You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
Add support to the EKS CA to create certificates with SANs extensions
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We would like to create mTLS certs for pods operating as part of a cluster that needs to communicate peer to peer. At the minimum, the pods need to be able to identify as the service's DNS, and the pod's DNS. This can't be done using the EKS CA right now because it ignores the SAN x509 extension. Even if the CSR contains SANs, the signed cert generated by the CA drops them.
Community Note
Tell us about your request
Add support to the EKS CA to create certificates with SANs extensions
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We would like to create mTLS certs for pods operating as part of a cluster that needs to communicate peer to peer. At the minimum, the pods need to be able to identify as the service's DNS, and the pod's DNS. This can't be done using the EKS CA right now because it ignores the SAN x509 extension. Even if the CSR contains SANs, the signed cert generated by the CA drops them.
Are you currently working around this issue?
There are a few non-ideal workarounds, see
cloudfoundry-incubator/quarks-operator@cbab593
pingcap/tidb-operator#1685
Both seem to require modifying the application to use an alternative TLS verification scheme.
Additional context
This issue was raised here as well awslabs/amazon-eks-ami#341.
The text was updated successfully, but these errors were encountered: