Enabling mTLS in STRICT Mode with Open Policy Agent
When configuring mutual TLS (mTLS) in STRICT mode within an Istio cluster that utilizes Open Policy Agent (OPA), you may encounter errors during pod creation. One such error message is:
Error from server (InternalError): Internal error occurred: failed calling webhook "istio.openpolicyagent.org": failed to call webhook: Post "https://admission-controller.opa-istio.svc:443/v0/data/istio/inject?timeout=10s": x509: certificate is not valid for any names, but wanted to match admission-controller.opa-istio.svc
This error typically indicates an issue with the TLS certificate used by the OPA admission controller. Here are some steps to help you diagnose and resolve the problem:
Steps to Troubleshoot

1. Verify Peer Authentication Configuration: Ensure that you have correctly set up the peer authentication policy for the istio-system namespace with the mode set to STRICT. This configuration is essential for enforcing mTLS.

2. Check Certificate Validity: The error suggests that the certificate presented by the OPA admission controller is not valid for the expected service name. You can check the certificate details using the following command:

   kubectl get secret -n opa-istio admission-controller-cert -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -text -noout

   Look for the Subject Alternative Name (SAN) field to ensure it includes admission-controller.opa-istio.svc.

3. Inspect OPA Logs: Check the logs of the OPA admission controller for any additional error messages that could provide further insight into the issue. Use:

   kubectl logs -l app=opa -n opa-istio

4. Namespace Isolation: If you can create pods in other namespaces that do not have OPA injection enabled (i.e., namespaces without the opa-istio-injection=enabled label), it suggests that the issue is isolated to the configuration in the istio-system namespace. Review any specific configurations or policies applied there.

5. Consult Community Resources: If the issue persists, consider reaching out to community forums or checking existing issues on the Open Policy Agent GitHub repository for similar cases and potential solutions.
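The SAN check in step 2 is the one that matters most for this particular message. The Kubernetes API server is written in Go, and Go's crypto/x509 reports "certificate is not valid for any names, but wanted to match <host>" precisely when the certificate carries no usable SAN entries at all; a Subject CN alone is not consulted, so a certificate issued only with CN=admission-controller.opa-istio.svc still fails. The script below is an added example (not code from the original article or from the OPA or Istio projects) that automates that check on a PEM file: it lists the SAN entries and tells you whether they cover the name the API server will dial, using the same matching rules Go applies (exact DNS entry, single-label wildcard, or IP entry). It assumes the openssl CLI is available; the secret name, namespace and expected service name in the usage comment are taken from the article.

```shell
#!/bin/sh
# Added example (not part of the original article): check whether a webhook
# serving certificate carries the SAN the API server will look for.
# Usage with the secret named in the article:
#   kubectl get secret -n opa-istio admission-controller-cert \
#     -o jsonpath='{.data.tls\.crt}' | base64 --decode > /tmp/webhook.pem
#   sh check_webhook_cert.sh /tmp/webhook.pem admission-controller.opa-istio.svc
set -eu

# Print the Subject Alternative Name entries of a PEM certificate, one per
# line (e.g. "DNS:admission-controller.opa-istio.svc"). Prints nothing when
# the certificate has no SAN extension at all.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Return 0 if the certificate's SANs cover HOST the way Go's crypto/x509
# (used by the Kubernetes API server) matches them: an exact DNS entry,
# a single-label wildcard (*.example matches a.example, not a.b.example),
# or an IP Address entry. The Subject CN is deliberately not consulted.
cert_valid_for() {
  pem="$1"; host="$2"
  cert_sans "$pem" | {
    found=1
    while IFS= read -r san; do
      case "$san" in
        "DNS:$host"|"IP Address:$host") found=0 ;;
        "DNS:*."*)
          suffix=${san#DNS:\*.}
          rest=${host%.$suffix}
          # A wildcard matches only when exactly one label was stripped.
          if [ "$rest" != "$host" ]; then
            case "$rest" in ""|*.*) ;; *) found=0 ;; esac
          fi ;;
      esac
    done
    # The loop runs in a pipeline subshell, so exit carries the verdict out.
    exit "$found"
  }
}

# Human-readable verdict, mirroring the wording of the webhook error.
# Exit status: 0 covered, 1 no SAN extension, 2 SANs present but wrong names.
explain_cert() {
  pem="$1"; host="$2"
  sans=$(cert_sans "$pem")
  if [ -z "$sans" ]; then
    echo "no SAN extension: certificate is not valid for any names, but wanted to match $host"
    return 1
  elif cert_valid_for "$pem" "$host"; then
    echo "ok: certificate covers $host"
    return 0
  else
    echo "SANs [$(printf '%s' "$sans" | tr '\n' ' ')] do not cover $host"
    return 2
  fi
}

# Run directly: sh check_webhook_cert.sh <cert.pem> <expected-name>
if [ "$#" -ge 2 ]; then
  explain_cert "$1" "$2"
fi
```

If the script reports "no SAN extension", regenerating the webhook certificate with a subjectAltName for admission-controller.opa-istio.svc (and updating the secret and the webhook's caBundle accordingly) is the fix; if it lists SANs that do not cover the name, the certificate was issued for a different service name or namespace than the one the webhook configuration points at.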
By following these steps, you should be able to identify the root cause of the issue and successfully enable mTLS in STRICT mode with OPA in your Istio cluster.