Comments (2)
Hi @SantiMunoz, can you verify that the CA being propagated is in fact the CA that you are intending to propagate, and that the resulting certificates contain a full valid chain?
$ openssl verify -verbose -CAfile <(cat Intermediate.pem RootCert.pem) IstioCert.pem
- RootCert.pem should contain the CA that is being propagated.
- Intermediate.pem should be the intermediates as they appear in the CertificateRequest, not including the leaf certificate.
- IstioCert.pem is the leaf certificate.
> I think the problem here is that the CA loaded from istio-csr is not correctly propagated to these first CertificateRequests.
The CertificateRequests are signed and updated by the configured cert-manager Issuer. istio-csr is only responsible and capable of creating the resource and reading back what it is updated with.
from istio-csr.
@JoshVanL thanks again for your tips, I realised I was loading the wrong CA in istio-csr. Everything works as expected with the correct CA :)
from istio-csr.