Why my certificate request is not automatically approved? Generic docs lacks Insifical's RBAC settings specific to the PKI Issuer.

[qdrddr]

When I deployed infisical with the issuer-controller-manager to integrate with cert-manager in my k8s.
Container images:

• infisical/infisical:v0.112.0-postgres
• infisical/pki-issuer:v0.1.3

When I deploy this certificate (Using argoCD):

---
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
    name: skynet-infisical-rah-rsa2048
    namespace: infisical-system
spec:
  dnsNames:
    - skynet-infisical-rah-rsa2048
  commonName: skynet-infisical-rah-rsa2048 # the common name for the certificate
  secretName: skynet-infisical-rah-rsa2048-tls # the name of the Kubernetes Secret to create and store the certificate and private key in
  issuerRef:
    name: issuer-infisical-rah-rsa2048
    group: infisical-issuer.infisical.com
    kind: Issuer
    namespace: infisical-system
  privateKey: # the algorithm and key size to use
    algorithm: RSA
    #size: 256
    size: 2048
  duration: 48h # the ttl for the certificate
  renewBefore: 12h # the time before the certificate expiry that the certificate should be automatically renewed

Using this PKI-issuer I was trying certificateTemplateId & caId, root & Intermediate CA:

apiVersion: infisical-issuer.infisical.com/v1alpha1
kind: Issuer
#kind: ClusterIssuer
metadata:
    #name: issuer-infisical-cluster
    name: issuer-infisical-rah-rsa2048
    namespace: infisical-system
spec:
    #url: "https://infisical.mywebsite.co" # the URL of your Infisical instance
    url: "http://infisical-infisical.infisical-system.svc.cluster.local:8080" # the URL of your Infisical instance
    
    # you should only fill in the caId or the certificateTemplateId field but not both!!!!
    caId: e4630169 # the ID of the CA you want to use to issue certificates
    
    # you should only fill in the caId or the certificateTemplateId field but not both!!!!
    # https://infisical.mywebsite.co/cert-mgr/e7a786c/ca/b0479d93
    #certificateTemplateId: cfa567c8 # the ID of the certificate template you want to use to issue certificates against
    authentication:
        universalAuth:
            # https://infisical.mywebsite.co/organization/identities/351f9800
            clientId: 54267ea # the Client ID from step 1
            secretRef: # reference to the Secret created in step 4
                name: "issuer-infisical-client-secret"
                key: "clientSecret"

In the issuer controller's logs, I see the strange message CertificateRequest has not been approved yet, and my certificate never gets to the ready status.

"CertificateRequest has not been approved yet. Ignoring.","controller":"certificaterequest","controllerGroup":"cert-manager.io","controllerKind":"CertificateRequest","CertificateRequest":{"name":"skynet-infisical-rta-rsa2048-1","namespace":"infisical-system"},"namespace":"infisical-system","name":"skynet-infisical-rta-rsa2048-1","reconcileID":"bfb7cad9-d867-45b5-b3a3-0139e731b7a6"}

In the infisical UI I have:

1. Created CA and Intermediate CA certificates and installed Intermediate with my root CA.
2. Created a template for the root & Intermediate CA.
3. I tried both Intermediate & root CA in my Issuer resource using their templates as well as just root and intermediate CA IDs without templates.
4. The template for intermediate CA has both common name (CN) and Alternative Names (SAN) set to .* with Max TTL 1y, and in the Key Usage, I have selected all possible checkboxes to be checked (including CRL Sign, Certificate Sign and all others).
5. Also I have created a Machine identity cert-manager in the Organization Access Control with the Organization Role Admin
6. In the identity I have set Authentication: Universal Auth, with both Access Token Trusted IPs and Client Secret Trusted IPs set to 0.0.0.0, ::
7. Then I copied the Client ID & created Client Secrets saved into my secret issuer-infisical-client-secret and the Issuer resource.
8. Then I assigned the identity cert-manager to my cert-manager project k8s-so with my root & intermediate CAs with the Project role Admin
9. In the Identity I have also added Project Additional Privileges: Certificate Authorities Actions: Read, Certificates: Actions: Read, Create, Modify, Remove and Certificate Templates: Actions: Read.

Why does the certificate never get approved by the infisical's PKI issuer?

I was following this pki-issuer guide. FYI I think PKI issuer documentation is too generic and lacks Insifical's RBAC settings and explanations specific to the PKI Issuer.

[qdrddr]

I would really appreciate any input

[ndeybach]

Same problem here.

Certificate creation kick starts a CertificateRequest but it never gets approved and there is no event indicating any error or anything useful.

Overall using PKI in a k8s cluster is a bit of a pain (even the official install.yaml needs patches because the docker image version is not correct, like if devs didn't even try). But anyway I digress, the main problem here is just not having a Certificate issued ... like it is supposed to (Issuer is created, pod running).

@sheensantoscapadngan , could you provide input / updates on possible fixes?

@qdrddr, have you found any solution on your side ?

[maidul98]

Hi @qdrddr , the issuer is currently undergoing a revamp. We'll provide more information here once that is released

[maidul98]

@qdrddr, a new issuer update has been made and the full flow should be working https://infisical.com/docs/documentation/platform/pki/pki-issuer