Operator requests cert-manager to generate server certificates with `IsCA: true` set, which is not correct for server certificates.

```go
kubeCert := &cm.Certificate{
	ObjectMeta: metav1.ObjectMeta{
		Name:      cr.Name + "-ssl",
		Namespace: cr.Namespace,
	},
	Spec: cm.CertificateSpec{
		SecretName: cr.Spec.PXC.SSLSecretName,
		CommonName: cr.Name + "-proxysql",
		DNSNames: []string{
			cr.Name + "-pxc",
			cr.Name + "-proxysql",
			"*." + cr.Name + "-pxc",
			"*." + cr.Name + "-proxysql",
		},
		IsCA: true,
		IssuerRef: cmmeta.ObjectReference{
			Name:  issuerName,
			Kind:  issuerKind,
			Group: issuerGroup,
		},
	},
}
```

— https://github.com/percona/percona-xtradb-cluster-operator/blob/main/pkg/controller/pxc/tls.go#L111-L132

```go
kubeCert = &cm.Certificate{
	ObjectMeta: metav1.ObjectMeta{
		Name:      cr.Name + "-ssl-internal",
		Namespace: cr.Namespace,
	},
	Spec: cm.CertificateSpec{
		SecretName: cr.Spec.PXC.SSLInternalSecretName,
		CommonName: cr.Name + "-pxc",
		DNSNames: []string{
			cr.Name + "-pxc",
			"*." + cr.Name + "-pxc",
			cr.Name + "-haproxy-replicas." + cr.Namespace + ".svc.cluster.local",
			cr.Name + "-haproxy-replicas." + cr.Namespace,
			cr.Name + "-haproxy-replicas",
			cr.Name + "-haproxy." + cr.Namespace + ".svc.cluster.local",
			cr.Name + "-haproxy." + cr.Namespace,
			cr.Name + "-haproxy",
		},
		IsCA: true,
		IssuerRef: cmmeta.ObjectReference{
			Name:  issuerName,
			Kind:  issuerKind,
			Group: issuerGroup,
		},
	},
}
```

— https://github.com/percona/percona-xtradb-cluster-operator/blob/main/pkg/controller/pxc/tls.go#L147-L172

`IsCA` is defined as:

```go
// IsCA will mark this Certificate as valid for certificate signing.
// This will automatically add the `cert sign` usage to the list of `usages`.
```
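As an added example (not code from the post above or from the Percona operator), the following Go program shows how to check an issued `tls.crt` for the problem the post describes: it parses a PEM certificate and reports whether the basic-constraints CA flag and the `cert sign` key usage that cert-manager adds for `IsCA: true` are present. The `IssueTestCert` helper builds a throwaway CA and leaf entirely in memory so the check runs offline; the names `cluster1-pxc` and `*.cluster1-pxc` are constructed sample values, and `IsProperServerCert` is a hypothetical policy function, not part of cert-manager or the operator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertFindings summarises the fields that decide whether a certificate is a
// plain server (leaf) certificate or was mis-issued as a CA.
type CertFindings struct {
	IsCA       bool     // basic constraints CA:TRUE
	CanSign    bool     // key usage includes cert sign
	ServerAuth bool     // extended key usage includes serverAuth
	DNSNames   []string // subject alternative names
}

// InspectServerCert parses one PEM-encoded certificate (e.g. the tls.crt entry
// of the operator's SSL secret) and reports the CA-related fields.
func InspectServerCert(pemBytes []byte) (CertFindings, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertFindings{}, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertFindings{}, err
	}
	f := CertFindings{
		IsCA:     cert.IsCA,
		CanSign:  cert.KeyUsage&x509.KeyUsageCertSign != 0,
		DNSNames: cert.DNSNames,
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			f.ServerAuth = true
		}
	}
	return f, nil
}

// IsProperServerCert is a hypothetical policy check: a server certificate must
// neither be a CA nor be allowed to sign further certificates.
func IsProperServerCert(f CertFindings) bool {
	return !f.IsCA && !f.CanSign
}

// IssueTestCert creates a constructed in-memory CA and signs one leaf for the
// given DNS names, either with isCA=true (the shape the post reports) or
// isCA=false (the expected shape). Test data only, not the operator's output.
func IssueTestCert(dnsNames []string, isCA bool) ([]byte, error) {
	if len(dnsNames) == 0 {
		return nil, errors.New("at least one DNS name is required")
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames,
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		// Mirrors what the IsCA field's doc comment says cert-manager does.
		leafTmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	for _, isCA := range []bool{true, false} {
		pemBytes, err := IssueTestCert([]string{"cluster1-pxc", "*.cluster1-pxc"}, isCA)
		if err != nil {
			panic(err)
		}
		f, err := InspectServerCert(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("requested IsCA=%v -> IsCA=%v CanSign=%v ServerAuth=%v proper=%v\n",
			isCA, f.IsCA, f.CanSign, f.ServerAuth, IsProperServerCert(f))
	}
}
```

To apply the same check to a live cluster, feed `InspectServerCert` the decoded `tls.crt` from the secret named in `SSLSecretName` or `SSLInternalSecretName`; a leaf that reports `IsCA=true` or `CanSign=true` was issued with the flag the post describes.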
Hi,
The issue was fixed and will be available in the next PXC operator release.