[Feature Request]: Unable to Issue a CA certificate with the desired pathlen constraint value #220
Comments
Hi @find-arka, thanks for the issue. I wouldn't say this is a bug - more of a missing feature. The root of the problem here is that this issuer does not allow users to set the TemplateArn themselves. This is a feature that we have discussed having, but have not committed resources to determine the best method to do so. I will discuss with the team.

Related: #98

Hello @divyansh-gupta, Thank you for the quick response! Looking forward to hearing more about the team-discussion outcomes on this.
Hi @find-arka, discussed with the team, there are several things we can do here:
We aren't sure which is the right path forward yet, but would love to get your thoughts?

Hello @divyansh-gupta, Had a discussion with @jmunozro, and we both felt that option 2.a sounds like the best one:

Hello @divyansh-gupta,

Hi @find-arka, we're having discussions as a team, and when we have a path forward we'll update you. If you have solutions we'll be happy to take a look at a pull request. Thanks for checking in!
Hi @find-arka, we will look into using Kubernetes annotations. With annotations, we think you can pass in the template ARN that you'd like to use. If we're right, then you can specify a template with the path length that you need. Do you have any thoughts or feedback on our approach?
Just to add to that, the annotation would be something like:

@dcamzn , @divyansh-gupta Thank you for taking the discussion ahead. The annotation approach should work, but we might have to put additional validation to ensure that the generated cert has the right e.g. scenario:
If we have to put in a validation like that, we would have to get the Can we do it this way?
I'm sure some other boundary conditions for this validation need to be present. What do you all think?

@find-arka thanks for the feedback and reviewing our approach! We agree with you that we need to put additional validations with this approach. We will review validation requirements and come back for your thoughts. |
Describe the expected outcome
Root CA template: RootCACertificate/V1. Subordinate CA template: SubordinateCACertificate_PathLen3/V1 (pathlen:3 constraint). A CA certificate was issued from the Subordinate CA via a cert-manager Certificate (cert-manager.io/v1). Expected a CA certificate with a pathlen:2 constraint.
Describe the actual outcome
The generated CA certificate had a pathlen:0 constraint, instead of the expected pathlen:2 constraint.
Steps to reproduce
Create an EKS Cluster.
Install Cert Manager v1.10.0.
You could run this script to create a Root CA and a Subordinate CA: https://raw.githubusercontent.com/find-arka/k8s-misc/main/create-ca-hierarchy-aws-pca.sh
With the output from the script, save the Intermediate CA ARN in an environment variable:
export CA_ARN=arn:aws:acm-pca:REDACTED:REDACTED-AC:certificate-authority/REDACTED
Verify:
Expected output:
my-internal-ca-cert-manager-tls-crt.pem has the CA cert chained with the Issuer. Extract the top section from the pem file and copy it to a different file. I named it generated-ca-cert.pem
openssl x509 -in generated-ca-cert.pem -noout -text | grep -A3 Constraint
Subordinate CA cert has pathlen:3 but the generated CA cert from that CA cert doesn't have pathlen:2, instead it has pathlen:0.
Relevant log output
N/A. Have already attached the expected output along with the commands in the above section.
Version
Cert Manager -> v1.10.0
aws-privateca-issuer -> v1.2.2
Kubernetes -> 1.22
Amazon EKS platform version -> eks.6
Have you tried the following?
Category
Supported Workflow Broken
Severity
Severity 3
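The validation discussed in the last two comments, together with the pathlen check from the reproduction steps, as an added Go example; this is not code from aws-privateca-issuer or from anyone in the thread. It builds a constructed three-level hierarchy with the standard library in place of AWS Private CA (a Root CA with no constraint, a Subordinate CA with pathlen:3, and a CA issued under it that carries pathlen:0, the shape the report describes), reads pathLenConstraint from the first certificate of a chained PEM bundle the way the openssl step does, and rejects a requested pathlen that the issuer's own constraint cannot accommodate. The function names (pathLen, checkRequestedPathLen, firstCertFromBundle, newCA) and the common names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// pathLen returns a CA certificate's pathLenConstraint and whether one is present.
// Go parses an absent constraint as MaxPathLen == -1 (or 0 with MaxPathLenZero false).
func pathLen(c *x509.Certificate) (int, bool) {
	if !c.IsCA || !c.BasicConstraintsValid {
		return -1, false
	}
	if c.MaxPathLen > 0 || (c.MaxPathLen == 0 && c.MaxPathLenZero) {
		return c.MaxPathLen, true
	}
	return -1, false
}

// checkRequestedPathLen is the validation discussed in the thread: under an issuer with
// pathlen:m a new CA certificate may carry at most pathlen:m-1, an issuer with pathlen:0
// may not issue CA certificates at all, and an unconstrained issuer allows any value.
func checkRequestedPathLen(issuer *x509.Certificate, requested int) error {
	m, ok := pathLen(issuer)
	switch {
	case !ok:
		return nil
	case m == 0:
		return fmt.Errorf("issuer has pathlen:0 and cannot issue CA certificates")
	case requested > m-1:
		return fmt.Errorf("requested pathlen:%d exceeds pathlen:%d, the maximum under an issuer with pathlen:%d", requested, m-1, m)
	}
	return nil
}

// firstCertFromBundle is the "extract the top section of the pem file" step from the
// reproduction: it returns the first CERTIFICATE block of a chained PEM bundle.
func firstCertFromBundle(bundle []byte) (*x509.Certificate, error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
	}
	return nil, fmt.Errorf("no CERTIFICATE block in bundle")
}

// newCA signs a CA certificate for cn under parentCert/parentKey (self-signed when parentCert
// is nil); pathlen < 0 omits the constraint. Constructed stand-in for an AWS PCA CA, not real output.
func newCA(cn string, pathlen int, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // test data only
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // each constructed CA issues a single certificate
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLen:            pathlen, // -1 leaves pathLenConstraint out of the extension
		MaxPathLenZero:        pathlen == 0,
	}
	if parentCert == nil {
		parentCert, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	root, rootKey := newCA("Root CA", -1, nil, nil)                   // RootCACertificate/V1 stand-in
	sub, subKey := newCA("Subordinate CA PathLen3", 3, root, rootKey) // SubordinateCACertificate_PathLen3/V1 stand-in
	issued, _ := newCA("my-internal-ca", 0, sub, subKey)             // what the report observed: pathlen:0
	// The tls.crt in the report holds the issued CA cert followed by its issuer; rebuild that bundle.
	bundle := append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: issued.Raw}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: sub.Raw})...)
	top, err := firstCertFromBundle(bundle)
	if err != nil {
		panic(err)
	}
	n, _ := pathLen(top)
	fmt.Printf("%s: pathlen:%d\n", top.Subject.CommonName, n)
	fmt.Println("request pathlen:2 under the Subordinate CA:", checkRequestedPathLen(sub, 2))
	fmt.Println("request pathlen:3 under the Subordinate CA:", checkRequestedPathLen(sub, 3))
}
```

Run it with `go run`. The check encodes the RFC 5280 meaning of pathLenConstraint (the maximum number of non-self-issued intermediate CAs that may follow the certificate in a valid path): a pathlen:3 subordinate can legitimately issue a pathlen:0 CA, which is what the issuer produced, or anything up to pathlen:2, while a requested pathlen:3 could never be used to full depth and is rejected. An annotation-selected template would be validated the same way, by comparing the pathlen the template would produce against the issuing CA's own constraint before the request is sent.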