Trust in Linkerd
Although I got Linkerd installed in the Kubernetes cluster I’m rebuilding, it couldn’t load the trust anchor:
time="2021-08-29T19:03:05Z" level=info msg="running version stable-2.10.2"
time="2021-08-29T19:03:05Z" level=fatal msg="Failed to load trust anchors: not a PEM certificate"
Given that I generated the certificate by following the and removed the final newline even though that shouldn’t be necessary, I was quite puzzled. I had no trouble decoding the contents of the tls.crt key as a PEM certificate outside the cluster.
The problem turned out to be that, because I used Kustomize’s replacements to set the the value it got was the Base64-encoded value from the Secret, not the plain text. Since this was the public half of the certificate, I could safely decode it and place it in a to pass to Linkerd instead. I did have to keep the Secret around as well for other reasons.
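As an added example (not code from the post, nor from Linkerd or Kustomize), the following Python snippet reproduces the mistake described above and the check that would have caught it before the control plane ever started. A Secret's data field holds the certificate Base64-encoded once more on top of its own PEM Base64 body, so a replacement that copies the raw field hands Linkerd a string that does not begin with the PEM header. The certificate bytes and the function names are constructed placeholders; no real certificate is involved.

```python
import base64
import binascii

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder: stands in for the DER bytes of a root CA,
# it is NOT a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"

# What `tls.crt` looks like on disk, i.e. what Linkerd expects to receive.
SAMPLE_PEM = (
    PEM_HEADER + "\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + PEM_FOOTER + "\n"
)

# What `data.tls.crt` looks like inside a Kubernetes Secret manifest:
# the PEM text Base64-encoded a second time.
SECRET_VALUE = base64.b64encode(SAMPLE_PEM.encode("ascii")).decode("ascii")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the body, raising the same message
    Linkerd logged when the input is not PEM at all."""
    text = pem.strip()  # a missing or extra final newline does not matter
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM certificate")
    body = text[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(body.split()), validate=True)


def linkerd_accepts(value: str) -> bool:
    """Mirror the strict behaviour: only plain PEM is a valid trust anchor."""
    try:
        pem_to_der(value)
        return True
    except (ValueError, binascii.Error):
        return False


def secret_to_configmap_value(secret_data_value: str) -> str:
    """Turn a Secret `data` entry back into the plain PEM text that a
    ConfigMap (or an `identity.externalCA` path) can carry."""
    return base64.b64decode(secret_data_value, validate=True).decode("ascii")


def load_trust_anchor(value: str) -> tuple[str, bytes]:
    """Classify a candidate trust anchor value.

    Returns ("pem", der) for plain PEM, ("base64-pem", der) when the value
    is a still-encoded Secret field, and raises ValueError otherwise.
    The second case is exactly the Kustomize replacement mistake."""
    text = value.strip()
    if text.startswith(PEM_HEADER):
        return "pem", pem_to_der(text)
    try:
        decoded = secret_to_configmap_value(text)
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError("not a PEM certificate") from None
    if decoded.strip().startswith(PEM_HEADER):
        return "base64-pem", pem_to_der(decoded)
    raise ValueError("not a PEM certificate")


if __name__ == "__main__":
    kind, der = load_trust_anchor(SECRET_VALUE)
    print(f"raw Secret value accepted by Linkerd? {linkerd_accepts(SECRET_VALUE)}")
    print(f"classified as {kind}, {len(der)} DER bytes after decoding")
    print(f"plain PEM accepted? {linkerd_accepts(secret_to_configmap_value(SECRET_VALUE))}")
```

Running it shows the raw Secret field rejected and the once-decoded value accepted, which is the difference between the failing replacement and the ConfigMap that worked. Classifying a "base64-pem" value as a misconfiguration rather than silently decoding it is the conservative choice for a pre-deployment lint: the fix belongs in the manifest, not in the consumer.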
PR #6455 being merged eventually allowed me to dispense with replacements. I switched to using identity.externalCA with the existing There’s unfortunately a dash of duplication since I had to preserve the public key in the TLS Secret as well.
For future reference, creating root certificates with step is easy on Windows too with Docker:
# The duration must be expressed in Go style, like 1s or 7d.
docker run -it --rm -v "$(pwd):/home/step" smallstep/step-cli step certificate create $DOMAIN_NAME /home/step/ca.crt /home/step/ca.key --profile root-ca --no-password --insecure --not-after $DURATION
Next in series: The Abandoned Argo CD Git Webhook (#9 in The Death and Rebirth of a Cluster)