Martin Corriveau
Martin Corriveau
Add the same problem. A major one ! It have generated so much certificaterequest that it cause etcd problem (grownth and performance) and make some of our clusters to crash...
I will go, with a concrete example of my config and my route with cert-manager 1.6.1 kind: route annotations: cert-utils-operator.hydroquebec.com/certs-from-secret: cert-secret cert-utils-operator.hydroquebec.com/destinationCA-from-secret: cert-secret kind: secret cert-secret (secret created by cert-manager)...
I will go, with a concrete example of my config and my route with cert-manager 1.6.1 kind: route annotations: cert-utils-operator.hydroquebec.com/certs-from-secret: cert-secret cert-utils-operator.hydroquebec.com/destinationCA-from-secret: cert-secret kind: secret cert-secret (secret created by cert-manager)...
I will go, with a concrete example of my config and my route with cert-manager 1.6.1 kind: route annotations: cert-utils-operator.hydroquebec.com/certs-from-secret: cert-secret cert-utils-operator.hydroquebec.com/destinationCA-from-secret: cert-secret kind: secret cert-secret (secret created by cert-manager)...
Identation not good...
Hope you'll understand the explanation.
The point is how can you polulate the fullchain (root/sub) together by using cert-util-operator if cert-manager secret separate root and sub.
Yes we got the ca.crt (containing only public root cert) With cert-manager 1.2.0 we were not using inject-CA annotation because full chain certificate were avalaible in tls.crt, so we were...
You're right, ca.crt et tls.crt is a merge of the signe certificate with it's CA. The CA chain must stay together. I should have in ocp route, sub and root...
How we succeeded to solve this issue. We fork the cert-util-operator code to manipulate certificate in the route. We now always use inject-CA : true in our route. The new...