why do you "chain" the certs yourself

[perezjasonr]

In the vault section when your setting up PKI i notice you have a step where you use cat to chain the certs yourselves.
I'm curious why this is, the vault docs (even the ones that have steps for intermediate ca) seem not to do that and go straight to set-signed.

Does vault not do this part for you? I guess I'm curious because I noticed that difference and...I actually couldn't reach my services until I included that particular step. And yet this begs the question why the vault docs dont do this. Thank you.

[palimarium]

Hi @perezjasonr

Thanks for opening this, it is due to a bug in the cert-manager issuer, which does not include the full CA Chain:

cert-manager/cert-manager#2166
cert-manager/cert-manager#3340
cert-manager/cert-manager#3433

in theory, this should be fixed and return now the full chain, but the last time I tested this was still not working and this is why I had to "build" and import the certificate bundle.

[perezjasonr]

ok thank you this is good to know for my sanity, i thought I was going crazy.

[craftey]

@palimarium Hi, I stumbled over your post. We are currently upgrading for our project our legacy codebase from cert-manager 0.6.6 to 1.6.1, augmented by an update of the k8s vault issuer and k8s certificate resource of our apps. Our issue is not istio related. But we are facing the same issue, that the generated certificate chain in tls.crt does not include the root CA anymore. Your test seem to show the same issue. I am curious, how can we workaround this? Do you have a link to or an explanation of a possible workaround? Thanks for any hints.