Current trust-bundle (ca-bundle.yaml) produces duplicate root CA entries #119
Comments
Linked to #117
Pruning those The redundancy is functionally harmless because Ziti de-duplicates root CAs when they're aggregated to compute the well-known trust bundle that's used by clients to verify Ziti's server certs. I agree the opportunity to optimize here is a more readable and understandable Bundle template and resultant ConfigMap.
Currently, the ca-bundle has duplicate entries for each Root CA.
Solution:
Remove the following secrets from the trust-bundle:
```yaml
name: {{ include "ziti-controller.fullname" . }}-ctrl-plane-identity-secret
key: ca.crt

name: {{ include "ziti-controller.fullname" . }}-web-identity-secret
key: ca.crt

name: {{ include "ziti-controller.fullname" . }}-admin-client-secret
key: ca.crt
```
Also, it would be good to directly include the root certs and not the intermediate ones. Although this produces the same output, it improves readability and clarity a lot. So the outcome would be that there are just the Root CA certs for ctrl-plane, web-identity and edge-signing.
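A check for the duplicate entries described in this issue, as an added example (not code from the issue or from the Ziti charts): it fingerprints the decoded bytes of each PEM block, so a repeated root CA is found even when its line wrapping differs between sources. The function names and the sample bundle are assumptions; the sample uses constructed placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def der_blocks(bundle):
    """Decode every PEM certificate block to raw bytes, ignoring line wrapping."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT.findall(bundle)]

def to_pem(der, width=64):
    """Encode raw bytes as one PEM certificate block wrapped at `width` columns."""
    b64 = base64.b64encode(der).decode()
    rows = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{rows}\n-----END CERTIFICATE-----\n"

def find_duplicates(bundle):
    """Map SHA-256 fingerprint -> 0-based positions, for certs present more than once."""
    positions = {}
    for i, der in enumerate(der_blocks(bundle)):
        positions.setdefault(hashlib.sha256(der).hexdigest(), []).append(i)
    return {fp: idx for fp, idx in positions.items() if len(idx) > 1}

def dedupe(bundle):
    """Return the bundle with only the first occurrence of each certificate."""
    seen, out = set(), []
    for der in der_blocks(bundle):
        fp = hashlib.sha256(der).digest()
        if fp not in seen:
            seen.add(fp)
            out.append(to_pem(der))
    return "".join(out)

# Constructed sample: placeholder bytes stand in for DER certificates (not real X.509).
CTRL_ROOT = b"constructed ctrl-plane root CA " * 8
WEB_ROOT = b"constructed web-identity root CA " * 8
SIGN_ROOT = b"constructed edge-signing root CA " * 8
SAMPLE_BUNDLE = (to_pem(CTRL_ROOT) + to_pem(WEB_ROOT) + to_pem(CTRL_ROOT, width=76)
                 + to_pem(SIGN_ROOT) + to_pem(WEB_ROOT))

if __name__ == "__main__":
    for fp, idx in find_duplicates(SAMPLE_BUNDLE).items():
        print(f"duplicate {fp[:16]}... at positions {idx}")
    print(f"{len(der_blocks(SAMPLE_BUNDLE))} entries -> "
          f"{len(der_blocks(dedupe(SAMPLE_BUNDLE)))} unique")
```

To run it against a rendered bundle, pass the PEM text of the ConfigMap's bundle key to `find_duplicates` in place of `SAMPLE_BUNDLE`.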