mirror of https://github.com/linkerd/linkerd2.git
* Enable cert rotation test to work with dynamic namespaces

This PR adds support for dynamic cert generation when running the cert rotation integration tests. This allows us to avoid baking the namespace into the certificate CN, thereby allowing us to run these tests on the clouds.

The tests in #3775 were failing because the second secret holding the issuer cert replacement was a leaf cert and not a root/intermediary cert capable of signing the CSRs. This is what the replacement cert looked like:

```bash
$ k -n l5d-integration-external-issuer get secrets linkerd-identity-issuer-new -ojson | jq '.data|.["tls.crt"]' | tr -d '"' | base64 -d | step certificate inspect -
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: ECDSA-SHA256
        Issuer: CN=identity.l5d-integration-external-issuer.cluster.local
        Validity
            Not Before: Dec 6 19:16:08 2019 UTC
            Not After : Dec 5 19:16:28 2020 UTC
        Subject: CN=identity.l5d-integration-external-issuer.cluster.local
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    93:d5:fa:f8:d1:44:4f:9a:8c:aa:0c:9e:4f:98:a3:
                    8d:28:d9:cc:f2:74:4c:5f:76:14:52:47:b9:fb:c9:
                    a3:33
                Y:
                    d2:04:74:95:2e:b4:78:28:94:8a:90:b2:fb:66:1b:
                    e7:60:e5:02:48:d2:02:0e:4d:9e:4f:6f:e9:0a:d9:
                    22:78
                Curve: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:identity.l5d-integration-external-issuer.cluster.local
    Signature Algorithm: ECDSA-SHA256
         30:46:02:21:00:f6:93:2f:10:ba:eb:be:bf:77:1a:2d:68:e6:
         04:17:a4:b4:2a:05:80:f7:c5:f7:37:82:7b:b7:9c:a1:66:6a:
         e1:02:21:00:b3:65:06:37:49:06:1e:13:98:7c:cf:f9:71:ce:
         5a:55:de:f6:1b:83:85:b0:a8:88:b7:cf:21:d1:16:f2:10:f9
```

For it to be a root/intermediate cert it should have had `CA:TRUE` under the `X509v3 extensions` section.

Why did the test pass sometimes?

When it did pass for me, I could see in the linkerd-identity proxy logs something like:

```
ERR! [ 320.964592s] linkerd2_proxy_identity::certify Received invalid ceritficate: invalid certificate: UnknownIssuer
```

so the cert retrieved from identity was still invalid, but for some reason the proxy sometimes keeps on going despite that. And when one would delete the linkerd-identity pod, its proxy wouldn't come up at all, also showing that error. With the changes from this branch, we no longer see that error in the logs, and after deleting the linkerd-identity pod it comes back gracefully.
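As an added example (not code from the linkerd2 project or from this PR), the precondition an operator or a test harness can check before rotating a replacement issuer secret in: the certificate must carry basicConstraints `CA:TRUE` and the `keyCertSign` key usage, which is exactly what the replacement cert above lacked. `CheckIssuerCert` and `SelfSigned` are assumed names, and the namespace strings in the fixture are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckIssuerCert reports whether a PEM certificate can sign identity CSRs: it
// needs basicConstraints CA:TRUE plus keyCertSign. The cert in the commit message had neither.
func CheckIssuerCert(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return fmt.Errorf("%s: CA:TRUE missing, a leaf cannot act as issuer", cert.Subject.CommonName)
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return fmt.Errorf("%s: keyUsage lacks keyCertSign", cert.Subject.CommonName)
	}
	return nil
}

// SelfSigned is a constructed fixture: a self-signed cert with the test's CN pattern, as CA or as leaf.
func SelfSigned(namespace string, isCA bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture only: errors ignored
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "identity." + namespace + ".cluster.local"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // what the leaf had
		IsCA:         isCA, BasicConstraintsValid: isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```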