Istio + AWS PCA reports - no subject #168
Comments
Hi @tabnul, unfortunately istio-csr isn't able to re-write the contents of the certificate signing request that istio workloads make. To implement this would require either changes in istio, or setting on your issuer (in this case AWS PCA). I'm going to close this for now since there is nothing this project can do.
/close
@JoshVanL: Closing this issue. In response to this:
We are using istio together with AWS PCA.
All works fine, certificates get created.
However, AWS PCA reports do not report the SAN attributes, they only log the subject.
This means that when using Istio, this AWS PCA will be full of untraceable certificates. (subject: O=)
While I do understand this is in principle an AWS PCA issue, it would be very handy to have the CN filled in with something relatable to at least the origin K8S cluster.
What can I do to overcome this limitation?
Can I override the certificate request's CN in some way? (without tricks/hacks such as using Open Policy Agent)
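The behaviour reported above, as an added example that is not part of the original issue or of istio-csr's code: it builds a CSR with an empty subject and the identity carried only in a URI SAN, then shows what a subject-only view and a SAN-aware view each see. The SPIFFE ID and the function names are constructed for illustration, and the CSR shape is an assumption based on the description in the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/url"
)

// buildWorkloadCSR creates a CSR with no CN or O in the subject and the
// workload identity only in a URI SAN (hypothetical helper).
func buildWorkloadCSR(spiffeID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{}, URIs: []*url.URL{id}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// describeCSR verifies the CSR's self-signature and returns the subject
// string (all a subject-only report would show) and the URI SANs.
func describeCSR(der []byte) (string, []string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", nil, err
	}
	var sans []string
	for _, u := range csr.URIs {
		sans = append(sans, u.String())
	}
	return csr.Subject.String(), sans, nil
}

func main() {
	// Constructed sample identity, not taken from the issue.
	der, err := buildWorkloadCSR("spiffe://cluster.local/ns/default/sa/httpbin")
	if err != nil {
		panic(err)
	}
	subject, sans, err := describeCSR(der)
	fmt.Printf("subject=%q sans=%v err=%v\n", subject, sans, err)
}
```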