Document / improve that sometimes the issuer needs to set ca.crtΒ #283
Description
istio-csr has a Helm value for specifying a file from which root CAs should be read.
We document that that file is optional, which is correct. If the file is not provided istio-csr defaults to falling back to using ca.crt from whatever cert gets issued for the serving cert.
This root is used to verify incoming client certificates.
If no root CAs file was provided and no ca.crt is provided, users will see an error like failed to fetch initial serving certificate: root CA certificate is not defined
This has a couple of problems:
- The error talks about fetching the serving certificate, but it was actually fetched successfully. This is a configuration error, not an error with fetching that certificate.
- We don't document that we require at least one of a root CAs file or
ca.crtto be present - Falling back to
ca.crtis highly dangerous and something we wouldn't recommend elsewhere because it makes root rotation much more difficult (or impossible) to do safely - Not everything sets
ca.crt- it's something we'd rather get rid of and issuer-lib discourages its use.
We should firstly improve our documentation around this, and maybe think of other ways we can improve this situation