Checking OSM-injected pod’s client certificate status
As you know, Open Service Mesh leverages mTLS to enforce authentication and authorization logic across services belonging to the mesh.
Each OSM-injected pod will get a client certificate that will be presented to other mesh members for every interaction. If you happen to encounter 503 return codes, or filterchainnot_found kind of issues when trying to call other meshed services, this might be due to:
- An expired client certificate
- No client certificate at all
By default, each certificate is valid for 24 hours and must thus be rotated by OSM. From time to time, it appears that some certs are not rotated correctly.
You can double-check this by performing a GET HTTP request against http://127.0.0.1:15000/certs, an endpoint made available by the Envoy API, which returns all the certs known by Envoy.
Make sure to check the expiry date and time of your certificate. In case it is expired or even absent, the only solution is to restart the pod.