Trust in Linkerd
Although I got Linkerd installed in the Kubernetes cluster I’m rebuilding, it couldn’t load the trust anchor:
time="2021-08-29T19:03:05Z" level=info msg="running version stable-2.10.2" time="2021-08-29T19:03:05Z" level=fatal msg="Failed to load trust anchors: not a PEM certificate"
Given that I generated the certificate by following the
documentation
and removed the final newline even though that shouldn’t be
necessary, I was quite puzzled. I had no trouble
decoding the contents of the tls.crt
key as a PEM certificate outside the cluster.
The problem turned out to be that, because I used Kustomize’s replacements
to set the
parameter,
the value it got was the Base64-encoded value from the Secret, not the plain text. Since this was
the public half of the certificate, I could safely decode it and place it in a
ConfigMap
to pass to Linkerd instead. I did have to keep the Secret around as well for other reasons.