neerajaustin opened this issue 3 years ago
Hi @neerajaustin, glad you like the project :)
istio-csr acts as the RA for istio which will hand off requests to the configured cert-manager CA once it's happy. Since we can't mangle the request or sign what we want like the CA can, we can't add any extras to the request. This would need to be configured on the istio side which I'm not sure can be done.
Hi @JoshVanL, istio-csr actually checks for the presence of SAN fields in the incoming CSR from the workload and aborts the operation if it contains any SAN fields. Why so? Any specific reason behind this check?
// if the csr contains any other options set, error
if len(csr.DNSNames) > 0 || len(csr.IPAddresses) > 0 ||
    len(csr.Subject.CommonName) > 0 || len(csr.EmailAddresses) > 0 {
    log.Error(errors.New("forbidden extensions"), "",
        "dns", csr.DNSNames,
        "ips", csr.IPAddresses,
        "common-name", csr.Subject.CommonName,
        "emails", csr.EmailAddresses)
    return identities, false
}
@lokeshwaran100 istio-csr is responsible for verifying whether the contents of the incoming CSR match the requestor's identity. In istio, this maps a Kubernetes ServiceAccount to a SPIFFE ID as a URI SAN. I would be interested in the use case for wanting other SANs in istio workload certificates, and how istio-csr can safely verify they match these identities before signing.
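As an added illustration of the check described above (example code, not istio-csr's own; the trust domain `cluster.local`, the namespace and ServiceAccount names, and the `ExpectedSPIFFEID`/`ValidateWorkloadCSR`/`BuildCSR` names are assumptions), a Go validator that accepts a CSR only when its single URI SAN equals the SPIFFE ID derived from the ServiceAccount, run against constructed CSRs:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// ExpectedSPIFFEID is the identity istio derives from a Kubernetes ServiceAccount.
func ExpectedSPIFFEID(trustDomain, ns, sa string) string {
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", trustDomain, ns, sa)
}

// ValidateWorkloadCSR accepts a DER CSR only if its sole SAN is the requestor's
// SPIFFE URI; any DNS, IP or email SAN, or a CN, is rejected as istio-csr does.
func ValidateWorkloadCSR(der []byte, trustDomain, ns, sa string) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return err
	}
	if len(csr.DNSNames) > 0 || len(csr.IPAddresses) > 0 ||
		len(csr.Subject.CommonName) > 0 || len(csr.EmailAddresses) > 0 {
		return errors.New("forbidden extensions")
	}
	if len(csr.URIs) != 1 || csr.URIs[0].String() != ExpectedSPIFFEID(trustDomain, ns, sa) {
		return errors.New("URI SAN does not match requestor identity")
	}
	return nil
}

// BuildCSR creates a sample CSR (constructed test input, not a real workload's).
func BuildCSR(spiffeID string, dns []string) ([]byte, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // sample only; keygen error ignored
	u, _ := url.Parse(spiffeID)                   // constant input, cannot fail here
	tmpl := &x509.CertificateRequest{URIs: []*url.URL{u}, DNSNames: dns}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
func main() {
	id := ExpectedSPIFFEID("cluster.local", "default", "httpbin")
	good, _ := BuildCSR(id, nil)
	bad, _ := BuildCSR(id, []string{"httpbin.example.com"}) // extra DNS SAN
	fmt.Println(ValidateWorkloadCSR(good, "cluster.local", "default", "httpbin")) // <nil>
	fmt.Println(ValidateWorkloadCSR(bad, "cluster.local", "default", "httpbin"))  // forbidden extensions
}
```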
@JoshVanL: The use case that I'm looking for is where the certificate SAN (identity) needs to be set to the 5G NF FQDN (or IP) for inter-NF communication as per 3GPP 33.310. Do you think that it is possible to implement in istio-csr? Or does this have to be done from the istio side?
We have an application where the DNS in the subject or SAN is validated when checking the communication with mounted istio-proxy certs. I noticed that Istio used to have the DNS field in the SAN, but now it's only the URI.
I have tried istio-csr and I like that you can control the issuer and renew the CA certificates, but can we use a specific workload certificate configuration as well to include DNS in the SAN?