mTLS Certificate Expiration Cascade
Severity: critical
Expired or failing-to-rotate certificates cause widespread service-to-service authentication failures, resulting in complete traffic loss between services when mTLS is in STRICT mode.
Monitor istio_citadel_server_root_cert_expiry_timestamp and istio_citadel_server_cert_chain_expiry_timestamp for upcoming expirations (within 7 days). Track istio_citadel_server_authentication_failure for authentication errors. Check istio_citadel_server_success_cert_issuance to confirm certificates are being issued successfully.
Set up alerts for certificates expiring within 30 days. If certificates have already expired, temporarily switch the PeerAuthentication mode to PERMISSIVE to restore traffic while fixing certificate rotation (PERMISSIVE also accepts plaintext connections, so switch back to STRICT once rotation works). Verify that istiod can reach all sidecars for certificate distribution. Check for network policies blocking sidecar-to-istiod traffic on port 15012, the istiod port over which sidecars request certificates. If rotation is stuck, force certificate regeneration by restarting istiod.
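The detection and mitigation steps above can be turned into a single check. The following Python script is an added example, not Istio's own code or tooling: it parses a Prometheus-format scrape of istiod's metrics, applies the 7-day (critical) and 30-day (alert) expiry windows using the metric names given above, reports new authentication failures, and flags the "rotation is stuck" case where a certificate is near expiry but the issuance counter has not moved since the previous scrape. The two sample scrapes, the timestamps and the counter values are constructed for illustration; the helper names (`parse_metrics`, `evaluate`, `overall_severity`) are this example's own.

```python
import re

DAY = 86_400
ROOT_EXPIRY = "istio_citadel_server_root_cert_expiry_timestamp"
CHAIN_EXPIRY = "istio_citadel_server_cert_chain_expiry_timestamp"
AUTH_FAILURES = "istio_citadel_server_authentication_failure"
ISSUANCE_OK = "istio_citadel_server_success_cert_issuance"

# Constructed sample scrapes (not real istiod output). Values are unix
# timestamps and cumulative counters chosen to show a certificate chain five
# days from expiry, three new authentication failures, and an issuance
# counter that has not moved between the two scrapes.
NOW = 1_700_000_000
PREVIOUS_SCRAPE = """\
# HELP istio_citadel_server_root_cert_expiry_timestamp root cert expiry
istio_citadel_server_root_cert_expiry_timestamp 1734560000
istio_citadel_server_cert_chain_expiry_timestamp 1700432000
istio_citadel_server_authentication_failure 0
istio_citadel_server_success_cert_issuance 120
"""
CURRENT_SCRAPE = """\
istio_citadel_server_root_cert_expiry_timestamp 1734560000
istio_citadel_server_cert_chain_expiry_timestamp 1700432000
istio_citadel_server_authentication_failure 3
istio_citadel_server_success_cert_issuance 120
"""

# One Prometheus text-exposition sample: name, optional {labels}, value.
_SAMPLE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+(\S+)")


def parse_metrics(text):
    """Parse Prometheus text exposition into {metric_name: float}.

    Labels are discarded (one sample per name is enough here) and
    HELP/TYPE comment lines are skipped.
    """
    metrics = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _SAMPLE.match(line)
        if match:
            metrics[match.group(1)] = float(match.group(3))
    return metrics


def _delta(metrics, previous, name):
    """Counters are cumulative, so the change since the last scrape is what matters."""
    current = metrics.get(name, 0.0)
    if previous is None:
        return current
    return current - previous.get(name, 0.0)


def evaluate(metrics, now, previous=None, warn_days=30, critical_days=7):
    """Return (severity, message) findings for the runbook's thresholds."""
    findings = []
    expiry_pending = False
    for name, label in ((ROOT_EXPIRY, "root certificate"),
                        (CHAIN_EXPIRY, "certificate chain")):
        if name not in metrics:
            findings.append(("warning", f"{name} missing from scrape"))
            continue
        days_left = (metrics[name] - now) / DAY
        if days_left <= 0:
            findings.append(("critical", f"{label} expired {-days_left:.1f} days ago"))
            expiry_pending = True
        elif days_left < critical_days:
            findings.append(("critical", f"{label} expires in {days_left:.1f} days"))
            expiry_pending = True
        elif days_left < warn_days:
            findings.append(("warning", f"{label} expires in {days_left:.1f} days"))
            expiry_pending = True

    failures = _delta(metrics, previous, AUTH_FAILURES)
    if failures > 0:
        findings.append(("warning",
                         f"{failures:.0f} authentication failures since previous scrape"))

    # A certificate near expiry while istiod issues nothing new is the
    # "rotation is stuck" case the runbook addresses by restarting istiod.
    if previous is not None and expiry_pending and _delta(metrics, previous, ISSUANCE_OK) == 0:
        findings.append(("critical",
                         "no certificates issued since previous scrape while expiry is pending; rotation may be stuck"))
    return findings


_RANK = {"ok": 0, "warning": 1, "critical": 2}


def overall_severity(findings):
    """Highest severity among the findings, or 'ok' when there are none."""
    return max((sev for sev, _ in findings), key=_RANK.get, default="ok")


if __name__ == "__main__":
    current = parse_metrics(CURRENT_SCRAPE)
    previous = parse_metrics(PREVIOUS_SCRAPE)
    results = evaluate(current, NOW, previous=previous)
    for severity, message in results:
        print(f"[{severity}] {message}")
    print("overall:", overall_severity(results))
```

Run against the constructed scrapes, the check reports the chain certificate as critical (5.0 days left), the three new authentication failures as a warning, and the stalled issuance counter as a second critical finding. Feeding it two consecutive real scrapes of istiod's metrics endpoint gives the same three signals the runbook asks you to watch; the delta between scrapes is used deliberately, because the failure and issuance metrics are cumulative counters and their absolute values say little on their own.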