Linkerd-Vis helm chart #6850

Closed
danieloateslee opened this issue Sep 9, 2021 · 1 comment

@danieloateslee

Bug Report

The linkerd-viz Helm deployment guide is not correct.

What is the issue?

The helm command is missing the CA cert requirement.

How can it be reproduced?

Yes ... if you deploy linkerd-viz using the helm chart, the TAP, WEB, and Metric pods fail to start. If you then add the CA used to install linkerd, the pods start up correctly.

We identified the issue with the missing CA after deploying linkerd-viz with helm, then running linkerd viz install > output.yml, and then running a kubectl diff between the running config and output.yml.

We identified that it was replacing the CA cert.

Logs, error output, etc

None; the pods fail to start.

Environment

  • Kubernetes Version: 1.19.11
  • Cluster Environment: (GKE, AKS, kops, ...) non-cloud - Kubernetes with Calico
  • Host OS: RHEL8.3
  • Linkerd version: stable-2.10.2

Possible solution

Add the CA crt when deploying using helm.

Additional context

danieloateslee added a commit to danieloateslee/linkerd2 that referenced this issue Sep 9, 2021
@olix0r
Member

olix0r commented Sep 9, 2021

Thanks for the PR, @danieloateslee.

I don't fully understand the problem you're seeing, though. Specifically, linkerd-viz doesn't actually use the identityTrustAnchorsPEM variable anywhere in its template:

:; grep -Rc identityTrustAnchorsPEM viz/charts
viz/charts/linkerd-viz/values-ha.yaml:0
viz/charts/linkerd-viz/.helmignore:0
viz/charts/linkerd-viz/templates/service-profiles.yaml:0
viz/charts/linkerd-viz/templates/tap-injector.yaml:0
viz/charts/linkerd-viz/templates/web-rbac.yaml:0
viz/charts/linkerd-viz/templates/psp.yaml:0
viz/charts/linkerd-viz/templates/namespace.yaml:0
viz/charts/linkerd-viz/templates/grafana.yaml:0
viz/charts/linkerd-viz/templates/prometheus-rbac.yaml:0
viz/charts/linkerd-viz/templates/grafana-rbac.yaml:0
viz/charts/linkerd-viz/templates/tap-injector-rbac.yaml:0
viz/charts/linkerd-viz/templates/NOTES.txt:0
viz/charts/linkerd-viz/templates/tap-rbac.yaml:0
viz/charts/linkerd-viz/templates/metrics-api-rbac.yaml:0
viz/charts/linkerd-viz/templates/web.yaml:0
viz/charts/linkerd-viz/templates/prometheus.yaml:0
viz/charts/linkerd-viz/templates/metrics-api.yaml:0
viz/charts/linkerd-viz/templates/tap.yaml:0
viz/charts/linkerd-viz/README.md:0
viz/charts/linkerd-viz/requirements.yaml:0
viz/charts/linkerd-viz/requirements.lock:0
viz/charts/linkerd-viz/README.md.gotmpl:0
viz/charts/linkerd-viz/values.yaml:0
viz/charts/linkerd-viz/Chart.yaml:0
viz/charts/linkerd-viz/charts/partials-0.1.0.tgz:0

The trust anchors are provided to the viz components via the proxy-injector webhook.

Can you share more details about the problem you saw?

> We identified the issue with the missing CA after deploying linkerd-viz with helm, then running linkerd viz install > output.yml, and then running a kubectl diff between the running config and output.yml.
>
> We identified that it was replacing the CA cert.

The viz install does include some TLS credentials and CA bundles, but these are for webhooks and unrelated to the identity trust anchors.

@adleong adleong closed this as completed Oct 29, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 29, 2021