linkerd2

Commit Graph

Author	SHA1	Message	Date
Rafael Fernández López	ba14dc3fc7	Health check: check if proxies trust anchors match configuration (#3524 ) * Health check: check if proxies trust anchors match configuration If Linkerd is reinstalled or if the trust anchors are modified while proxies are running on the cluster, they will contain an outdated `LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS` certificate. This changeset adds support for `linkerd check`, so it checks if there is any proxy running on the cluster, and performing the check against the configuration trust anchor. If there's a failure (considered a warning), `linkerd check` will notify the user about what pods are the offenders (and in what namespace each one is), and also a hint to remediate the issue (restarting the pods). * Add integration tests for proxy certificate check Fixes #3344 Signed-off-by: Rafael Fernández López <ereslibre@ereslibre.es>	2019-10-15 11:33:09 -07:00
Oliver Gould	e0ba802f80	proxy-identity: Set a CommonName on CSRs (#2626 ) Some CA's (like AWS) require a CN be set on the CSR. This change modifies proxy-identity to set the identity name as the CSR's CommonName. Fixes #2622	2019-04-03 13:54:50 -07:00
Oliver Gould	790c13b3b2	Introduce the Identity controller implementation (#2521 ) This change introduces a new Identity service implementation for the `io.linkerd.proxy.identity.Identity` gRPC service. The `pkg/identity` contains a core, abstract implementation of the service (generic over both the CA and (Kubernetes) Validator interfaces). `controller/identity` includes a concrete implementation that uses the Kubernetes TokenReview API to validate serviceaccount tokens when issuing certificates. This change does NOT alter installation or runtime to include the identity service. This will be included in a follow-up.	2019-03-19 13:58:45 -07:00

Author

SHA1

Message

Date

Rafael Fernández López

ba14dc3fc7

Health check: check if proxies trust anchors match configuration (#3524 )

* Health check: check if proxies trust anchors match configuration

If Linkerd is reinstalled or if the trust anchors are modified while
proxies are running on the cluster, they will contain an outdated
`LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS` certificate.

This changeset adds support for `linkerd check`, so it checks if there
is any proxy running on the cluster, and performing the check against
the configuration trust anchor. If there's a failure (considered a
warning), `linkerd check` will notify the user about what pods are the
offenders (and in what namespace each one is), and also a hint to
remediate the issue (restarting the pods).

* Add integration tests for proxy certificate check

Fixes #3344

Signed-off-by: Rafael Fernández López <ereslibre@ereslibre.es>

2019-10-15 11:33:09 -07:00

Oliver Gould

e0ba802f80

proxy-identity: Set a CommonName on CSRs (#2626 )

Some CA's (like AWS) require a CN be set on the CSR.

This change modifies proxy-identity to set the identity name as the
CSR's CommonName.

Fixes #2622

2019-04-03 13:54:50 -07:00

Oliver Gould

790c13b3b2

Introduce the Identity controller implementation (#2521 )

This change introduces a new Identity service implementation for the
`io.linkerd.proxy.identity.Identity` gRPC service.

The `pkg/identity` contains a core, abstract implementation of the service
(generic over both the CA and (Kubernetes) Validator interfaces).

`controller/identity` includes a concrete implementation that uses the
Kubernetes TokenReview API to validate serviceaccount tokens when
issuing certificates.

This change does **NOT** alter installation or runtime to include the
identity service. This will be included in a follow-up.

2019-03-19 13:58:45 -07:00

3 Commits