Make helm create needed certificates with hooks automatically
What problem are you trying to solve?
Easier and automated provisioning of clusters with linkerd.
How should the problem be solved?
Add a helm installation hook that creates the certificate automatically
Any alternatives you've considered?
Automating this before helm install. Which is fine if the maintainers here don't think there is much gain in this.
How would users interact with this feature?
They wouldn't by default, they just wouldn't have to do manual certificate creation in case of installation through helm.
Would you like to work on this feature?
yes
The Linkerd Helm charts do not generate certificates automatically because Linkerd requires ECDSA certificates and, at the time that the Helm charts were created, Helm did not have any libraries for generating this type of cert. It seems like maybe Helm now has support for ECDSA (http://masterminds.github.io/sprig/crypto.html) and we may be able to implement this. Further investigation is required.
I'd like to emphasize that it's actually important that this be implemented with helm hooks, and not naively as a regular Secret resource the way the proxy-injector webhook cert is currently generated. If you take a naïve approach to generating certificates with Helm, you end up in a situation where every time you update your installation (to update to a new version of Linkerd, say, or to change some configuration property completely unrelated to the certificates), Helm will go ahead and replace all your certificates.
This already happens in the current chart version with the proxy injector certificates, which isn't a functional problem but it is annoying (you'll see changes pending every time you use helm diff, for example, unless you skip the automatically-generated certificates and just specify them yourself manually). For the trust root, though, that's not going to fly.
A hook-based solution could have a pre-install hook that runs a script which checks for the presence of the certificate and only creates one if it doesn't already exist. The hook-based solution isn't without its downsides either, but they're relatively minor, and certainly less problematic than Helm trying to replace the trust anchor every time it runs.
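The check-then-create step described in the comment above, sketched as the script a pre-install hook Job (a Job annotated with "helm.sh/hook": pre-install) could run. This is an added example, not code from the Linkerd charts or from any commenter. The namespace, secret name, subject CN, validity period and curve are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: body of a hypothetical pre-install hook Job.
# Assumed names (not from the issue): namespace, secret name, subject CN.
set -eu

NS="${NS:-linkerd}"
SECRET="${SECRET:-linkerd-trust-anchor}"
DAYS="${DAYS:-3650}"

# Prints "kept" if the secret already exists, "created" if it had to make one.
ensure_trust_anchor() {
    # An existing trust anchor is left untouched, so upgrades never rotate it.
    if kubectl -n "$NS" get secret "$SECRET" >/dev/null 2>&1; then
        echo kept
        return 0
    fi

    dir=$(mktemp -d)   # mktemp -d creates the directory with mode 0700
    rc=0
    {
        # ECDSA key (P-256 assumed), then a self-signed root certificate.
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key" &&
        openssl req -x509 -new -key "$dir/ca.key" -sha256 -days "$DAYS" \
            -subj "/CN=root.linkerd.cluster.local" -out "$dir/ca.crt" &&
        # "create" rather than "apply": it fails if the secret appeared in
        # the meantime, so a concurrent run cannot overwrite the anchor.
        kubectl -n "$NS" create secret tls "$SECRET" \
            --cert="$dir/ca.crt" --key="$dir/ca.key" >/dev/null
    } || rc=$?

    # Remove the private key from disk whether or not the steps succeeded.
    rm -rf "$dir"
    [ "$rc" -eq 0 ] || return "$rc"
    echo created
}

# Only act when invoked as the hook entry point: ./hook.sh --run
if [ "${1:-}" = "--run" ]; then
    ensure_trust_anchor
fi
```

The Job's service account needs get and create on Secrets in the target namespace and nothing broader, since the script never updates or deletes.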