I've connected cert-manager to a remote instance of Vault, where Vault is acting as my certificate issuer. However, I have some restraints generating certificates from this CA. Specifically, I need to set a number of subject fields:
subject.localities
subject.organizationalUnits
subject.organization
subject.provinces
subject.countries
There does not seem to be a way to set these for the certificates that istio-csr is attempting to create. My istio-csr deployment is failing because it cannot issue the initial certificate because Vault will not issue certificates with wildcard values for those subject fields above.
Is there any way for me to set these values? There does not seem to be one in the istio-csr Helm chart...
If there is no way to do this, I suppose I will have to write a custom mutating webhook to handle this, but I would like to avoid doing so.
Thanks.
It does this using the same flow that Istio CSRs use, by generating a CSR PEM and then calling the Sign method.
The issue is that the istio.io/istio/security/pkg/pki/util library used to generate the CSR PEM does not allow the explicit specification of the CommonName, which is something you require set by your Vault issuer.
The ideal solution would be to instead generate the CSR PEM using alternative libraries (potentially the same one cert-manager uses) that allow us to specify the CommonName, then add a flag to allow users to configure the CommonName.
We must be careful not to change other behaviours and attributes of the CSR to ensure other users are not impacted.
It would also be worth validating that Istio itself produces CSRs with a common name, or you will hit this issue all over again later.
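The reply above proposes generating the CSR PEM with a library that exposes the full Subject instead of the Istio pki util helper. The following Go program is an added example, not istio-csr's or cert-manager's code: it builds a PKCS#10 request with Go's standard crypto/x509 package, setting CN, O, OU, L, ST and C explicitly alongside the SPIFFE URI SAN that Istio workloads carry, and then parses the result back and pre-checks it against the kind of constraint the issue describes (no empty or wildcard subject attributes). The `CSROptions` struct, the SPIFFE ID and the rejection rules are assumptions made for illustration; they do not mirror any istio-csr flag or any particular Vault role.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"net/url"
)

// CSROptions holds the subject fields a Vault PKI role may insist on, plus the
// SPIFFE identity carried as a URI SAN. This struct is a hypothetical
// illustration, not an istio-csr configuration surface.
type CSROptions struct {
	CommonName         string
	Organization       []string
	OrganizationalUnit []string
	Locality           []string
	Province           []string
	Country            []string
	SPIFFEID           string // e.g. spiffe://cluster.local/ns/istio-system/sa/istiod
}

// GenerateCSR builds a PEM-encoded PKCS#10 request with an explicit Subject
// using only crypto/x509, so every subject attribute is under the caller's control.
func GenerateCSR(opts CSROptions) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	spiffe, err := url.Parse(opts.SPIFFEID)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:         opts.CommonName,
			Organization:       opts.Organization,
			OrganizationalUnit: opts.OrganizationalUnit,
			Locality:           opts.Locality,
			Province:           opts.Province,
			Country:            opts.Country,
		},
		URIs: []*url.URL{spiffe}, // emitted in the subjectAltName extension
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// CheckCSR parses the PEM, verifies the request's self-signature and rejects
// subjects an issuer that refuses empty or wildcard attributes would turn down.
// The rule set is an assumption modelled on the issue, not read from Vault.
func CheckCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	if csr.Subject.CommonName == "" || csr.Subject.CommonName == "*" {
		return nil, errors.New("subject CommonName is empty or a wildcard")
	}
	required := map[string][]string{
		"O": csr.Subject.Organization, "OU": csr.Subject.OrganizationalUnit,
		"L": csr.Subject.Locality, "ST": csr.Subject.Province, "C": csr.Subject.Country,
	}
	for attr, vals := range required {
		if len(vals) == 0 {
			return nil, fmt.Errorf("subject %s is missing", attr)
		}
		for _, v := range vals {
			if v == "" || v == "*" {
				return nil, fmt.Errorf("subject %s has an empty or wildcard value", attr)
			}
		}
	}
	if len(csr.URIs) == 0 || csr.URIs[0].Scheme != "spiffe" {
		return nil, errors.New("CSR carries no spiffe:// URI SAN")
	}
	return csr, nil
}

func main() {
	// Constructed sample values; replace with the subject your Vault role requires.
	pemBytes, _, err := GenerateCSR(CSROptions{
		CommonName: "istiod.istio-system.svc", Organization: []string{"Example Corp"},
		OrganizationalUnit: []string{"Mesh"}, Locality: []string{"Berlin"}, Province: []string{"Berlin"},
		Country: []string{"DE"}, SPIFFEID: "spiffe://cluster.local/ns/istio-system/sa/istiod",
	})
	if err != nil {
		panic(err)
	}
	csr, err := CheckCSR(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s uris=%v\n%s", csr.Subject, csr.URIs, pemBytes)
}
```

Running `CheckCSR` on the PEM before handing it to the issuer fails fast with a readable reason instead of an opaque Vault rejection, and the same check can be pointed at a CSR that Istio itself produced to confirm the point made above about Istio's own requests carrying a common name.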