-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support loading identity trust roots from a Secret #7345
Comments
Hey @bdun1013, thanks for raising this! Is there a specific reason why a To integrate with cert-manager, did you follow the steps from our documentation? If you create the cert-manager If you follow the documentation steps, Linkerd will pull in the CA from the secret created by cert-manager and use it to create the |
Hey @mateiidavid, thanks for the reply. I have been following those steps in the documentation, but with one small tweak. I am using
So I would like to use the With helm, my current options are to:
So I would just like to make helm chart changes to pull the I will throw up a draft PR to help visualize my recommended changes |
… of a ConfigMap (linkerd#7345) Currently, the only way to configure an existing CA is to have an existing ConfigMap or pass in the ca data during installation. For those using cert-manager to generate or retrieve the CA, the ca data will be stored in a Secret. Adding a boolean installation value (identity.externalCAFromSecret for helm and --identity-external-ca-from-secret for the CLI) allows using an existing Secret as an alternative to an existing ConfigMap Signed-off-by: Brian Dunnigan <bdun1013dev@gmail.com>
… of a ConfigMap (linkerd#7345) Currently, the only way to configure an existing CA is to have an existing ConfigMap or pass in the ca data during installation. For those using cert-manager to generate or retrieve the CA, the ca data will be stored in a Secret. Adding a boolean installation value (identity.externalCAFromSecret for helm and --identity-external-ca-from-secret for the CLI) allows using an existing Secret as an alternative to an existing ConfigMap Signed-off-by: Brian Dunnigan <bdun1013dev@gmail.com>
… of a ConfigMap (linkerd#7345) Currently, the only way to configure an existing CA is to have an existing ConfigMap or pass in the ca data during installation. For those using cert-manager to generate or retrieve the CA, the ca data will be stored in a Secret. Adding a boolean installation value (identity.externalCAFromSecret for helm and --identity-external-ca-from-secret for the CLI) allows using an existing Secret as an alternative to an existing ConfigMap Signed-off-by: Brian Dunnigan <bdun1013dev@gmail.com>
@bdun1013 thanks for submitting the PR and being so proactive in fixing this :) This particular painpoint has been felt by Linkerd users for some time. For example, #3843 was opened in 2019 to address this issue specifically. We have made changes to the way we manage identity since then (e.g added support to read trust roots from configmaps). We are very simpathetic and understand this makes it harder for people to integrate Linkerd with cert-manager (or other similar solutions). However, the solution is not very feasible for us, mostly because of security implications. The Secret itself holds the entire keypair of the CA; aside from the public key/certificate, it also holds the private key. Pods other than the identity controller in Linkerd (which is responsible for signing key requests and distributing certificates) will have access to the Secret and consequently the private key. This same exact reason was also quoted in #3843. There are also some more implementation details that we'd have to cover if we were to read the trust roots from a Secret. With that being said, we'd ideally people to be able to automate all of this. We were tracking the following issue cert-manager#3949 which addresses the same issue we have: separating the keys from the certificate itself. There hasn't been much progress there, but I have looked at the suggestion from one of the cert-manager maintainers to use trust to distribute trust bundles across namespaces in
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: linkerd-self-signed-issuer
namespace: cert-manager
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-trust-anchor
namespace: cert-manager
spec:
isCA: true
commonName: root.linkerd.cluster.local
secretName: linkerd-identity-trust-roots
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: linkerd-self-signed-issuer
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: linkerd-trust-anchor
namespace: cert-manager
spec:
ca:
secretName: linkerd-identity-trust-roots
apiVersion: v1
kind: Namespace
metadata:
name: linkerd
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-identity-issuer
namespace: linkerd
spec:
secretName: linkerd-identity-issuer
duration: 48h
renewBefore: 25h
issuerRef:
name: linkerd-trust-anchor
kind: ClusterIssuer
commonName: identity.linkerd.cluster.local
dnsNames:
- identity.linkerd.cluster.local
isCA: true
privateKey:
algorithm: ECDSA
usages:
- cert sign
- crl sign
- server auth
- client auth
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
name: linkerd-identity-trust-roots
spec:
sources:
- secret:
name: "linkerd-identity-trust-roots"
key: "ca.crt"
target:
configMap:
key: "ca-bundle.crt"
Here's how everything looks at the end:
It's probably not the easiest way to do it, but it helps us with our security concerns and allows you to use your self-signed CA without having to manually pull it out of the secret. Hope this makes sense? |
@mateiidavid Thank you so much for playing around with this! It makes perfect sense that we don't want to give Pods access to a Secret containing the private key material. I wasn't aware of cert-manager/trust, but it looks great and worked for me. I will close this issue and the associate PR. |
Feature Request
What problem are you trying to solve?
I am using
cert-manager
to create the CACertificate
and correspondingSecret
for the identity component. The trust bundle is available in theca.crt
field of theSecret
. I would like to pull the bundle from thisSecret
instead of creating aConfigMap
to hold the same data.How should the problem be solved?
I would recommend adding a
.Values.identity.externalCAFromSecret
which defaults tofalse
. When both.Values.identity.externalCA
and.Values.identity.externalCAFromSecret
is set to true, theca-bundle.crt
will be pulled from theca.crt
field on thelinkerd-identity-trust-roots
Secret
that will be managed bycert-manager
What do you want to happen? Add any considered drawbacks.
This would add more flexibility to the deployment.
Any alternatives you've considered?
Is there another way to solve this problem that isn't as good a solution?
I could create a ConfigMap with the ca bundle, but this makes automation more difficult.
How would users interact with this feature?
If you can, explain how users will be able to use this. Maybe some sample CLI
output?
$ helm repo add linkerd https://helm.linkerd.io/stable
$ helm template linkerd/linkerd2 --set identity.externalCA=true --set identity.externalCAFromSecret=true --set identity.issuer.scheme=kubernetes.io/tls
This should not create the
linkerd-identity-trust-roots
ConfigMapAll references to the CA data should use the
ca.crt
key in the existinglinkerd-identity-trust-roots
SecretThe text was updated successfully, but these errors were encountered: