PREQUEL-2025-0010
Telepresence agent-injector certificate reload failure
Severity: High
Impact: 8/10
Mitigation: 4/10
Description
Telepresence 2.5.x versions suffer from a critical TLS handshake error between the mutating webhook and the agent injector. When the certificate is rotated or regenerated, the agent-injector pod fails to reload the new certificate, so every admission request fails with "remote error: tls: bad certificate". This breaks the traffic manager's ability to inject the agent into workloads and prevents Telepresence from functioning.
Mitigation
Short-term fixes:
- Manually rotate the certificate and restart the injector:
    kubectl -n ambassador delete secret mutator-webhook-tls
    helm upgrade traffic-manager datawire/telepresence --reuse-values
    kubectl -n ambassador rollout restart deploy/agent-injector

Long-term solution:
- Upgrade Telepresence to version 2.18.1 or later, which includes fixes for certificate rotation:
    helm upgrade traffic-manager datawire/telepresence --version=2.18.1 --reuse-values
- When upgrading, use the new "agentInjector.certificate.regenerate" Helm option to safely rotate certificates
- Set up a maintenance schedule to ensure timely upgrades of critical service mesh components