GenCSRTemplate #42004

Closed
liuqi-sun opened this issue Nov 15, 2022 · 7 comments
Labels
lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while

Comments

@liuqi-sun
I changed the Organization and CommonName fields, but they were not in the generated certificate. As follows:

image

The Subject field in the certificate is still the URI in the Subject Alternative Name. As follows:
image

Please help me, thank you

@chaunceyjiang
Member

Can you give me a minimum reproduce step?

@liuqi-sun
Author

liuqi-sun commented Nov 15, 2022

> Can you give me a minimum reproduce step?

It's easy

  1. Set IsDualUse to true
  2. Modify the GenCSRTemplate function as shown in the image above
  3. istio-sidecar-injector cm Sets env OUTPUT_CERTS

@howardjohn
Member

This is the template - Istio only extracts certain fields from it, it doesn't allow arbitrary CSRs.

@liuqi-sun
Author

> This is the template - Istio only extracts certain fields from it, it doesn't allow arbitrary CSRs.

Thank you.
I can't find the relevant logic in istiod source code, can you tell me which file? In addition, I modified the URI of CSR, but the URI in the generated certificate remains unchanged. Will istiod rewrite the URI in the certificate?

@liuqi-sun
Author

> This is the template - Istio only extracts certain fields from it, it doesn't allow arbitrary CSRs.
image

As shown in the figure above, the URI and Subject in the generated certificate should be caller.Identities?

@istio-policy-bot

🧭 This issue or pull request has been automatically marked as stale because it has not had activity from an Istio team member since 2022-11-16. It will be closed on 2023-03-01 unless an Istio team member takes action. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

@istio-policy-bot istio-policy-bot added the lifecycle/stale Indicates a PR or issue hasn't been manipulated by an Istio team member for a while label Feb 14, 2023
@howardjohn
Member

Yes. See #42114 for FR for customization

@howardjohn howardjohn closed this as not planned Won't fix, can't repro, duplicate, stale Feb 21, 2023
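
The behaviour discussed in this thread, as an added Go sketch that is not Istio's code and not part of the original issue: a CA that sets the certificate's URI SAN from the authenticated caller's identities instead of the CSR. It assumes the public key is the only field kept from the CSR; `signCSR`, `must`, `demo`, the CA and the SPIFFE URIs are hypothetical names and constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// must panics on error; acceptable here because every input is constructed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signCSR (hypothetical) keeps only the CSR's public key. Subject and SANs in the
// CSR are dropped; the URI SANs come from the authenticated caller identities.
func signCSR(csrDER []byte, callerIDs []string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil { // proof of key possession
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	for _, id := range callerIDs {
		tmpl.URIs = append(tmpl.URIs, must(url.Parse(id)))
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))))
}

// demo signs a constructed CSR that asks for its own Subject and SPIFFE URI.
func demo() *x509.Certificate {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	csr := &x509.CertificateRequest{Subject: pkix.Name{Organization: []string{"MyOrg"}, CommonName: "my-cn"},
		URIs: []*url.URL{must(url.Parse("spiffe://cluster.local/ns/other/sa/admin"))}}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, csr, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))))
	return signCSR(csrDER, []string{"spiffe://cluster.local/ns/default/sa/app"}, ca, caKey)
}

func main() { fmt.Println(demo().URIs) }
```

The Organization, CommonName and URI requested in the CSR do not appear in the issued certificate, which is what stops a workload from naming its own identity.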