2

I am installing linkerd helm verison with flux and cert mananger for tls rotation

cert manager holds default config so there isnt much to talk there

flux and linkerd with this config:

release.yaml

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: linkerd
  namespace: linkerd
  
spec:
  interval: 5m
  values:
    identity.issuer.scheme: kubernetes.io/tls
    installNamespace: false
    
  valuesFrom:
  - kind: Secret
    name: linkerd-trust-anchor
    valuesKey: tls.crt
    targetPath: identityTrustAnchorsPEM
  chart:
    spec:
      chart: linkerd2
      version: "2.11.2"
      sourceRef:
        kind: HelmRepository
        name: linkerd
        namespace: linkerd
      interval: 1m

source.yaml

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: linkerd
  namespace: linkerd
spec:
  interval: 5m0s
  url: https://helm.linkerd.io/stable

linkerd-trust-anchor.yaml

apiVersion: v1
data:
  tls.crt: base64encoded
  tls.key: base64encoded
kind: Secret
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
type: kubernetes.io/tls

which was created with:

step certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca --no-password --insecure

issuer.yaml

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth

now when it comes the time to reconcile i get this error in the helmrelease

Helm install failed: execution error at (linkerd2/templates/identity.yaml:19:21): Please provide the identity issuer certificate

however doing it manually does work perfectly

helm install linkerd2   \
--set-file identityTrustAnchorsPEM=ca.crt   \
--set identity.issuer.scheme=kubernetes.io/tls   \
--set installNamespace=false   linkerd/linkerd2   \
-n linkerd

It Also work if I have the same setup but without cert manager and certificates declared manually (with a different secret name as linkerd will create it on its own)like this:

valuesFrom:
  - kind: Secret
    name: linkerd-trust-anchor
    valuesKey: tls.crt
    targetPath: identityTrustAnchorsPEM
  - kind: Secret
    name: linkerd-identity-issuer-2
    valuesKey: tls.crt
    targetPath: identity.issuer.tls.crtPEM
  - kind: Secret
    name: linkerd-identity-issuer-2
    valuesKey: tls.key
    targetPath: identity.issuer.tls.keyPEM

Am I missing something?

Diego Alejandro Llanos Gareca
  • 33
  • 4
  • `valuesFrom` should basically be in the format of a values file, so it should not be the raw cert, it should contain yaml or json like: `{ "identityTrustAnchorsPEM": }`. `targetPath` is a json/yaml merge point, but your secret does not contain json. – jordanm Jun 27 '22 at 21:07
  • Not really, is not a problem with the valuesFrom nor targetpath, as I said in the end of the post, when declaring a different secret name it works and makes the proper replacement, just creates a new linkerd-identity-issuer secret on its own thats not managed by cert-manager – Diego Alejandro Llanos Gareca Jun 27 '22 at 21:31
  • Sorry, I thought the issue was the error in your question that indicated the proper value was not being set. – jordanm Jun 27 '22 at 21:48
  • Got to admit that your comment helped me to find the solution, the problem relies in identity.issuer.scheme: kubernetes.io/tls which should be with the proper yaml identations – Diego Alejandro Llanos Gareca Jun 27 '22 at 22:04

1 Answers1

1

The problem lies here:

values:
    identity.issuer.scheme: kubernetes.io/tls

It should be:

values:
    identity:
      issuer:
        scheme: kubernetes.io/tls

Otherwise, helm wont recognize it and linkerd will think the schema is linkerd.io/tls, which doesn't match the schema structure of kubernetes secret tls.

Adrian Mole
  • 49,934
  • 160
  • 51
  • 83
Diego Alejandro Llanos Gareca
  • 33
  • 4