Open perezjasonr opened 3 years ago
Hi @perezjasonr
Thanks for opening this issue. Yes, you're right; I'm going to remove that paragraph and update the doc, since that is not the case here: I'm not creating any new CA or new issuer.
As you can see in step 2) of the istio-csr installation, I'm telling istio-csr (--set certificate.name=vault-istio-ca1-issuer) to use the intermediate CA's issuer that I created in the cert-manager section.
By checking the istio-ca-root-cert and the certificaterequests, we can see that it is the same root CA that we created previously in the Vault PKI section:
❯ kubectl get cm istio-ca-root-cert -o jsonpath="{.data['root-cert\.pem']}" | step certificate inspect -
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 482710185528616044726601484651813304223265585800 (0x548d792c6ee3fae08ec66e8c57e07b4144ddfa88)
        Signature Algorithm: SHA256-RSA
        Issuer: CN=istio-ca-vault
        Validity
            Not Before: May 10 19:50:37 2021 UTC
            Not After : May 8 19:51:06 2031 UTC
        Subject: CN=istio-ca-vault
        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (2048 bit)
❯ openssl x509 -in CA_cert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:8d:79:2c:6e:e3:fa:e0:8e:c6:6e:8c:57:e0:7b:41:44:dd:fa:88
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = istio-ca-vault
        Validity
            Not Before: May 10 19:50:37 2021 GMT
            Not After : May 8 19:51:06 2031 GMT
        Subject: CN = istio-ca-vault
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
❯ kubectl get certificaterequest -A --all-namespaces
NAMESPACE      NAME                           APPROVED   DENIED   READY   ISSUER                   REQUESTOR                                                   AGE
istio-system   cert-manager-istio-csr-9h5kw   True                True    vault-istio-ca2-issuer   system:serviceaccount:cert-manager:cert-manager-istio-csr   62m
istio-system   istio-5gz7t                    True                True    vault-istio-ca2-issuer   system:serviceaccount:cert-manager:cert-manager-istio-csr   32m
istio-system   istio-lzz78                    True                True    vault-istio-ca2-issuer   system:serviceaccount:cert-manager:cert-manager-istio-csr   57m
istio-system   istio-mvsx2                    True                True    vault-istio-ca2-issuer   system:serviceaccount:cert-manager:cert-manager-istio-csr   18m
istio-system   istio-px2mn                    True                True    vault-istio-ca2-issuer   system:serviceaccount:cert-manager:cert-manager-istio-csr   33m
istio-system   istio-srv44                    True                True    vault-istio-ca2-issuer   system:serviceaccount:cert-manager:cert-manager-istio-csr   42m
istio-system   istiod-6cbmr                   True                True    vault-istio-ca2-issuer   system:serviceaccount:cert-manager:cert-manager             62m
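The comparison above is done by eye: `step certificate inspect` prints the serial in decimal with a `0x` suffix and joins the DN without spaces, while `openssl x509 -text` prints colon-separated hex and `CN = ...`. The following is an added example, not code from this thread or from the istio-csr/cert-manager projects, that parses both text formats, normalizes serial and DN, and confirms that the mesh root cert in the `istio-ca-root-cert` ConfigMap and the Vault-generated `CA_cert.crt` are one and the same self-signed root. The sample inputs are abridged copies of the two dumps shown above (constructed for the example); the field labels it keys on are assumed to be stable across tool versions.

```python
import re

# Constructed sample inputs (abridged): the istio-ca-root-cert ConfigMap as
# printed by `step certificate inspect`, and CA_cert.crt as printed by
# `openssl x509 -text -noout`, matching the dumps in the comment above.
STEP_INSPECT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 482710185528616044726601484651813304223265585800 (0x548d792c6ee3fae08ec66e8c57e07b4144ddfa88)
        Signature Algorithm: SHA256-RSA
        Issuer: CN=istio-ca-vault
        Validity
            Not Before: May 10 19:50:37 2021 UTC
            Not After : May 8 19:51:06 2031 UTC
        Subject: CN=istio-ca-vault
        Subject Public Key Info:
            Public Key Algorithm: RSA
"""

OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:8d:79:2c:6e:e3:fa:e0:8e:c6:6e:8c:57:e0:7b:41:44:dd:fa:88
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = istio-ca-vault
        Validity
            Not Before: May 10 19:50:37 2021 GMT
            Not After : May 8 19:51:06 2031 GMT
        Subject: CN = istio-ca-vault
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
"""


def normalize_serial(raw: str) -> str:
    """Return the serial as lowercase hex, no separators, no leading zeros.

    Accepts the spellings the two tools use: decimal with a "(0x...)"
    suffix, bare "0x..." hex, or colon-separated hex bytes.
    """
    m = re.search(r"0x([0-9a-fA-F]+)", raw)
    if m:
        hex_serial = m.group(1)
    elif ":" in raw:
        hex_serial = raw.replace(":", "")
    else:
        hex_serial = format(int(raw.strip()), "x")
    return hex_serial.lower().lstrip("0") or "0"


def normalize_dn(raw: str) -> str:
    """Canonicalize "CN = x, O = y" and "CN=x,O=y" to "CN=x,O=y"."""
    rdns = []
    for part in raw.split(","):
        key, _, value = part.partition("=")
        rdns.append(f"{key.strip()}={value.strip()}")
    return ",".join(rdns)


def parse_cert_text(text: str) -> dict:
    """Extract serial, issuer, subject and validity from either tool's dump."""
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Serial Number:"):
            rest = s[len("Serial Number:"):].strip()
            if not rest:  # openssl puts the colon-hex serial on the next line
                rest = lines[i + 1].strip()
            fields["serial"] = normalize_serial(rest)
        elif s.startswith("Issuer:"):
            fields["issuer"] = normalize_dn(s[len("Issuer:"):])
        elif s.startswith("Subject:"):  # "Subject Public Key Info:" does not match
            fields["subject"] = normalize_dn(s[len("Subject:"):])
        elif s.startswith("Not Before:"):
            fields["not_before"] = s[len("Not Before:"):].strip().replace(" GMT", " UTC")
        elif s.startswith("Not After :"):
            fields["not_after"] = s[len("Not After :"):].strip().replace(" GMT", " UTC")
    return fields


def same_self_signed_root(mesh_root_text: str, ca_file_text: str) -> bool:
    """True when both dumps describe the same self-signed root certificate.

    Serial, subject, issuer and validity window must all agree, and the
    subject must equal the issuer (a root CA signs itself).
    """
    a, b = parse_cert_text(mesh_root_text), parse_cert_text(ca_file_text)
    keys = ("serial", "issuer", "subject", "not_before", "not_after")
    if any(k not in a or k not in b for k in keys):
        return False
    return all(a[k] == b[k] for k in keys) and a["subject"] == a["issuer"]


if __name__ == "__main__":
    # In a cluster, feed the two command outputs from the comment above into
    # these functions instead of the constructed samples.
    print(same_self_signed_root(STEP_INSPECT_TEXT, OPENSSL_TEXT))
```

Comparing identifying fields is enough to spot a mismatched root, but the stronger check is a digest over the whole DER certificate: `step certificate fingerprint` on the ConfigMap data and `openssl x509 -noout -fingerprint -sha256` on `CA_cert.crt` must print the same value. Note also that this only confirms the trust anchor; the leaf workload certificates are issued by the intermediate issuer named in the ISSUER column of the certificaterequest listing, not by this root directly.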
Hi @palimarium, I think that'd be great and would really make that section much clearer.
> By checking the istio-ca-root-cert and certificaterequests we can see that is the same root-ca
Shouldn't this be the intermediate CA, not the root?
The only other thing I found odd was this line in the istio operator:
caAddress: cert-manager-istio-csr.cert-manager.svc:443
Or is the name "caAddress" a little misleading? Surely it doesn't imply the CA is there, but rather that this is just a cert provider endpoint now (in place of what istiod used to do), which should be leveraging the Vault issuer that was made. Unless, perhaps, the CA really is there, and istio-csr simply copies it/hosts it there?
Not sure if that should also be in the docs section, but as someone trying to connect all the dots, that's what went through my mind.
In the istio-csr section you reference the official docs bootstrap example: https://github.com/cert-manager/istio-csr/blob/master/hack/demo/cert-manager-bootstrap-resources.yaml
but this is creating a new CA and new issuer, which seems to go against your diagram, where the intermediate CA being referenced is from the Vault.
So did you more or less follow that bootstrap, or did you tell istio-csr to use the intermediate CAs you created during the PKI section? If you did the latter, what did that look like? I'm having trouble connecting the dots here. The main reason I could see to do a new Certificate with isCA: true referencing the issuer created during the cert-manager section is that the CA (istio-ca) is made as a secret which can be used by istio-csr. So I'm a little lost at this part, because that bootstrap resources example seems to be made for a vault-less scenario.
By the way, it goes without saying that this is an amazing guide.