cert-manager / website

Source code for the cert-manager.io website, including project documentation
https://cert-manager.io
Apache License 2.0

Add CA cert to chain tls.crt #1355

Closed dispancergit closed 4 months ago

dispancergit commented 11 months ago

Good afternoon. I have configured the cluster by default and I sign the certificate in Vault. tls.crt appears in the secret, containing the certificate itself and the issuer; ca.crt contains the root CA that signed the issuer; and there is also tls.key. If you add this certificate to the Istio gateway, the site returns only the server and issuer certificates, without the root CA. It turns out Istio does not read the ca.crt file, and for the site to serve a complete chain you need to edit tls.crt and add the contents of ca.crt to it. Could this somehow be implemented in cert-manager, adding the contents of ca.crt to tls.crt? I have a hypothesis that tls.crt is formed from the Vault response: issuing_ca+certificate. Is it possible to make an option in which tls.crt = certificate+ca_chain?

---
apiVersion: v1
kind: Secret
metadata:
  name: cert-manager-jenkins-approle
  namespace: jenkins
data:
  secretId: ZjIyNmJkNjAtZTM2Ny02ODFiLTk1NTQtMzY1MGU0Y2FjN2E3
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: jenkins-issuer
  namespace: jenkins
spec:
  vault:
    path: int_istio/sign/peer_policy
    server: https://192.168.137.2:8200/
    caBundle: <>
    auth:
      appRole:
        path: approle_ift
        roleId: "a171bec3-c145-a400-99bb-07addaee9f7b"
        secretRef:
          name: cert-manager-jenkins-approle
          key: secretId
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: jenkins-alpha-local
  namespace: jenkins
spec:
  secretName: jenkins-alpha-local-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - local
  commonName: jenkins.alpha.local
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - jenkins.alpha.local
  ipAddresses:
    - 192.168.137.3
  issuerRef:
    name: jenkins-issuer
    kind: Issuer
    group: cert-manager.io
---
root@k8s-master:~# kubectl describe secret jenkins-alpha-local-tls -n jenkins 
Name:         jenkins-alpha-local-tls
Namespace:    jenkins
Labels:       controller.cert-manager.io/fao=true
Annotations:  cert-manager.io/alt-names: jenkins.alpha.local
              cert-manager.io/certificate-name: jenkins-alpha-local
              cert-manager.io/common-name: jenkins.alpha.local
              cert-manager.io/ip-sans: 192.168.137.3
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: Issuer
              cert-manager.io/issuer-name: jenkins-issuer
              cert-manager.io/subject-countries: RU
              cert-manager.io/subject-localities: Moskow
              cert-manager.io/subject-organizationalunits: local
              cert-manager.io/subject-organizations: alpha.local
              cert-manager.io/subject-provinces: Moskow State
              cert-manager.io/uri-sans: 

Type:  kubernetes.io/tls

Data
====
ca.crt:   1229 bytes
tls.crt:  2847 bytes
tls.key:  1679 byte
---
root@k8s-master:~# openssl s_client --connect 192.168.137.3:30443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 O = Local org, CN = CA ALPHA INT ISTIO X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = RU, ST = Moskow State, L = Moskow, O = alpha.local, OU = local, CN = jenkins.alpha.local
verify return:1
---
Certificate chain
 0 s:C = RU, ST = Moskow State, L = Moskow, O = alpha.local, OU = local, CN = jenkins.alpha.local
   i:O = Local org, CN = CA ALPHA INT ISTIO X1
 1 s:O = Local org, CN = CA ALPHA INT ISTIO X1
   i:C = RU, O = Local org, CN = CA ALPHA X1
---
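To make the layout described above concrete, here is an added Go example (not cert-manager's or Istio's own code): it builds a constructed root -> intermediate -> leaf chain with throwaway keys, lays it out the way the issue reports the Vault issuer writing it (tls.crt = leaf + issuing CA, ca.crt = root), and checks whether a bundle on its own links up to a self-signed root, which is what a server that sends only tls.crt needs. The CA names are taken from the s_client output above, but every key and certificate is generated locally; FullChain is the tls.crt+ca.crt concatenation the issue asks for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

func FullChain(tlsCrt, caCrt []byte) []byte { return append(append([]byte{}, tlsCrt...), caCrt...) } // tls.crt then ca.crt

// ChainReachesRoot checks that each cert in a PEM bundle (e.g. tls.crt) is signed by the next one and reports whether the last one is self-signed, i.e. the root is present.
func ChainReachesRoot(bundle []byte) (bool, error) {
	var prev *x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err == nil && prev != nil {
			err = prev.CheckSignatureFrom(c) // a broken link means this is not a chain at all
		}
		if err != nil {
			return false, err
		}
		prev = c
	}
	return prev != nil && prev.CheckSignatureFrom(prev) == nil, nil // empty bundle: no root
}

// MakeVaultStyleSecret builds a constructed root -> intermediate -> leaf chain (throwaway ECDSA keys, test data only) laid out as the issue describes: tls.crt = leaf + issuing CA, ca.crt = root.
func MakeVaultStyleSecret() (tlsCrt, caCrt []byte) {
	var pems [][]byte
	var parent *x509.Certificate
	var parentKey *ecdsa.PrivateKey
	for i, cn := range []string{"CA ALPHA X1", "CA ALPHA INT ISTIO X1", "jenkins.alpha.local"} {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: i < 2, BasicConstraintsValid: true}
		if parent == nil { // the root signs itself
			parent, parentKey = tmpl, key
		}
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
		pems = append(pems, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
		parent, _ = x509.ParseCertificate(der)
		parentKey = key
	}
	return FullChain(pems[2], pems[1]), pems[0]
}
```

Running ChainReachesRoot over the tls.crt pulled from the Secret (or over the chain a server actually sends) tells the two cases apart: false with no error is the "stops at the intermediate" symptom seen in the s_client output, while an error means the bundle is not a chain at all.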
inteon commented 4 months ago

@dispancergit please take a look at this documentation page: https://cert-manager.io/docs/faq/#why-isnt-my-root-certificate-in-my-issued-secrets-tlscrt

Please reopen the issue if it does not answer your question.