TPP Allowed Domains can cause valid certificate to error #5171
Comments
Issues go stale after 90d of inactivity.
/remove-lifecycle stale
Confirmed this is still an issue in Cert-manager v1.11.0 with Venafi Enhanced Issuer installed as well.
Test domain: .vendev
From: venafi-enhanced-issuer.jetstack.io
Failed to sign CertificateRequest, will retry: failed to request venafi certificate: common name certificate5.vendev is not allowed in this policy: [^([\p{L}\p{N}-*]+\.)*\.vendev$]
Issues go stale after 90d of inactivity.
Stale issues rot after 30d of inactivity.
Rotten issues close after 30d of inactivity.
@jetstack-bot: Closing this issue. In response to this:
Describe the bug:
When setting TPP domain whitelisting inside a policy, sometimes people put .<domain> in the "Allowed Domains" field. This works and is valid in TPP and works with vcert when requesting or renewing certificates. But when cert-manager tries to request against the same policy, you get an error to the effect of:
Picture of policy domain settings in my test setup:
So when set to .sitaram-iyer-gcp.jetstacker.net you get the message in the cert / cr in cluster.
When set to just sitaram-iyer-gcp.jetstacker.net then everything works as expected in cert-manager / in cluster.
Both cases work for TPP and vcert though.
Expected behaviour:
Both cases should work with cert-manager.
Steps to reproduce the bug:
.<domain>
.test.<domain>
Anything else we need to know?:
You won't see anything in the certificate log in TPP for this even though it appears as a TPP policy rejection.
Environment details:
/kind bug
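The pattern printed in the error message in the comments explains the behaviour described in this issue. The Go program below is an added example, not code from cert-manager or vcert. It assumes the pattern is built by regex-quoting the "Allowed Domains" entry and appending it to the subdomain prefix seen in the message; `cnPattern`, `cnAllowed` and `normalizeDomain` are hypothetical names, and trimming the leading dot is one possible mitigation rather than the project's fix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// subdomainPrefix is copied from the pattern printed in the error message.
const subdomainPrefix = `([\p{L}\p{N}-*]+\.)*`

// cnPattern builds an anchored common-name pattern from one "Allowed Domains"
// entry. Assumption: the entry is regex-quoted and appended to the prefix,
// which reproduces the reported pattern for the entry ".vendev".
func cnPattern(allowedDomain string) *regexp.Regexp {
	return regexp.MustCompile("^" + subdomainPrefix + regexp.QuoteMeta(allowedDomain) + "$")
}

// normalizeDomain is a hypothetical mitigation: drop leading dots so that
// ".vendev" and "vendev" produce the same pattern.
func normalizeDomain(allowedDomain string) string {
	return strings.TrimLeft(allowedDomain, ".")
}

// cnAllowed reports whether cn matches the pattern built from allowedDomain.
func cnAllowed(allowedDomain, cn string) bool {
	return cnPattern(allowedDomain).MatchString(cn)
}

func main() {
	cn := "certificate5.vendev" // common name from the error message
	for _, entry := range []string{".vendev", "vendev", normalizeDomain(".vendev")} {
		fmt.Printf("entry=%-9q pattern=%s allowed=%v\n", entry, cnPattern(entry), cnAllowed(entry, cn))
	}
	// With the leading dot kept, the prefix already consumes the label's
	// trailing dot, so only a name with an empty label can match.
	fmt.Println("certificate5..vendev allowed:", cnAllowed(".vendev", "certificate5..vendev"))
	// Trimming the dot does not widen the policy to look-alike names.
	fmt.Println("notvendev allowed:", cnAllowed(normalizeDomain(".vendev"), "notvendev"))
}
```
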