes
trustedZtunnelNamespace to "kube-system", but the operator deploys
ztunnel to calico-system. This causes istiod to reject ztunnel
impersonation requests, preventing certificate issuance for ambient
mesh workloads and breaking all mesh traffic with connection resets.

Explicitly set trustedZtunnelNamespace in the istiod Helm values to
IstioNamespace (calico-system) so it overrides the profile default.
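The precedence problem described in the PR summary and the commit message (profile default vs. explicit istiod value, and what istiod ends up trusting) as an added, stand-alone model, not the operator's own IstiodOpts or render code and not Istio's chart templates. The profile map below is constructed from what the PR states (the OpenShift profile pins trustedZtunnelNamespace to kube-system); the type and function names, and the choice to treat "neither set" as "no env var", are assumptions for illustration.

```go
package main

import "fmt"

// Added example: a small model of how the istiod Helm values decide
// CA_TRUSTED_NODE_ACCOUNTS, plus a check that the result matches the
// namespace ztunnel is actually deployed to. Names are hypothetical;
// this is not the operator's IstiodOpts or its render code.

// IstioNamespace is the namespace the operator deploys istiod and ztunnel to.
const IstioNamespace = "calico-system"

// profileDefaults is a constructed model of the chart's platform profiles.
// Only the OpenShift profile pins trustedZtunnelNamespace (to kube-system).
var profileDefaults = map[string]map[string]string{
	"openshift": {"trustedZtunnelNamespace": "kube-system"},
	"default":   {},
}

// IstiodValues stands in for the values the operator passes to the istiod
// chart. An empty TrustedZtunnelNamespace means "not set explicitly".
type IstiodValues struct {
	Profile                 string
	TrustedZtunnelNamespace string
}

// RenderTrustedZtunnelNamespace applies Helm precedence: an explicit user
// value wins over the platform profile default. When neither sets it the
// result is "" (modelled here as "env var not emitted"; an assumption).
func RenderTrustedZtunnelNamespace(v IstiodValues) string {
	if v.TrustedZtunnelNamespace != "" {
		return v.TrustedZtunnelNamespace
	}
	// Indexing a missing profile yields a nil map, which safely reads as "".
	return profileDefaults[v.Profile]["trustedZtunnelNamespace"]
}

// CATrustedNodeAccounts returns what istiod would receive in
// CA_TRUSTED_NODE_ACCOUNTS ("<namespace>/ztunnel"), or "" if unset.
func CATrustedNodeAccounts(v IstiodValues) string {
	ns := RenderTrustedZtunnelNamespace(v)
	if ns == "" {
		return ""
	}
	return ns + "/ztunnel"
}

// CheckZtunnelTrusted reports whether istiod would accept impersonation
// requests from the ztunnel service account running in ztunnelNamespace.
func CheckZtunnelTrusted(v IstiodValues, ztunnelNamespace string) error {
	got := CATrustedNodeAccounts(v)
	want := ztunnelNamespace + "/ztunnel"
	if got != want {
		return fmt.Errorf("istiod trusts %q but ztunnel runs as %q: "+
			"impersonation requests would be rejected", got, want)
	}
	return nil
}

func main() {
	// Before the fix: the OpenShift profile default leaks through.
	before := IstiodValues{Profile: "openshift"}
	fmt.Println("before:", CATrustedNodeAccounts(before), CheckZtunnelTrusted(before, IstioNamespace))

	// After the fix: the explicit value overrides the profile default.
	after := IstiodValues{Profile: "openshift", TrustedZtunnelNamespace: IstioNamespace}
	fmt.Println("after: ", CATrustedNodeAccounts(after), CheckZtunnelTrusted(after, IstioNamespace))
}
```

The same check is what the test plan's second and third steps do by hand on a cluster: compare the CA_TRUSTED_NODE_ACCOUNTS value on the istiod deployment against the namespace of the running ztunnel DaemonSet, and treat any mismatch as "certificate issuance will fail" rather than as a cosmetic difference.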
