Although I got Linkerd installed in the Kubernetes cluster I’m rebuilding, it couldn’t load the trust anchor:

time="2021-08-29T19:03:05Z" level=info msg="running version stable-2.10.2"
time="2021-08-29T19:03:05Z" level=fatal msg="Failed to load trust anchors: not a PEM certificate"

Given that I generated the certificate by following the documentation and removed the final newline even though that shouldn’t be necessary, I was quite puzzled. I had no trouble decoding the contents of the tls.crt key as a PEM certificate outside the cluster.

The problem turned out to be that, because I used Kustomize’s replacements to set the parameter, the value it got was the Base64-encoded value from the Secret, not the plain text. Since this was the public half of the certificate, I could safely decode it and place it in a ConfigMap to pass to Linkerd instead. I did have to keep the Secret around as well for other reasons.
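The failure described above, as an added Go example (not from the original post and not Linkerd's own code): a check that tells a PEM trust anchor apart from the Base64 text stored in a Secret's data field. The function names and the throwaway certificate generated as sample input are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// isPEMCert reports whether b begins with a parseable PEM CERTIFICATE block.
func isPEMCert(b []byte) bool {
	block, _ := pem.Decode(b)
	if block == nil || block.Type != "CERTIFICATE" {
		return false
	}
	_, err := x509.ParseCertificate(block.Bytes)
	return err == nil
}

// classifyAnchor returns "pem", "base64-pem" (Secret .data copied verbatim) or "invalid".
func classifyAnchor(value string) string {
	if isPEMCert([]byte(value)) {
		return "pem"
	}
	if raw, err := base64.StdEncoding.DecodeString(value); err == nil && isPEMCert(raw) {
		return "base64-pem"
	}
	return "invalid"
}

// sampleAnchor builds a throwaway self-signed CA (constructed data, fixed zero seed).
func sampleAnchor() string {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	p := sampleAnchor()
	fmt.Println(classifyAnchor(p), classifyAnchor(base64.StdEncoding.EncodeToString([]byte(p))))
}
```

A result of "base64-pem" means the value was copied from the Secret without decoding and needs one Base64 decode before it is handed over as a trust anchor.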
