From 2d117be80fd86a3cae0995f7b014a2e4bde6e7a6 Mon Sep 17 00:00:00 2001
From: Tarun Pothulapati
Date: Tue, 3 Nov 2020 03:36:44 +0530
Subject: [PATCH] upgrade: do not use external certs with upgrades (#5166)
Currently, For legacy upgrades we are fetching even external certs and using it for upgrades which contradicts the condition at https://github.com/linkerd/linkerd2/blob/master/cli/cmd/options.go#L550 used with install and thus causing errors. Instead we don't retrieve them with upgrades and hence they don't get stored into the config and secrets which seems correct as we do not want to store certs in the config and use them with upgrades when they are created externally. This touches only the upgrade path i.e `fetchIssuers` and would not effect the retrievel of external certs for checks, etc.
Signed-off-by: Tarun Pothulapati
---
 cli/cmd/upgrade_legacy.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cli/cmd/upgrade_legacy.go b/cli/cmd/upgrade_legacy.go
index d43a56434..0c4a8f222 100644
--- a/cli/cmd/upgrade_legacy.go
+++ b/cli/cmd/upgrade_legacy.go
@@ -234,7 +234,9 @@ func fetchIssuer(ctx context.Context, k kubernetes.Interface, trustPEM string, s
 )
 switch scheme {
 case string(corev1.SecretTypeTLS):
- issuerData, err = issuercerts.FetchExternalIssuerData(ctx, k, controlPlaneNamespace)
+ // Do not return external issuer certs as no need of storing them in config and upgrade secrets
+ // Also contradicts condition in https://github.com/linkerd/linkerd2/blob/main/cli/cmd/options.go#L550
+ return &issuercerts.IssuerCertData{}, nil
 default:
 issuerData, err = issuercerts.FetchIssuerData(ctx, k, trustPEM, controlPlaneNamespace)
 if issuerData != nil && issuerData.TrustAnchors != trustPEM {
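Review bot: The new `return &issuercerts.IssuerCertData{}, nil` in the `corev1.SecretTypeTLS` case hands back an empty, non-nil result that a caller cannot tell apart from a successful fetch. Any caller that goes on to use the returned certificate or key material would get zero values with no error; the callers are outside this hunk, so it should be confirmed that they tolerate this. Keeping externally managed issuer material out of the stored config and upgrade secrets is the right outcome, but the contract belongs in the function's doc comment rather than only inside the branch, e.g. `// fetchIssuer returns an empty IssuerCertData for the kubernetes.io/tls scheme: external issuer certs are not fetched or persisted during upgrade.` The comment's link to `options.go#L550` on `main` will drift as that file changes, so name the condition it refers to or use a commit permalink. The body of fetchIssuer starts and ends outside the hunk.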