Good afternoon. I have configured the cluster by default and sign the certificate in Vault. In the secret, tls.crt appears, containing the certificate itself and the issuer; ca.crt, containing the root CA that signed the issuer; and also tls.key. If you add this certificate to the Istio gateway, the site returns only the server and issuer certificates, without the root CA. It turns out Istio does not read the ca.crt file, and for the site to serve the complete chain you need to edit tls.crt and append the contents of ca.crt to it. Could this somehow be implemented in cert-manager, i.e. adding the contents of ca.crt to tls.crt?
I have a hypothesis that tls.crt is formed from the Vault response as issuing_ca + certificate. Is it possible to add an option in which tls.crt = certificate + ca_chain?
---
apiVersion: v1
kind: Secret
metadata:
  name: cert-manager-jenkins-approle
  namespace: jenkins
data:
  secretId: ZjIyNmJkNjAtZTM2Ny02ODFiLTk1NTQtMzY1MGU0Y2FjN2E3
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: jenkins-issuer
  namespace: jenkins
spec:
  vault:
    path: int_istio/sign/peer_policy
    server: https://192.168.137.2:8200/
    caBundle: <>
    auth:
      appRole:
        path: approle_ift
        roleId: "a171bec3-c145-a400-99bb-07addaee9f7b"
        secretRef:
          name: cert-manager-jenkins-approle
          key: secretId
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: jenkins-alpha-local
  namespace: jenkins
spec:
  secretName: jenkins-alpha-local-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - local
  commonName: jenkins.alpha.local
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - jenkins.alpha.local
  ipAddresses:
    - 192.168.137.3
  issuerRef:
    name: jenkins-issuer
    kind: Issuer
    group: cert-manager.io
---
root@k8s-master:~# kubectl describe secret jenkins-alpha-local-tls -n jenkins
Name:         jenkins-alpha-local-tls
Namespace:    jenkins
Labels:       controller.cert-manager.io/fao=true
Annotations:  cert-manager.io/alt-names: jenkins.alpha.local
              cert-manager.io/certificate-name: jenkins-alpha-local
              cert-manager.io/common-name: jenkins.alpha.local
              cert-manager.io/ip-sans: 192.168.137.3
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: Issuer
              cert-manager.io/issuer-name: jenkins-issuer
              cert-manager.io/subject-countries: RU
              cert-manager.io/subject-localities: Moskow
              cert-manager.io/subject-organizationalunits: local
              cert-manager.io/subject-organizations: alpha.local
              cert-manager.io/subject-provinces: Moskow State
              cert-manager.io/uri-sans:

Type:  kubernetes.io/tls

Data
====
ca.crt:   1229 bytes
tls.crt:  2847 bytes
tls.key:  1679 byte
---
root@k8s-master:~# openssl s_client --connect 192.168.137.3:30443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 O = Local org, CN = CA ALPHA INT ISTIO X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = RU, ST = Moskow State, L = Moskow, O = alpha.local, OU = local, CN = jenkins.alpha.local
verify return:1
---
Certificate chain
0 s:C = RU, ST = Moskow State, L = Moskow, O = alpha.local, OU = local, CN = jenkins.alpha.local
i:O = Local org, CN = CA ALPHA INT ISTIO X1
1 s:O = Local org, CN = CA ALPHA INT ISTIO X1
i:C = RU, O = Local org, CN = CA ALPHA X1
---
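As an added example (not code from this issue or from cert-manager), a small Python script that applies the workaround described above: it decodes the `data` map of a kubernetes.io/tls Secret, reports whether tls.crt already contains the ca.crt certificates, and appends them when it does not, so the patched secret serves leaf, issuer and root. The PEM bodies in the sample are constructed placeholders; the script works on PEM block boundaries only and does not parse or validate the certificates.

```python
import base64
import re
# One PEM certificate block, including its BEGIN/END lines.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL)

def pem_blocks(bundle: str) -> list:
    """Split a PEM bundle into its certificate blocks, in the order they appear."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_CERT.finditer(bundle)]

def ca_present(tls_crt: str, ca_crt: str) -> bool:
    """True when every certificate in ca.crt already appears in tls.crt (full chain served)."""
    have = set(pem_blocks(tls_crt))
    return all(block in have for block in pem_blocks(ca_crt))

def full_chain(tls_crt: str, ca_crt: str) -> str:
    """tls.crt followed by any ca.crt certificate it does not yet contain.
    Order is kept: leaf and issuer from tls.crt first, then the CA(s) from ca.crt."""
    chain = pem_blocks(tls_crt)
    seen = set(chain)
    for block in pem_blocks(ca_crt):
        if block not in seen:
            chain.append(block)
            seen.add(block)
    return "\n".join(chain) + "\n"

def patch_secret_data(data: dict) -> dict:
    """Copy of a kubernetes.io/tls Secret's `data` map (base64 values, as kubectl
    returns them) whose tls.crt carries the full chain; other keys are untouched."""
    tls_crt = base64.b64decode(data["tls.crt"]).decode()
    ca_crt = base64.b64decode(data["ca.crt"]).decode()
    patched = dict(data)
    patched["tls.crt"] = base64.b64encode(full_chain(tls_crt, ca_crt).encode()).decode()
    return patched

# Constructed sample input: the bodies are placeholders, not real certificates.
def _pem(label: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----"

LEAF, INTERMEDIATE, ROOT = _pem("LEAF"), _pem("INTERMEDIATE"), _pem("ROOT")
SAMPLE_TLS_CRT = LEAF + "\n" + INTERMEDIATE + "\n"  # as cert-manager wrote it: leaf + issuer
SAMPLE_CA_CRT = ROOT + "\n"                         # the root that signed the issuer
SAMPLE_DATA = {
    "tls.crt": base64.b64encode(SAMPLE_TLS_CRT.encode()).decode(),
    "ca.crt": base64.b64encode(SAMPLE_CA_CRT.encode()).decode(),
}

if __name__ == "__main__":
    print("full chain already in tls.crt:", ca_present(SAMPLE_TLS_CRT, SAMPLE_CA_CRT))
    merged = base64.b64decode(patch_secret_data(SAMPLE_DATA)["tls.crt"]).decode()
    print("certificates in patched tls.crt:", len(pem_blocks(merged)))
```

The patched `tls.crt` value can be written back with `kubectl patch secret`, but cert-manager will overwrite it again at renewal, which is why the issue asks for the option on the cert-manager side.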