[BUG] e2e tests failing on release-1.0 branch #1449
Description
Is this the right place to submit this?
- This is not a question about how to use the sail-operator
Bug Description
Failing tests:
Summarizing 1 Failure:
[FAIL] Ambient configuration for supported versions Istio version 1.24.4 when sample apps are deployed in the cluster [It] can access the httpbin service from the sleep pod [smoke, ambient]
/home/prow/go/src/github.com/istio-ecosystem/sail-operator/tests/e2e/ambient/ambient_test.go:388
Prow dashboard: https://prow.istio.io/pr-history/?org=istio-ecosystem&repo=sail-operator&pr=1401
Observations:
The failures happened because the ztunnel pods couldn’t resolve or reach the Istio CA endpoint at istiod.istio-system.svc:15012. The control plane and data plane started up fine, but the DNS or network issue kept ztunnel from getting the workload certificates for the httpbin and sleep pods. Without those certificates, mTLS and HBONE traffic couldn’t be set up, which led to the basic connectivity test failing.
Its the same error even with the dual-stack job.
Following is the error message from the ztunnel pod.
2025-11-27T14:13:59.603382Z error cert_fetcher unable to prefetch cert for "spiffe://cluster.local/ns/httpbin/sa/httpbin", skipping, SigningRequest(Status { code: Unknown, message: "client error (Connect)", source: Some(client error (Connect)
Caused by:
0: dns error: failed to lookup address information: Name or service not known
1: failed to lookup address information: Name or service not known
Stack backtrace:
0: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
1: <ztunnel::tls::control::TlsGrpcChannel as tower_service::Service<http::request::Request<http_body_util::combinators::box_body::UnsyncBoxBody<bytes::bytes::Bytes,tonic::status::Status>>>>::call::{{closure}}
2: ztunnel::identity::caclient::CaClient::fetch_certificate::{{closure}}::{{closure}}
3: <ztunnel::identity::caclient::CaClient as ztunnel::identity::manager::CaClientTrait>::fetch_certificate::{{closure}}
4: <futures_util::stream::futures_unordered::FuturesUnordered<Fut> as futures_core::stream::Stream>::poll_next
5: ztunnel::identity::manager::Worker::run::{{closure}}
6: ztunnel::identity::manager::Worker::new::{{closure}}
7: tokio::runtime::task::raw::poll
8: ztunnel::main
9: std::sys::backtrace::__rust_begin_short_backtrace
10: main
11: __libc_start_call_main
12: __libc_start_main_alias_1
13: _start) })
2025-11-27T14:13:59.606040Z error cert_fetcher unable to prefetch cert for "spiffe://cluster.local/ns/sleep/sa/sleep", skipping, SigningRequest(Status { code: Unknown, message: "client error (Connect)", source: Some(client error (Connect)
Caused by:
0: dns error: failed to lookup address information: Name or service not known
1: failed to lookup address information: Name or service not known
Operator Version
release-1.0 with Istio 1.24.x
Link to Gist with Logs
No response
Additional Information
No response