Although I got Linkerd installed in the Kubernetes cluster I’m rebuilding, it couldn’t load the trust anchor:

Output:

time="2021-08-29T19:03:05Z" level=info msg="running version stable-2.10.2"
time="2021-08-29T19:03:05Z" level=fatal msg="Failed to load trust anchors: not a PEM certificate"

Given that I generated the certificate by following the documentation and removed the final newline even though that shouldn’t be necessary, I was quite puzzled. I had no trouble decoding the contents of the tls.crt key as a PEM certificate outside the cluster.

The problem turned out to be that I used Kustomize's replacements to set the parameter. A replacement copies the source field verbatim, and the data fields of a Secret are Base64-encoded, so Linkerd received the Base64 string from the Secret rather than the plain-text PEM it expects. Since tls.crt holds the certificate, the public half of the key pair, I could safely decode it and place it in a ConfigMap to pass to Linkerd instead. I did have to keep the Secret around as well for other reasons.
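To make the failure mode concrete, here is an added example (not Linkerd's or Kustomize's own code) that approximates what the trust-anchor loader does with the value it receives: find a PEM block, require its type to be CERTIFICATE, and base64-decode the body. It builds a kubernetes.io/tls Secret the way the API serialises it, shows that copying data["tls.crt"] verbatim fails that check while decoding it once passes, and emits the ConfigMap holding the plain PEM. The certificate body is a constructed DER stub rather than a real X.509 certificate, and the Secret name, ConfigMap name and ca-bundle.crt key are assumptions for illustration.

```python
import base64
import re

# Constructed sample: not a real X.509 certificate, just a DER SEQUENCE stub
# (SEQUENCE { INTEGER 1 }) so the structural check below has bytes to inspect.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
PEM_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

# One PEM block; the backreference forces BEGIN and END types to agree.
_PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def decode_pem_certificate(text):
    """Approximation of the loader's check: locate a PEM block, insist on the
    CERTIFICATE type, base64-decode the body and require a DER SEQUENCE.
    Raises ValueError with the wording seen in the Linkerd log line."""
    m = _PEM_RE.search(text)
    if m is None or m.group(1) != "CERTIFICATE":
        raise ValueError("not a PEM certificate")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    if not der or der[0] != 0x30:  # X.509 certificates are DER SEQUENCEs
        raise ValueError("not a PEM certificate")
    return der


def secret_manifest(pem):
    """A kubernetes.io/tls Secret as the API serialises it: data values are Base64.
    The Secret name is an assumed example name."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": "linkerd-trust-anchor"},
        "data": {"tls.crt": base64.b64encode(pem.encode()).decode()},
    }


def replacement_outcome(secret):
    """What the loader sees when a Kustomize replacement copies Secret.data["tls.crt"]
    verbatim (raw Base64) versus the same field after one Base64 decode.
    Returns (raw_value_ok, decoded_value_ok)."""
    raw = secret["data"]["tls.crt"]

    def accepted(value):
        try:
            decode_pem_certificate(value)
            return True
        except ValueError:
            return False

    return accepted(raw), accepted(base64.b64decode(raw).decode())


def configmap_from_secret(secret, key="tls.crt"):
    """Decode the Secret field once and carry the plain PEM in a ConfigMap.
    ConfigMap name and ca-bundle.crt key are assumptions for this example."""
    pem = base64.b64decode(secret["data"][key]).decode()
    decode_pem_certificate(pem)  # fail early if the decoded value is still not PEM
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": "linkerd-identity-trust-roots"},
        "data": {"ca-bundle.crt": pem},
    }


if __name__ == "__main__":
    secret = secret_manifest(PEM_CERT)
    print("raw Secret field accepted, decoded accepted:", replacement_outcome(secret))
    print(configmap_from_secret(secret)["data"]["ca-bundle.crt"])
```

The same check is the quickest thing to run by hand when the error appears: pull the field out of the Secret, decode it once, and confirm the result starts with the BEGIN CERTIFICATE line before handing it to anything else.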

PR #6455 being merged eventually allowed me to dispense with replacements. I switched to using identity.externalCA with the existing ConfigMap. There's unfortunately a dash of duplication since I had to keep the certificate in the TLS Secret's tls.crt as well.

For future reference, creating root certificates with step is easy on Windows too with Docker:

PowerShell:

# The duration must be expressed in Go style, like 1s, 30m or 8760h. Go durations have no
# day suffix, so express days in hours (or pass an RFC 3339 timestamp instead of a duration).
docker run -it --rm -v "$(pwd):/home/step" smallstep/step-cli step certificate create $DOMAIN_NAME /home/step/ca.crt /home/step/ca.key --profile root-ca --no-password --insecure --not-after $DURATION

Next in series: (#9 in The Death and Rebirth of a Cluster)