Repairing Citadel

Citadel is not a critical data plane component. The default workload certificate lifetime is 3 months. Certificates will be rotated by Citadel before they expire. If Citadel is disabled for short maintenance periods, existing mutual TLS traffic will not be affected.

If you suspect Citadel isn’t working properly, verify the status of the istio-citadel pod:

$ kubectl get pod -l istio=citadel -n istio-system
NAME                                     READY     STATUS   RESTARTS   AGE
istio-citadel-ff5696f6f-ht4gq            1/1       Running  0          25d

If the istio-citadel pod doesn’t exist, try to re-deploy the pod.

If the istio-citadel pod is present but its status is not Running, run the commands below to get more debugging information and check if there are any errors:

$ kubectl logs -l istio=citadel -n istio-system
$ kubectl describe pod -l istio=citadel -n istio-system

If you want to check a workload (with default service account and default namespace) certificate’s lifetime:

$ kubectl get secret -o json istio.default -n default | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -noout -text | grep "Not After" -C 1
  Not Before: Jun  1 18:23:30 2019 GMT
  Not After : Aug 30 18:23:30 2019 GMT
Subject: