Populate Subject Fields in Certificate #244

JoshuaFurman opened this issue Jan 18, 2024 · 1 comment

I've connected cert-manager to a remote instance of Vault, where Vault is acting as my certificate issuer. However, I have some restraints generating certificates from this CA. Specifically, I need to set a number of subject fields:

  • subject.localities
  • subject.organizationalUnits
  • subject.organization
  • subject.provinces
  • subject.countries

There does not seem to be a way to set these for the certificates that istio-csr is attempting to create. My istio-csr deployment is failing because it cannot issue the initial certificate: Vault will not issue certificates with wildcard values for the subject fields above.

Is there any way for me to set these values? There does not seem to be one in the istio-csr Helm chart...

If there is no way to do this I suppose I will have to write a custom mutating webhook to handle this, but I would like to avoid doing so.

Thanks.


ThatsMrTalbot commented Jan 25, 2024

Based on the conversation in the bi-weekly meeting, we identified that when istio-csr starts it requests a certificate for itself:

https://github.com/cert-manager/istio-csr/blob/main/pkg/tls/tls.go#L294-L314

It does this using the same flow that Istio CSRs use, by generating a CSR PEM and then calling the Sign method.

The issue is that the istio.io/istio/security/pkg/pki/util library used to generate the CSR PEM does not allow the explicit specification of the CommonName, which is something you require set by your Vault issuer.

The ideal solution would instead be to generate the CSR PEM using alternative libraries (potentially the same one cert-manager uses) that allow us to specify the CommonName, then add a flag to allow users to configure the CommonName.

We must be careful not to change other behaviours and attributes of the CSR to ensure other users are not impacted.

It would also be worth validating that Istio itself produces CSRs with a common name, or you will hit this issue all over again later.
