istio-csr
commonName required for AWS PCA
AWS PCA expects the commonName to be passed in as part of the CSR. Adding commonName: istiod.istio-system.svc in the Certificate.yaml file was all that was needed.
```yaml
spec:
  dnsNames:
    - istiod.istio-system.svc
  uris:
    - spiffe://cluster.local/ns/istio-system/sa/istiod-service-account
  secretName: istiod-tls
  commonName: istiod.istio-system.svc
  ...
```
I don't mind creating a PR for this so let me know if that is preferred.
Thanks @bpotaczek! It is surprising to me that this works, as the istio workloads themselves, which use the same Issuer, don't have a CommonName set IIRC.
@bpotaczek Can you help? I'm getting `api error ValidationException: 1 validation error detected: Value '0' at 'validity.value' failed to satisfy constraint: Member must have value greater than or equal to 1` when using AWSPCAClusterIssuer as the issuer. cert-manager works fine outside istio-csr.
Can you please upload the certificate.yaml, and are there any custom values other than those?
```yaml
issuer:
  # -- Issuer name set on created CertificateRequests for both istio-csr's
  # serving certificate and incoming gRPC CSRs.
  name: private-root-ca
  # -- Issuer kind set on created CertificateRequests for both istio-csr's
  # serving certificate and incoming gRPC CSRs.
  kind: AWSPCAClusterIssuer
  # -- Issuer group name set on created CertificateRequests for both
  # istio-csr's serving certificate and incoming gRPC CSRs.
  group: awspca.cert-manager.io
```
Thanks
@assafmanzur that looks to be a different error. For testing you can use one of the example certs from the aws-pca project.
https://github.com/cert-manager/aws-privateca-issuer/blob/master/config/examples/certificates/rsa-2048.yaml
Thanks @bpotaczek. It seems the format of the duration 1h was the issue. After updating to 2160h0m0s the CertificateRequest was updated to true, but now I can't find where to update the subject or change it to a SAN.
CSR must mark the SAN extension critical when it has an empty subject.
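The two CSR requirements raised in this thread (a commonName for AWS PCA, and a critical SAN extension when the subject is empty, per RFC 5280 4.2.1.6) can be checked before a CertificateRequest is submitted. The following is an added example, not code from istio-csr or cert-manager: it builds CSRs for the istiod identity above with Go's standard library and runs a small pre-flight check over them. The `BuildCSR` and `CheckCSR` names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// id-ce-subjectAltName (RFC 5280, 4.2.1.6).
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// sanExtension encodes GeneralNames with one dNSName ([2]) and one URI ([6]),
// built by hand so the critical flag is set explicitly rather than by the library.
func sanExtension(dnsName, uri string, critical bool) (pkix.Extension, error) {
	der, err := asn1.Marshal([]asn1.RawValue{
		{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte(dnsName)},
		{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(uri)},
	})
	return pkix.Extension{Id: oidSubjectAltName, Critical: critical, Value: der}, err
}

// BuildCSR returns a DER CSR for the istiod identity from the thread; an empty
// commonName yields an empty subject, as istio-csr's workload CSRs have.
func BuildCSR(commonName string, sanCritical bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	san, err := sanExtension("istiod.istio-system.svc",
		"spiffe://cluster.local/ns/istio-system/sa/istiod-service-account", sanCritical)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName},
		ExtraExtensions: []pkix.Extension{san}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// CheckCSR reports the two problems discussed above: no commonName (AWS PCA
// rejects it) and an empty subject whose SAN extension is not marked critical.
func CheckCSR(der []byte) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	var findings []string
	if csr.Subject.CommonName == "" {
		findings = append(findings, "missing commonName")
	}
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(oidSubjectAltName) && len(csr.Subject.Names) == 0 && !ext.Critical {
			findings = append(findings, "empty subject but SAN extension not critical")
		}
	}
	return findings, nil
}

func main() {
	der, _ := BuildCSR("", false) // the failing shape: no CN, non-critical SAN
	fmt.Println(CheckCSR(der))
}
```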