cert-manager / istio-csr

istio-csr is an agent that allows for Istio workload and control plane components to be secured using cert-manager.
https://cert-manager.io/docs/usage/istio-csr/
Apache License 2.0
161 stars, 70 forks

commonName required for AWS PCA #83

Open bpotaczek opened 3 years ago

bpotaczek commented 3 years ago

AWS PCA expects the commonName to be passed in as part of the CSR. Adding commonName: istiod.istio-system.svc in the Certificate.yaml file was all that was needed.

spec:
  # DNS SAN for the istiod serving certificate
  dnsNames:
  - istiod.istio-system.svc
  # SPIFFE identity of the istiod service account
  uris:
  - spiffe://cluster.local/ns/istio-system/sa/istiod-service-account
  secretName: istiod-tls
  # AWS PCA expects a commonName in the CSR, so set it explicitly
  commonName: istiod.istio-system.svc
...

I don't mind creating a PR for this so let me know if that is preferred.

JoshVanL commented 3 years ago

Thanks @bpotaczek! It is surprising to me that this works, as the istio workloads themselves using the same Issuer don't have a CommonName set IIRC.

assafmanzur commented 3 years ago

@bpotaczek Can you help? I'm getting the API error "ValidationException: 1 validation error detected: Value '0' at 'validity.value' failed to satisfy constraint: Member must have value greater than or equal to 1" when using AWSPCAClusterIssuer as the issuer. cert-manager works fine outside istio-csr.

Can you please upload the certificate.yaml, and are there any custom values other than these?

   issuer:
      # -- Issuer name set on created CertificateRequests for both istio-csr's
      # serving certificate and incoming gRPC CSRs.
      name: private-root-ca
      # -- Issuer kind set on created CertificateRequests for both istio-csr's
      # serving certificate and incoming gRPC CSRs.
      kind: AWSPCAClusterIssuer
      # -- Issuer group name set on created CertificateRequests for both
      # istio-csr's serving certificate and incoming gRPC CSRs.
      group: awspca.cert-manager.io

Thanks

bpotaczek commented 3 years ago

@assafmanzur That looks to be a different error. For testing, you can use one of the example certs from the aws-pca project.

https://github.com/cert-manager/aws-privateca-issuer/blob/master/config/examples/certificates/rsa-2048.yaml

assafmanzur commented 3 years ago

Thanks @bpotaczek. Seems like the format of the duration 1h was the issue. After updating to 2160h0m0s the CertificateRequest was updated to true, but now I can't find where to update the subject or change it to a SAN.

CSR must mark the SAN extension critical when it has an empty subject.
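The thread surfaces three constraints on what istio-csr hands to the AWS PCA issuer: the CSR needs a commonName (bpotaczek's fix), a CSR with an empty subject is only acceptable if its SAN extension is marked critical (the error quoted above, which is the RFC 5280 section 4.2.1.6 rule), and the requested duration must not round down to zero. The Go program below is an added example, not code from istio-csr, cert-manager or the aws-privateca-issuer project. It builds the istiod CSR from this thread three ways (commonName set; empty subject with a non-critical SAN, which Go produces by default; empty subject with a critical SAN) and checks each against those rules. The function names NewCSR, CheckCSRForPCA and ValidityDays are mine, and the whole-day validity conversion in ValidityDays is inferred from the "Value '0' at 'validity.value'" error text, not taken from the issuer's source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"net/url"
	"time"
)

var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17} // id-ce-subjectAltName

// NewCSR builds a PKCS#10 request carrying the DNS and SPIFFE URI SANs from the
// thread's Certificate. commonName may be empty; criticalSAN flags the SAN
// extension critical, which Go's crypto/x509 never does on its own.
func NewCSR(commonName string, dnsNames []string, uris []*url.URL, criticalSAN bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
		URIs:     uris,
	}
	if criticalSAN {
		// Pre-build GeneralNames (dNSName [2], uniformResourceIdentifier [6]) and
		// hand it over in ExtraExtensions; CreateCertificateRequest then uses it
		// instead of generating its own non-critical SAN extension.
		var names []asn1.RawValue
		for _, d := range dnsNames {
			names = append(names, asn1.RawValue{Tag: 2, Class: asn1.ClassContextSpecific, Bytes: []byte(d)})
		}
		for _, u := range uris {
			names = append(names, asn1.RawValue{Tag: 6, Class: asn1.ClassContextSpecific, Bytes: []byte(u.String())})
		}
		san, err := asn1.Marshal(names)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSubjectAltName, Critical: true, Value: san}}
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// CheckCSRForPCA applies the CSR-level rule behind the error quoted in the thread:
// with an empty subject the SAN extension must be critical (RFC 5280 4.2.1.6);
// a non-empty commonName sidesteps the rule, which is why setting one works.
func CheckCSRForPCA(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return err
	}
	if csr.Subject.CommonName != "" {
		return nil
	}
	for _, ext := range csr.Extensions {
		if ext.Id.Equal(oidSubjectAltName) && ext.Critical {
			return nil
		}
	}
	return errors.New("CSR must mark the SAN extension critical when it has an empty subject")
}

// ValidityDays models the whole-day conversion implied by "Value '0' at
// 'validity.value'": anything under 24h requests 0 days. This is an inference
// from the thread (1h failed, 2160h0m0s worked), not the PCA issuer's own code.
func ValidityDays(d string) (int64, error) {
	dur, err := time.ParseDuration(d)
	if err != nil {
		return 0, err
	}
	if days := int64(dur.Hours() / 24); days >= 1 {
		return days, nil
	}
	return 0, fmt.Errorf("duration %s is under one whole day; PCA validity must be >= 1", d)
}

func main() {
	dns := []string{"istiod.istio-system.svc"}
	spiffe, _ := url.Parse("spiffe://cluster.local/ns/istio-system/sa/istiod-service-account")
	for _, c := range []struct {
		cn   string
		crit bool
	}{{dns[0], false}, {"", false}, {"", true}} {
		der, _ := NewCSR(c.cn, dns, []*url.URL{spiffe}, c.crit)
		fmt.Printf("cn=%q criticalSAN=%v -> %v\n", c.cn, c.crit, CheckCSRForPCA(der))
	}
	_, err := ValidityDays("1h")
	fmt.Println("1h ->", err)
}
```

The second case in main is the one istio-csr produces when no commonName is configured, and it is the only one CheckCSRForPCA rejects; either adding the commonName or marking the SAN critical satisfies the rule, so a CSR with no subject at all is still workable if the client controls the extension's critical bit.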