Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
Alejandro Pedraza 578d4a19e9
Have the tap APIServer refresh its cert automatically (#5388)
Followup to #5282, fixes #5272 in its totality.

This follows the same pattern as the injector/sp-validator webhooks, leveraging `FsCredsWatcher` to watch for changes in the cert files.

To reuse code from the webhooks, we moved `updateCert()` to `creds_watcher.go`, and `run()` as well (which now is called `ProcessEvents()`).

The `TestNewAPIServer` test in `apiserver_test.go` was removed as it really was just testing two things: (1) that `apiServerAuth` doesn't error which is already covered in the following test, and (2) that the golib call `net.Listen("tcp", addr)` doesn't error, which we're not interested in testing here.

## How to test

To test that the injector/sp-validator functionality is still correct, you can refer to #5282

The steps below are similar, but focused towards the tap component:

```bash
# Create some root cert
$ step certificate create linkerd-tap.linkerd.svc ca.crt ca.key --profile root-ca --no-password --insecure

# Configure tap's caBundle to be that root cert
$ cat > linkerd-overrides.yml << EOF
tap:
  externalSecret: true
  caBundle: |
    < ca.crt contents>
EOF

# Install linkerd
$ bin/linkerd install --config linkerd-overrides.yml | kubectl apply -f -

# Generate an intermediary cert with a short lifespan
$ step certificate create linkerd-tap.linkerd.svc ca-int.crt ca-int.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 4m --no-password --insecure --san linkerd-tap.linkerd.svc

# Create the secret using that intermediate cert
$ kubectl create secret tls \
    linkerd-tap-k8s-tls \
    --cert=ca-int.crt \
    --key=ca-int.key \
    --namespace=linkerd

# Roll out the tap pod so it picks up the new secret
$ kubectl -n linkerd rollout restart deploy/linkerd-tap

# Tap should work
$ bin/linkerd tap -n linkerd deploy/linkerd-web
req id=0:0 proxy=in  src=10.42.0.15:33040 dst=10.42.0.11:9994 tls=true :method=GET :authority=10.42.0.11:9994 :path=/metrics
rsp id=0:0 proxy=in  src=10.42.0.15:33040 dst=10.42.0.11:9994 tls=true :status=200 latency=1779µs
end id=0:0 proxy=in  src=10.42.0.15:33040 dst=10.42.0.11:9994 tls=true duration=65µs response-length=1709B

# Wait 5 minutes and roll out tap again
$ kubectl -n linkerd rollout restart deploy/linkerd-tap

# You'll see in the logs that the cert expired:
$ kubectl -n linkerd logs -f deploy/linkerd-tap tap
2020/12/15 16:03:41 http: TLS handshake error from 127.0.0.1:45866: remote error: tls: bad certificate
2020/12/15 16:03:41 http: TLS handshake error from 127.0.0.1:45870: remote error: tls: bad certificate

# Recreate the secret
$ step certificate create linkerd-tap.linkerd.svc ca-int.crt ca-int.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 4m --no-password --insecure --san linkerd-tap.linkerd.svc
$ kubectl -n linkerd delete secret linkerd-tap-k8s-tls
$ kubectl create secret tls \
    linkerd-tap-k8s-tls \
    --cert=ca-int.crt \
    --key=ca-int.key \
    --namespace=linkerd

# Wait a few moments and you'll see the certs were reloaded and tap is working again
time="2020-12-15T16:03:42Z" level=info msg="Updated certificate" addr=":8089" component=apiserver
```
2020-12-16 17:46:14 -05:00
| Path | Last commit | Date |
|---|---|---|
| .github | Build jaeger-webhook in release CI (#5381) | 2020-12-14 11:42:51 -05:00 |
| bin | Stop publishing the linkerd2-multicluster-link chart (#5365) | 2020-12-11 08:55:50 -05:00 |
| charts | upgrades: make webhooks restart if TLS creds are updated (#5349) | 2020-12-10 11:56:53 -05:00 |
| cli | jaeger: add check sub command (#5295) | 2020-12-17 00:26:34 +05:30 |
| cni-plugin | Updated debian image tags (#5249) | 2020-11-18 10:51:15 -05:00 |
| controller | Have the tap APIServer refresh its cert automatically (#5388) | 2020-12-16 17:46:14 -05:00 |
| grafana | Fixed multicluster Grafana chart (#5114) | 2020-10-21 10:06:37 -05:00 |
| jaeger | jaeger: add check sub command (#5295) | 2020-12-17 00:26:34 +05:30 |
| multicluster | Don't swallow error when MC gateway hostname can't be resolved (#5362) | 2020-12-11 09:58:44 -05:00 |
| pkg | Have the tap APIServer refresh its cert automatically (#5388) | 2020-12-16 17:46:14 -05:00 |
| proto | Remove dependency of linkerd-config for control plane components (#4915) | 2020-10-06 22:19:18 +05:30 |
| proxy-identity | Print identity in destination client and fix proxy-identity log line (#4873) | 2020-08-13 13:49:55 -07:00 |
| test | Use linkerd-jaeger extension for control plane tracing (#5299) | 2020-12-08 14:34:26 -08:00 |
| testutil | Use linkerd-jaeger extension for control plane tracing (#5299) | 2020-12-08 14:34:26 -08:00 |
| web | build(deps): bump ini from 1.3.5 to 1.3.7 in /web/app (#5370) | 2020-12-14 09:39:30 -05:00 |
| .dockerignore | Migrate CI to docker buildx and other improvements (#4765) | 2020-07-22 14:27:45 -05:00 |
| .editorconfig | Spelling (#4872) | 2020-08-12 21:59:50 -07:00 |
| .gcp.json.enc | Add docker builds and integration tests to CI (#1303) | 2018-07-11 14:01:42 -07:00 |
| .gitattributes | remove the duplicate word (#3385) | 2019-09-04 20:13:55 -07:00 |
| .gitignore | tracing: new jaeger independent helm chart (#5275) | 2020-11-24 09:45:16 -08:00 |
| .golangci.yml | Upgrade golangci-lint to v1.23.8 (#4181) | 2020-03-18 09:13:19 -05:00 |
| .helmdocsignore | Add automatic readme generation for charts (#5316) | 2020-12-02 14:37:45 -05:00 |
| .markdownlint.yaml | Lint all markdown files in CI (#4402) | 2020-05-19 23:03:50 -07:00 |
| .proxy-version | proxy: v2.125.0 (#5392) | 2020-12-15 14:35:52 -08:00 |
| ADOPTERS.md | Added Altinn (#5390) | 2020-12-15 14:50:44 -08:00 |
| BUILD.md | Add automatic readme generation for charts (#5316) | 2020-12-02 14:37:45 -05:00 |
| CHANGES.md | Add changes for edge-20.12.3 (#5383) | 2020-12-14 13:29:40 -05:00 |
| CODE_OF_CONDUCT.md | Lint all markdown files (#4403) | 2020-05-19 09:59:26 -07:00 |
| CONTRIBUTING.md | Update CI and docs to reference `main` branch (#4662) | 2020-06-24 12:39:22 -07:00 |
| DCO | Add contributing doc and DCO file (#88) | 2017-12-22 14:54:27 -08:00 |
| Dockerfile-debug | Updated debian image tags (#5249) | 2020-11-18 10:51:15 -05:00 |
| Dockerfile-proxy | Updated debian image tags (#5249) | 2020-11-18 10:51:15 -05:00 |
| GOVERNANCE.md | Lint all markdown files (#4403) | 2020-05-19 09:59:26 -07:00 |
| LICENSE | Introducing Conduit, the ultralight service mesh | 2017-12-05 00:24:55 +00:00 |
| MAINTAINERS.md | Lint all markdown files (#4403) | 2020-05-19 09:59:26 -07:00 |
| README.md | Spelling (#4872) | 2020-08-12 21:59:50 -07:00 |
| SECURITY.md | Spelling (#4872) | 2020-08-12 21:59:50 -07:00 |
| SECURITY_AUDIT.pdf | Add security audit (#3008) | 2019-06-28 16:04:41 -07:00 |
| TEST.md | Consolidate integration tests under k3d (#5245) | 2020-11-18 14:33:16 -05:00 |
| go.mod | Bump proxy-init to v1.3.8 (#5283) | 2020-11-27 09:07:34 -05:00 |
| go.sum | jaeger: Add support for override flags (#5304) | 2020-12-04 16:35:39 -08:00 |
| tools.go | Upgrade to client-go 0.17.4 and smi-sdk-go 0.3.0 (#4221) | 2020-04-01 10:07:23 -07:00 |

