Using Vault as an issuer doesn't work #105
Comments
Hi @SantiMunoz, can you please confirm that the signed certificates have both "client auth" and "server auth" key usages set. This is configured through vault.
Hello @JoshVanL, thanks for the quick response!

~ vault write dynamic/certificates/internal_ca_dev/issue/kubernetes common_name=www.example.com ttl=72h
.......
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
........

I can't find a way to check this for the CSRs from istio as I don't find them in the kubernetes cluster.
If you enable the
It could also potentially be a CA problem. Is the CA that is distributed within the configmaps in every namespace what you are expecting?
This is an example of the CSR for the
In the certificate signed by Vault we can see the following data, and it is signed by the correct intermediate:
In all the namespaces I can see the
Hmm, could you check that you have the correct certificate chain you are expecting on the istio proxy itself? You should have the full chain, including the root in the chain, and the root in the root cert field.
I've managed to fix it! After redeploying istio-csr pinning the root CA I can correctly see the CA propagated to
No problem @SantiMunoz, glad you got things working!
This is actually coming from Vault. By default, Vault will only respond with the intermediate when a request is signed through cert-manager. It is possible to make Vault return the full chain, but this method works equally well :)
@SantiMunoz I'm having the same problem, but I'm using an external issuer, can you show me the configuration to do this:
Using Vault as an issuer doesn't seem to generate correct certificates for the pods. When I try to make a request from one service to another I get this error:
The Vault issuer is correctly installed and istio has been installed pointing to the istio-csr service as described in the README of this repository.
~ kubectl get clusterissuers -n cert-manager -o wide
NAME           READY   STATUS           AGE
vault-issuer   True    Vault verified   3d21h
In the istiod logs I can see how the Vault CA is correctly loaded
In the istio-csr logs I can see the following message. I'm not sure if the namespace defined here is right or not: istio-csr is in the cert-manager ns, while istiod is in istio-system and productpage in the default namespace.

Another interesting fact is that when I sniff the traffic in the istio-proxy sidecars of the origin and destination pods I can see the request's body and response encrypted, but the client is still reporting the CERTIFICATE_VERIFY_FAILED issue.

I'm using cert-manager 1.5.3, istio-csr 0.3.0 and Kubernetes 1.20.5