linkerd2

Commit Graph

Author	SHA1	Message	Date
Oliver Gould	790c13b3b2	Introduce the Identity controller implementation (#2521 ) This change introduces a new Identity service implementation for the `io.linkerd.proxy.identity.Identity` gRPC service. The `pkg/identity` contains a core, abstract implementation of the service (generic over both the CA and (Kubernetes) Validator interfaces). `controller/identity` includes a concrete implementation that uses the Kubernetes TokenReview API to validate serviceaccount tokens when issuing certificates. This change does NOT alter installation or runtime to include the identity service. This will be included in a follow-up.	2019-03-19 13:58:45 -07:00
Oliver Gould	2640943c67	pkg/tls: Make it possible to load a CA from disk (#2335 ) In preparation for creating an Identity service that can chain off of an existing CA, it's necessary to both (1) be able to create an intermediate CA that can be used by the identity service and (2) be able to load a CA from existing key material. This changes the public API of the `tls` package to deal in actual key types (rather than opaque blobs) and provides a set of helpers that can be used to convert these credentials between common formats.	2019-02-22 15:13:50 -08:00
Alejandro Pedraza	fe234cade1	Use `ca.NewCA()` for generating certs and keys for the proxy injector (#2163 ) Use `ca.NewCA()` for generating certs and keys for the proxy injector - Remove from CA controller everything that dealt with the webhook/proxy-injector - Remove no longer needed proxy-injector volumes for 'trust-anchors' and 'webhook-secrets' - Remove from the proxy-injector the retrieval of the trust anchor and secrets - tls flag during install is no longer needed for auto-inject to work Fixes #2095 and fixes #2166 Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>	2019-01-30 16:04:33 -05:00

Author

SHA1

Message

Date

Oliver Gould

790c13b3b2

Introduce the Identity controller implementation (#2521 )

This change introduces a new Identity service implementation for the
`io.linkerd.proxy.identity.Identity` gRPC service.

The `pkg/identity` contains a core, abstract implementation of the service
(generic over both the CA and (Kubernetes) Validator interfaces).

`controller/identity` includes a concrete implementation that uses the
Kubernetes TokenReview API to validate serviceaccount tokens when
issuing certificates.

This change does **NOT** alter installation or runtime to include the
identity service. This will be included in a follow-up.

2019-03-19 13:58:45 -07:00

Oliver Gould

2640943c67

pkg/tls: Make it possible to load a CA from disk (#2335 )

In preparation for creating an Identity service that can chain off of an
existing CA, it's necessary to both (1) be able to create an
intermediate CA that can be used by the identity service and (2) be able
to load a CA from existing key material.

This changes the public API of the `tls` package to deal in actual key
types (rather than opaque blobs) and provides a set of helpers that can
be used to convert these credentials between common formats.

2019-02-22 15:13:50 -08:00

Alejandro Pedraza

fe234cade1

Use `ca.NewCA()` for generating certs and keys for the proxy injector (#2163 )

Use `ca.NewCA()` for generating certs and keys for the proxy injector

- Remove from CA controller everything that dealt with the
webhook/proxy-injector
- Remove no longer needed proxy-injector volumes for 'trust-anchors' and
'webhook-secrets'
- Remove from the proxy-injector the retrieval of the trust anchor and
secrets
- tls flag during install is no longer needed for auto-inject to work

Fixes #2095 and fixes #2166

Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>

2019-01-30 16:04:33 -05:00

3 Commits