linkerd / linkerd2

Ultralight, security-first service mesh for Kubernetes. Main repo for Linkerd 2.x.
https://linkerd.io
Apache License 2.0
10.62k stars 1.27k forks

Update documentation to use trust manager #11660

Closed drewwells closed 6 months ago

drewwells commented 10 months ago

What problem are you trying to solve?

As depicted in the discussion here https://github.com/linkerd/linkerd2/issues/7345, linkerd does not really work with cert-manager today. I'm puzzled why the issue is even locked when it has not been integrated into the documentation.

How should the problem be solved?

Update documentation to use trust bundle approach detailed in the issue.

Any alternatives you've considered?

For multicluster, I can't really use another approach. I need to be able to manage and rotate certificates automatically.

How would users interact with this feature?

Well, they can spend a long time puzzling through linkerd errors until they find this one comment in a locked issue.

Would you like to work on this feature?

maybe

kflynn commented 10 months ago

I think that #7345 is locked because using a Secret won't really work – we need to be able to have a bundle of multiple trust anchor public keys to make rotation work correctly. I'll tweak the docs, though.
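The rotation point above can be shown in code. The following Go program is an added example, not code from this thread or from the Linkerd project: it builds two self-signed CAs as stand-ins for the old and new trust anchors, issues a workload certificate under each, and checks which ones verify against a single-anchor bundle versus a bundle containing both anchors (the PEM shape a trust-manager `Bundle` writes into a ConfigMap). The identity DNS name, subject names and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed CA. Constructed for this example: a stand-in for
// a Linkerd trust anchor held by cert-manager (old or new generation).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf signs a server certificate for dns with the given CA, standing in
// for a workload identity certificate issued under that anchor.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dns string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dns},
		DNSNames:     []string{dns},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// bundlePEM concatenates CA certificates into one PEM trust bundle, the same
// shape a trust-manager Bundle writes into a ConfigMap key.
func bundlePEM(cas ...*x509.Certificate) []byte {
	var out []byte
	for _, ca := range cas {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})...)
	}
	return out
}

// verifiesAgainst reports whether leaf chains to any anchor in the PEM bundle.
func verifiesAgainst(leaf *x509.Certificate, bundle []byte, dns string) bool {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return false
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dns})
	return err == nil
}

// RotationDemo walks through an anchor rotation and returns, in order: whether a
// leaf from the new anchor verifies against a bundle holding only the old anchor,
// whether it verifies against the two-anchor bundle, and whether a leaf from the
// old anchor still verifies against that same two-anchor bundle.
func RotationDemo() (newLeafOldOnly, newLeafBoth, oldLeafBoth bool) {
	// Constructed identity name in Linkerd's usual format; not taken from the thread.
	const dns = "web.default.serviceaccount.identity.linkerd.cluster.local"
	caOld, keyOld := newCA("root.linkerd.cluster.local")
	caNew, keyNew := newCA("root.linkerd.cluster.local")

	leafOld := issueLeaf(caOld, keyOld, dns)
	leafNew := issueLeaf(caNew, keyNew, dns)

	oldOnly := bundlePEM(caOld)     // single-anchor Secret: peers on the new anchor are rejected
	both := bundlePEM(caOld, caNew) // overlap bundle: both generations are trusted

	newLeafOldOnly = verifiesAgainst(leafNew, oldOnly, dns)
	newLeafBoth = verifiesAgainst(leafNew, both, dns)
	oldLeafBoth = verifiesAgainst(leafOld, both, dns)
	return
}

func main() {
	a, b, c := RotationDemo()
	fmt.Printf("new leaf vs old-only bundle: %v\nnew leaf vs two-anchor bundle: %v\nold leaf vs two-anchor bundle: %v\n", a, b, c)
}
```

With a single-anchor bundle, any workload that has already received a certificate from the new anchor cannot be verified by peers still holding only the old one; distributing both anchors during the overlap period is what lets old and new identities coexist until the old anchor is retired.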

drewwells commented 10 months ago

Would be nice if the docs considered multicluster. A self-signed issuer won't work when you need the same trust anchor on two clusters. I notice some docs provision with step while others skip this with a selfSigned cert-manager issuer.

kflynn commented 10 months ago

One big challenge we run into here is that if you want to use cert-manager with multicluster, you must use an external certificate store, but there's no "standard" external certificate store. Nor is there a CNCF store we can use (unless one's cropped up that I haven't seen yet!).

We can obviously document it as "we assume that you have a ClusterIssuer set up for this", but I'm open to suggestions here.

drewwells commented 10 months ago

Yeah, I get that trouble. I think it's okay to verify if the CA is in a ConfigMap that is used. It's assumed the user did the hard work of setting up cert-manager.

stale[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.