Trust in Linkerd
Although I got Linkerd installed in the Kubernetes cluster I’m rebuilding, it couldn’t load the trust anchor:
```
time="2021-08-29T19:03:05Z" level=info msg="running version stable-2.10.2"
time="2021-08-29T19:03:05Z" level=fatal msg="Failed to load trust anchors: not a PEM certificate"
```
Given that I generated the certificate by following the documentation and removed the final newline even though that shouldn’t be necessary, I was quite puzzled. I had no trouble decoding the contents of the tls.crt key as a PEM certificate outside the cluster.
The problem turned out to be that, because I used Kustomize’s replacements to set the parameter, the value it got was the Base64-encoded value from the Secret, not the plain text. Since this was the public half of the certificate, I could safely decode it and place it in a ConfigMap to pass to Linkerd instead. I did have to keep the Secret around as well for other reasons.
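As an added illustration of the mix-up described above (my own example, not code from the post or from Linkerd), the check below accepts a value destined for the trust-anchor setting and tells apart plain PEM, the Base64 wrapper a Secret’s `data` field carries, and junk. The certificate body is a constructed placeholder, not a real DER certificate.

```python
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# One PEM block: header, base64 body, footer. A trust-anchor bundle may hold several.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----", re.S)

# Constructed sample data: the "DER" is just placeholder bytes, not a certificate.
_DER_PLACEHOLDER = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_PEM = f"{PEM_HEADER}\n{_DER_PLACEHOLDER}\n{PEM_FOOTER}\n"
# What a Secret's data.tls.crt holds, and what a Kustomize replacement copies verbatim.
SECRET_DATA_VALUE = base64.b64encode(SAMPLE_PEM.encode()).decode()


def is_pem_certificate(text: str) -> bool:
    """True if text is one or more well-formed PEM certificate blocks."""
    stripped = text.strip()
    if not (stripped.startswith(PEM_HEADER) and stripped.endswith(PEM_FOOTER)):
        return False
    bodies = PEM_BLOCK.findall(stripped)
    if not bodies:
        return False
    for body in bodies:
        try:
            # Each body must be valid base64 (the DER certificate); reject anything else.
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            return False
    return True


def trust_anchor_pem(value: str) -> str:
    """Normalise a trust-anchor value to plain PEM with one trailing newline.

    Accepts plain PEM (a ConfigMap value) or the Base64 text from a Secret's
    data field (the form that produced "not a PEM certificate" above).
    Raises ValueError for anything else.
    """
    if is_pem_certificate(value):
        return value.strip() + "\n"
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        raise ValueError("not a PEM certificate")
    if is_pem_certificate(decoded):
        return decoded.strip() + "\n"
    raise ValueError("not a PEM certificate")
```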
PR #6455 being merged eventually allowed me to dispense with replacements. I switched to using identity.externalCA with the existing ConfigMap. There’s unfortunately a dash of duplication since I had to preserve the public key in the TLS Secret as well.
For future reference, creating root certificates with step is easy on Windows too with Docker:
```powershell
# The duration must be expressed in Go style, like 1s or 7d.
docker run -it --rm -v "$(pwd):/home/step" smallstep/step-cli step certificate create $DOMAIN_NAME /home/step/ca.crt /home/step/ca.key --profile root-ca --no-password --insecure --not-after $DURATION
```