Don't bundle the CA certificate when selfsigned

cert-manager · Aug 10, 2018 · 478e0d8 · 478e0d8
1 parent 6308c7b
commit 478e0d8
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
@@ -123,10 +123,14 @@ func SignCertificate(template *x509.Certificate, issuerCert *x509.Certificate, p
 		return nil, nil, fmt.Errorf("error encoding certificate PEM: %s", err.Error())
 	}
 
-	// bundle the CA
-	err = pem.Encode(pemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: issuerCert.Raw})
-	if err != nil {
-		return nil, nil, fmt.Errorf("error encoding issuer cetificate PEM: %s", err.Error())
+	// don't bundle the CA for selfsigned certificates
+	// TODO: better comparison method here? for now we can just compare pointers.
+	if issuerCert != template {
+		// bundle the CA
+		err = pem.Encode(pemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: issuerCert.Raw})
+		if err != nil {
+			return nil, nil, fmt.Errorf("error encoding issuer cetificate PEM: %s", err.Error())
+		}
 	}
 
 	return pemBytes.Bytes(), cert, err