README.md

# Linkerd

🎈 Welcome to Linkerd! 👋

Linkerd is an ultralight, security-first service mesh for Kubernetes. Linkerd adds critical security, observability, and reliability features to your Kubernetes stack with no code change required.

Linkerd is a Cloud Native Computing Foundation (CNCF) project.

## Repo layout

This is the primary repo for the Linkerd 2.x line of development.

The complete list of Linkerd repos is:

## Quickstart and documentation

You can run Linkerd on any modern Kubernetes cluster in a matter of seconds. See the Linkerd Getting Started Guide for how.

For more comprehensive documentation, start with the Linkerd docs. (The doc source code is available in the website repo.)

## Working in this repo

BUILD.md includes general information on how to work in this repo.

We ❤️ pull requests! See CONTRIBUTING.md for info on contributing changes.

## Get involved

### Community meetings

We host regular online meetings for contributors, adopters, maintainers, and anyone else interested to connect in a synchronous fashion. These meetings usually take place the last Wednesday of the month at 9am Pacific / 4pm UTC.

We're a friendly group, so please feel free to join us!

### Code of Conduct

This project is for everyone. We ask that our users and contributors take a few minutes to review our Code of Conduct.

## Security

### Security Audit

A third party security audit was performed by Cure53. You can see the full report here.

## License

Copyright 2020 the Linkerd Authors. All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use these files except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.