linkerd2
duplicated copies of trust anchor certificate
What problem are you trying to solve?
I followed this guide to set up automatic control plane TLS cert rotations and it's working as expected.
However, after linkerd-control-plane is installed, I noticed that the trust anchor certificate has multiple copies on k8s:
- kind: Secret (name: linkerd-trust-anchor) from this step
- kind: ConfigMap (name: linkerd-identity-trust-roots) from helm install/upgrade: --set-file identityTrustAnchorsPEM=<path_to_ca_cert>, which I believe led to the creation of this ConfigMap object
How should the problem be solved?
Would it be possible to include a feature in the helm chart to allow reading trust anchor cert from an existing TLS-typed secret on k8s? Or even generalize that to support "external trust anchor", fetching from a few different options, where existing k8s secret is one of them.
identityTrustAnchorsPEM will continue to be supported, I just want to ask for more options to set it up.
Any alternatives you've considered?
Going through the latest helm chart values, I don't see any options to specify an alternative way to pass in trust anchor other than using identityTrustAnchorsPEM.
Pardon my limited knowledge on linkerd: I'm not 100% sure if this is doable with the current version of linkerd chart, please correct me if I'm wrong.
How would users interact with this feature?
No response
Would you like to work on this feature?
None
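While the trust anchor lives in both objects, the two copies can be checked for drift by certificate fingerprint. The sketch below is an added example, not part of the original issue and not code from the Linkerd project. It assumes both objects are loaded as JSON (as `kubectl get -o json` returns them), that the Secret stores the certificate under `tls.crt`, and that the ConfigMap stores its bundle under `ca-bundle.crt`; the sample data is constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    out = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # ignore line wrapping
        out.add(hashlib.sha256(der).hexdigest())
    return out

def compare_trust_anchor(secret, configmap):
    """Compare the Secret's tls.crt against the ConfigMap bundle by fingerprint."""
    secret_pem = base64.b64decode(secret["data"]["tls.crt"]).decode()
    bundle_pem = configmap["data"]["ca-bundle.crt"]  # assumed key name
    in_secret, in_bundle = fingerprints(secret_pem), fingerprints(bundle_pem)
    return {
        "in_sync": bool(in_secret) and in_secret <= in_bundle,
        "missing_from_bundle": sorted(in_secret - in_bundle),
        "only_in_bundle": sorted(in_bundle - in_secret),
    }

def make_pem(der, width=64):
    """Wrap constructed bytes as a PEM block (sample data, not a real cert)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed placeholder bytes standing in for two DER certificates.
ANCHOR_DER = b"constructed-trust-anchor-" * 8
OLD_DER = b"constructed-previous-anchor-" * 8

SECRET = {"kind": "Secret", "metadata": {"name": "linkerd-trust-anchor"},
          "data": {"tls.crt": base64.b64encode(make_pem(ANCHOR_DER).encode()).decode()}}
# Same anchor re-wrapped at 76 columns, plus an older anchor still in the bundle.
CONFIGMAP = {"kind": "ConfigMap", "metadata": {"name": "linkerd-identity-trust-roots"},
             "data": {"ca-bundle.crt": make_pem(OLD_DER) + make_pem(ANCHOR_DER, width=76)}}
# A bundle that no longer contains the Secret's anchor.
STALE = {"kind": "ConfigMap", "data": {"ca-bundle.crt": make_pem(OLD_DER)}}

if __name__ == "__main__":
    print(compare_trust_anchor(SECRET, CONFIGMAP))
    print(compare_trust_anchor(SECRET, STALE))
```

Comparing decoded bytes rather than PEM text keeps the check stable when the two copies differ only in line wrapping or when the bundle carries more than one anchor.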