You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm trying to establish trust between a consul connect cluster and a kube cluster.
I'm setting the root-cert in consul connect, and trying to send requests from outside the cluster.
The request are being rejected by the client in the kube cluster - it complains that the CA is invalid. I believe that the reason is that consul doesn't set the cert chain correctly.
in the config dump of the envoy sidecar in consul (i.e. connect envoy -sidecar-for), i see:
Hey there,
We wanted to check in on this request since it has been inactive for at least 60 days.
If you think this is still an important issue in the latest version of Consul
or its documentation please reply with a comment here which will cause it to stay open for investigation.
If there is still no activity on this issue for 30 more days, we will go ahead and close it.
Feel free to check out the community forum as well!
Thank you!
stalebot
added
the
waiting-reply
Waiting on response from Original Poster or another individual in the thread
label
Dec 28, 2019
I'm trying to establish trust between a consul connect cluster and a kube cluster.
I'm setting the root-cert in consul connect, and trying to send requests from outside the cluster.
The request are being rejected by the client in the kube cluster - it complains that the CA is invalid. I believe that the reason is that consul doesn't set the cert chain correctly.
in the config dump of the envoy sidecar in consul (i.e.
connect envoy -sidecar-for
), i see:Note that: the
certificate_chain
contain only the leaf certificate, andtrusted_ca
contains the root and intermediary cert.I would expect that the
certificate_chain
to contain the certs up to the root, and that thetrusted_ca
would only contain the root cert, like so:What is the reason for the current design? Would you consider the suggested change reasonable?
Consul info for both Client and Server
Server \ Client info
The text was updated successfully, but these errors were encountered: