remove check comparing ca.crt field in identity issuer secret and trust anchors in config (#5424)
Currently the CA bundle in the config value `global.IdentityTrustAnchorsPEM` must not contain more than one certificate when the secret type is set to `kubernetes.io/tls`, or the command `linkerd check` will fail. This change removes the comparison between the trust anchors configured in the linkerd config map and the contents of the `ca.crt` field of the identity issuer K8s secret. This is an alternative to MR #5396, which I will close as a result of the discussion with @adleong. Fixes #5292 Signed-off-by: Lutz Behnke <lutz.behnke@finleap.com>
This commit is contained in:
parent
d7557cc236
commit
8d50631727
|
@ -1625,11 +1625,6 @@ func (hc *HealthChecker) checkCertificatesConfig(ctx context.Context) (*tls.Cred
|
|||
data, err = issuercerts.FetchIssuerData(ctx, hc.kubeAPI, values.GetGlobal().IdentityTrustAnchorsPEM, hc.ControlPlaneNamespace)
|
||||
} else {
|
||||
data, err = issuercerts.FetchExternalIssuerData(ctx, hc.kubeAPI, hc.ControlPlaneNamespace)
|
||||
// ensure trust anchors in config matches what's in the secret
|
||||
if data != nil && strings.TrimSpace(values.GetGlobal().IdentityTrustAnchorsPEM) != strings.TrimSpace(data.TrustAnchors) {
|
||||
errFormat := "IdentityContext.TrustAnchorsPem does not match %s in %s"
|
||||
err = fmt.Errorf(errFormat, k8s.IdentityIssuerTrustAnchorsNameExternal, k8s.IdentityIssuerSecretName)
|
||||
}
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
|
|
|
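Review bot: With the equality check gone, nothing in the `else` branch records why `ca.crt` in the issuer secret and `global.IdentityTrustAnchorsPEM` may legitimately differ, nor which of the two the subsequent chain verification must use, so a future maintainer is likely to re-add the comparison or, worse, validate the issuer against the wrong bundle. Proposed comment directly after the `FetchExternalIssuerData` call: `// ca.crt in the issuer secret need not equal the configured trust anchors: the config may hold a multi-certificate bundle (see #5292). The issuer certificate must still chain to global.IdentityTrustAnchorsPEM, since that is what proxies trust.` Because the secret's `ca.crt` is no longer cross-checked against the configmap, any verification further down that uses `data.TrustAnchors` rather than the configmap value would be checking against a bundle proxies never see; I cannot see that code from this hunk, so please confirm it uses the configured anchors. checkCertificatesConfig begins before and ends after this hunk.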
@ -2606,36 +2606,6 @@ func TestLinkerdIdentityCheckCertConfig(t *testing.T) {
|
|||
schemeInConfig: string(corev1.SecretTypeTLS),
|
||||
expectedOutput: []string{"linkerd-identity-test-cat certificate config is valid: key ca.crt containing the trust anchors needs to exist in secret linkerd-identity-issuer if --identity-external-issuer=true"},
|
||||
},
|
||||
{
|
||||
checkDescription: "does not get influenced by newline differences between trust anchors (missing newline in configMap)",
|
||||
tlsSecretScheme: string(corev1.SecretTypeTLS),
|
||||
schemeInConfig: string(corev1.SecretTypeTLS),
|
||||
expectedOutput: []string{"linkerd-identity-test-cat certificate config is valid"},
|
||||
configMapIssuerDataModifier: func(issuerData issuercerts.IssuerCertData) issuercerts.IssuerCertData {
|
||||
issuerData.TrustAnchors = strings.TrimSpace(issuerData.TrustAnchors)
|
||||
return issuerData
|
||||
},
|
||||
},
|
||||
{
|
||||
checkDescription: "does not get influenced by newline differences between trust anchors (extra newline in configMap)",
|
||||
tlsSecretScheme: string(corev1.SecretTypeTLS),
|
||||
schemeInConfig: string(corev1.SecretTypeTLS),
|
||||
expectedOutput: []string{"linkerd-identity-test-cat certificate config is valid"},
|
||||
configMapIssuerDataModifier: func(issuerData issuercerts.IssuerCertData) issuercerts.IssuerCertData {
|
||||
issuerData.TrustAnchors = issuerData.TrustAnchors + "\n"
|
||||
return issuerData
|
||||
},
|
||||
},
|
||||
{
|
||||
checkDescription: "does not get influenced by newline differences between trust anchors (missing newline in secret)",
|
||||
tlsSecretScheme: string(corev1.SecretTypeTLS),
|
||||
schemeInConfig: string(corev1.SecretTypeTLS),
|
||||
expectedOutput: []string{"linkerd-identity-test-cat certificate config is valid"},
|
||||
tlsSecretIssuerDataModifier: func(issuerData issuercerts.IssuerCertData) issuercerts.IssuerCertData {
|
||||
issuerData.TrustAnchors = strings.TrimSpace(issuerData.TrustAnchors)
|
||||
return issuerData
|
||||
},
|
||||
},
|
||||
{
|
||||
checkDescription: "fails when trying to parse trust anchors from secret (extra newline in secret)",
|
||||
tlsSecretScheme: string(corev1.SecretTypeTLS),
|
||||
|
|