4c634a3816
* Have webhooks refresh their certs automatically Fixes partially #5272 In 2.9 we introduced the ability for providing the certs for `proxy-injector` and `sp-validator` through some external means like cert-manager, through the new helm setting `externalSecret`. We forgot however to have those services watch changes in their secrets, so whenever they were rotated they would fail with a cert error, with the only workaround being to restart those pods to pick the new secrets. This addresses that by first abstracting out `FsCredsWatcher` from the identity controller, which now lives under `pkg/tls`. The webhook's logic in `launcher.go` no longer reads the certs before starting the https server, moving that instead into `server.go` which in a similar way as identity will receive events from `FsCredsWatcher` and update `Server.cert`. We're leveraging `http.Server.TLSConfig.GetCertificate` which allows us to provide a function that will return the current cert for every incoming request. ### How to test ```bash # Create some root cert $ step certificate create linkerd-proxy-injector.linkerd.svc ca.crt ca.key \ --profile root-ca --no-password --insecure --san linkerd-proxy-injector.linkerd.svc # configure injector's caBundle to be that root cert $ cat > linkerd-overrides.yaml << EOF proxyInjector: externalSecret: true caBundle: | < ca.crt contents> EOF # Install linkerd. The injector won't start untill we create the secret below $ bin/linkerd install --controller-log-level debug --config linkerd-overrides.yaml | k apply -f - # Generate an intermediatery cert with short lifespan step certificate create linkerd-proxy-injector.linkerd.svc ca-int.crt ca-int.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 4m --no-password --insecure --san linkerd-proxy-injector.linkerd.svc # Create the secret using that intermediate cert $ kubectl create secret tls \ linkerd-proxy-injector-k8s-tls \ --cert=ca-int.crt \ --key=ca-int.key \ --namespace=linkerd # start following the injector log $ k -n linkerd logs -f -l linkerd.io/control-plane-component=proxy-injector -c proxy-injector # Inject emojivoto. The pods should be injected normally $ bin/linkerd inject https://run.linkerd.io/emojivoto.yml | kubectl apply -f - # Wait about 5 minutes and delete a pod $ k -n emojivoto delete po -l app=emoji-svc # You'll see it won't be injected, and something like "remote error: tls: bad certificate" will appear in the injector logs. # Regenerate the intermediate cert $ step certificate create linkerd-proxy-injector.linkerd.svc ca-int.crt ca-int.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 4m --no-password --insecure --san linkerd-proxy-injector.linkerd.svc # Delete the secret and recreate it $ k -n linkerd delete secret linkerd-proxy-injector-k8s-tls $ kubectl create secret tls \ linkerd-proxy-injector-k8s-tls \ --cert=ca-int.crt \ --key=ca-int.key \ --namespace=linkerd # Wait a couple of minutes and you'll see some filesystem events in the injector log along with a "Certificate has been updated" entry # Then delete the pod again and you'll see it gets injected this time $ k -n emojivoto delete po -l app=emoji-svc ``` |
||
|---|---|---|
| .github | ||
| bin | ||
| charts | ||
| cli | ||
| cni-plugin | ||
| controller | ||
| grafana | ||
| jaeger | ||
| pkg | ||
| proto | ||
| proxy-identity | ||
| test | ||
| testutil | ||
| web | ||
| .dockerignore | ||
| .editorconfig | ||
| .gcp.json.enc | ||
| .gitattributes | ||
| .gitignore | ||
| .golangci.yml | ||
| .helmdocsignore | ||
| .markdownlint.yaml | ||
| .proxy-version | ||
| ADOPTERS.md | ||
| BUILD.md | ||
| CHANGES.md | ||
| CODE_OF_CONDUCT.md | ||
| CONTRIBUTING.md | ||
| DCO | ||
| Dockerfile-debug | ||
| Dockerfile-proxy | ||
| GOVERNANCE.md | ||
| LICENSE | ||
| MAINTAINERS.md | ||
| README.md | ||
| SECURITY.md | ||
| SECURITY_AUDIT.pdf | ||
| TEST.md | ||
| go.mod | ||
| go.sum | ||
| tools.go | ||
README.md
Linkerd
🎈 Welcome to Linkerd! 👋
Linkerd is an ultralight, security-first service mesh for Kubernetes. Linkerd adds critical security, observability, and reliability features to your Kubernetes stack with no code change required.
Linkerd is a Cloud Native Computing Foundation (CNCF) project.
Repo layout
This is the primary repo for the Linkerd 2.x line of development.
The complete list of Linkerd repos is:
- linkerd2: Main Linkerd 2.x repo, including control plane and CLI
- linkerd2-proxy: Linkerd 2.x data plane proxy
- linkerd2-proxy-api: Linkerd 2.x gRPC API bindings
- linkerd: Linkerd 1.x
- website: linkerd.io website (including docs for 1.x and 2.x)
Quickstart and documentation
You can run Linkerd on any modern Kubernetes cluster in a matter of seconds. See the Linkerd Getting Started Guide for how.
For more comprehensive documentation, start with the Linkerd docs. (The doc source code is available in the website repo.)
Working in this repo
BUILD.md includes general information on how to work in this repo.
We ❤️ pull requests! See CONTRIBUTING.md for info on
contributing changes.
Get involved
- Join Linkerd's user mailing list, developer mailing list, and announcements mailing list.
- Follow @Linkerd on Twitter.
- Join the Linkerd Slack.
- Join us in the regular online community meetings!
Community meetings
We host regular online meetings for contributors, adopters, maintainers, and anyone else interested to connect in a synchronous fashion. These meetings usually take place the last Wednesday of the month at 9am Pacific / 4pm UTC.
We're a friendly group, so please feel free to join us!
Code of Conduct
This project is for everyone. We ask that our users and contributors take a few minutes to review our Code of Conduct.
Security
Security Audit
A third party security audit was performed by Cure53. You can see the full report here.
License
Copyright 2020 the Linkerd Authors. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use these files except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.