linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,684 Commits 203 Branches 415 Tags 122 MiB
Commit Graph

5 Commits

Author SHA1 Message Date
Rafael Fernández López ba14dc3fc7 Health check: check if proxies trust anchors match configuration (#3524) 
* Health check: check if proxies trust anchors match configuration

If Linkerd is reinstalled or if the trust anchors are modified while
proxies are running on the cluster, they will contain an outdated
`LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS` certificate.

This changeset adds support for `linkerd check`, so it checks if there
is any proxy running on the cluster, and performing the check against
the configuration trust anchor. If there's a failure (considered a
warning), `linkerd check` will notify the user about what pods are the
offenders (and in what namespace each one is), and also a hint to
remediate the issue (restarting the pods).

* Add integration tests for proxy certificate check

Fixes #3344

Signed-off-by: Rafael Fernández López <ereslibre@ereslibre.es>
 2019-10-15 11:33:09 -07:00
Andrew Seigner d773a47dd3
Shrink controller Docker image from 315MB to 38MB (#3378) 
The controller Docker image included 7 Go binaries (destination,
heartbeat, identity, proxy-injector, public-api, sp-validator, tap),
each roughly 35MB, with similar dependencies.

Change each controller binary into subcommands of a single `controller`
binary, decreasing the controller Docker image size from 315MB to 38MB.

Signed-off-by: Andrew Seigner <siggy@buoyant.io>
 2019-09-05 11:44:03 -07:00
Oliver Gould e0ba802f80
proxy-identity: Set a CommonName on CSRs (#2626) 
Some CA's (like AWS) require a CN be set on the CSR.

This change modifies proxy-identity to set the identity name as the
CSR's CommonName.

Fixes #2622
 2019-04-03 13:54:50 -07:00
Oliver Gould da0330743f
Provide peer Identities via the Destination API (#2537) 
This change reintroduces identity hinting to the destination service.
The Get endpoint includes identities for pods that are injected with an
identity-mode of "default" and have the same linkerd control plane.

A `serviceaccount` label is now also added to destination response
metadata so that it's accessible in prometheus and tap.
 2019-03-22 09:19:14 -07:00
Oliver Gould 34ea302a32
inject: Configure proxies to enable Identity (#2536) 
This change adds a new `linkerd2-proxy-identity` binary to the `proxy`
container image as well as a `linkerd2-proxy-run` entrypoint script.

The inject process now sets environment variables on pods to support
identity, including identity names for the destination and identity
services.

As the proxy starts, the identity helper creates a key and CSR in a
tmpfs. As the proxy starts, it reads these files, as well as a
serviceaccount token, and provisions a certificate from controller.
The proxy's /ready endpoint will not succeed until a certificate has
been provisioned.

The proxy will not participate in identity with services other than the
controllers until the Destination controller is modified to provide
identities via discovery.
 2019-03-21 18:39:05 -07:00