Summary
When TLS is enabled, the operator submits a certificate request whose DNS names include short-name SANs (no namespace qualifier or no cluster domain suffix). Some enterprise PKI systems reject CSRs containing short-name SANs. This makes TLS impossible to use with these signers even though the operator already generates fully-qualified alternatives.
Root cause
GetCertificateSans func unconditionally appends short names.
Could we add a flag, spec.tls.fqdnOnly or something appropriate, to generate SANs with FQDNs only?
Is this a feature you are interested in implementing yourself?
Yes
Anything else?
No response
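Added illustration of the SAN-building behaviour the issue describes and of the proposed FQDN-only switch; this is not the operator's own code. The names SANOptions, FQDNOnly, certificateSANs, shortNameSANs and buildCSR are hypothetical stand-ins for GetCertificateSans and the proposed spec.tls.fqdnOnly, and the service/namespace/cluster-domain values are constructed sample input. The block also builds a real CSR and checks its DNSNames, which is the pre-submission check a practitioner would run before handing the request to a strict PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// SANOptions is a hypothetical stand-in for the inputs GetCertificateSans
// receives; FQDNOnly models the proposed spec.tls.fqdnOnly flag.
type SANOptions struct {
	Service       string
	Namespace     string
	ClusterDomain string // defaults to cluster.local when empty
	FQDNOnly      bool
}

// certificateSANs builds the DNS SAN list for a Kubernetes service.
// With FQDNOnly=false it reproduces the behaviour the issue describes:
// short names (no namespace qualifier, no cluster domain suffix) are always
// appended alongside the fully-qualified name.
func certificateSANs(o SANOptions) []string {
	domain := o.ClusterDomain
	if domain == "" {
		domain = "cluster.local"
	}
	fqdn := fmt.Sprintf("%s.%s.svc.%s", o.Service, o.Namespace, domain)
	sans := []string{fqdn}
	if o.FQDNOnly {
		return sans
	}
	return append(sans,
		o.Service,                        // bare service name
		o.Service+"."+o.Namespace,        // missing the svc.<domain> suffix
		o.Service+"."+o.Namespace+".svc", // missing the cluster domain
	)
}

// shortNameSANs returns every DNS SAN that is not qualified with
// .svc.<clusterDomain>; a non-empty result is what a strict PKI rejects.
func shortNameSANs(dnsNames []string, clusterDomain string) []string {
	suffix := ".svc." + clusterDomain
	var short []string
	for _, n := range dnsNames {
		if !strings.HasSuffix(n, suffix) {
			short = append(short, n)
		}
	}
	return short
}

// buildCSR creates a PKCS#10 request carrying dnsNames as SANs, parses it
// back and verifies its self-signature, returning the parsed request so the
// caller can inspect exactly what a signer would see.
func buildCSR(commonName string, dnsNames []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

func main() {
	// Constructed sample input, not taken from any real cluster.
	opts := SANOptions{Service: "db", Namespace: "prod", ClusterDomain: "cluster.local"}
	for _, fqdnOnly := range []bool{false, true} {
		opts.FQDNOnly = fqdnOnly
		sans := certificateSANs(opts)
		csr, err := buildCSR(opts.Service, sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("fqdnOnly=%v DNSNames=%v shortNames=%v\n",
			fqdnOnly, csr.DNSNames, shortNameSANs(csr.DNSNames, opts.ClusterDomain))
	}
}
```

Running shortNameSANs over the parsed CSR rather than over the operator's intended list is deliberate: it checks the bytes the signer actually receives, so it catches a mismatch between what the controller thinks it requested and what ended up in the request.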