Hello Team, I have installed Linkerd using the Helm chart and integrated cert-manager as well.
After installation I was getting a BadCertificate error.

```
[ 1280.943318s] ERROR ThreadId(01) inbound:server{port=8080}: rustls::conn: TLS alert received: AlertMessagePayload {
    level: Fatal,
    description: BadCertificate,
}
```
Below is the Terraform I used to create Linkerd.

```hcl
# self signed cert
resource "tls_private_key" "ca" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_self_signed_cert" "trustanchor_cert" {
  key_algorithm         = tls_private_key.ca.algorithm
  private_key_pem       = tls_private_key.ca.private_key_pem
  validity_period_hours = 876000
  is_ca_certificate     = true

  subject {
    common_name = "identity.linkerd.cluster.local"
  }

  allowed_uses = [
    "crl_signing",
    "cert_signing",
    "server_auth",
    "client_auth"
  ]
}

resource "tls_private_key" "issuer_key" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_cert_request" "issuer_req" {
  key_algorithm   = tls_private_key.issuer_key.algorithm
  private_key_pem = tls_private_key.issuer_key.private_key_pem

  subject {
    common_name = "identity.linkerd.cluster.local"
  }
}

resource "tls_locally_signed_cert" "issuer_cert" {
  cert_request_pem      = tls_cert_request.issuer_req.cert_request_pem
  ca_key_algorithm      = tls_private_key.ca.algorithm
  ca_private_key_pem    = tls_private_key.ca.private_key_pem
  ca_cert_pem           = tls_self_signed_cert.trustanchor_cert.cert_pem
  validity_period_hours = 8760
  is_ca_certificate     = true

  allowed_uses = [
    "crl_signing",
    "cert_signing",
    "server_auth",
    "client_auth"
  ]
}
```
Helm Linkerd installation:

```hcl
locals {
  linkerd_overrides = {
    identityTrustAnchorsPEM = tls_self_signed_cert.trustanchor_cert.cert_pem
    linkerdVersion          = "stable-2.12.2"
    identity = {
      issuer = {
        tls = {
          crtPEM = tls_locally_signed_cert.issuer_cert.cert_pem
          keyPEM = tls_private_key.issuer_key.private_key_pem
        }
      }
    }
  }
}

resource "kubernetes_namespace" "linkerd" {
  metadata {
    name = "linkerd"
  }
}

resource "helm_release" "linkerd-crds" {
  name       = "linkerd-crds"
  repository = "https://helm.linkerd.io/stable"
  chart      = "linkerd-crds"
  version    = "1.4.0"
  namespace  = var.linkerd_namespace
  timeout    = 1200
}

resource "helm_release" "linkerd-control-plane" {
  name       = "linkerd"
  repository = "https://helm.linkerd.io/stable"
  chart      = "linkerd-control-plane"
  version    = "1.9.5"
  namespace  = var.linkerd_namespace
  timeout    = 1200

  values = [
    yamlencode(local.linkerd_overrides)
  ]
}

resource "kubernetes_secret" "tls" {
  metadata {
    name      = "linkerd-trust-anchor"
    namespace = var.linkerd_namespace
  }

  data = {
    "tls.crt" : "${tls_self_signed_cert.trustanchor_cert.cert_pem}"
    "tls.key" : "${tls_private_key.ca.private_key_pem}"
  }

  type = "kubernetes.io/tls"
}

resource "kubernetes_manifest" "issuer" {
  depends_on = [helm_release.linkerd-control-plane]

  manifest = {
    apiVersion = "cert-manager.io/v1"
    kind       = "Issuer"
    metadata = {
      name      = "linkerd-trust-anchor"
      namespace = "linkerd"
    }
    spec = {
      ca = {
        secretName = "linkerd-trust-anchor"
      }
    }
  }
}

resource "kubernetes_manifest" "certificate_linkerd_linkerd_identity_issuer" {
  depends_on = [helm_release.linkerd-control-plane]

  manifest = {
    "apiVersion" = "cert-manager.io/v1"
    "kind"       = "Certificate"
    "metadata" = {
      "name"      = "linkerd-identity-issuer"
      "namespace" = var.linkerd_namespace
    }
    "spec" = {
      "commonName" = "identity.linkerd.cluster.local"
      "dnsNames" = [
        "identity.linkerd.cluster.local",
      ]
      "duration" = "4380h0m0s"
      "isCA"     = true
      "issuerRef" = {
        "kind" = "Issuer"
        "name" = "linkerd-trust-anchor"
      }
      "privateKey" = {
        "algorithm"      = "ECDSA"
        "rotationPolicy" = "Always"
      }
      "renewBefore" = "48h0m0s"
      "secretName"  = "linkerd-identity-issuer"
      "usages" = [
        "cert sign",
        "crl sign",
        "server auth",
        "client auth",
      ]
    }
  }
}
```
I have run `linkerd check` to see whether the cert has expired or not, but it shows as valid. Below is the output:

```
Linkerd core checks

kubernetes-api
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version

linkerd-existence
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ control plane pods are ready
√ cluster networks contains all pods
√ cluster networks contains all services

linkerd-config
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ proxy-init container runs as root user if docker container runtime is used

linkerd-identity
√ certificate config is valid
√ trust anchors are using supported crypto algorithm
√ trust anchors are within their validity period
√ trust anchors are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust anchor

linkerd-webhooks-and-apisvc-tls
√ proxy-injector webhook has valid cert
√ proxy-injector cert is valid for at least 60 days
√ sp-validator webhook has valid cert
√ sp-validator cert is valid for at least 60 days
√ policy-validator webhook has valid cert
√ policy-validator cert is valid for at least 60 days

linkerd-version
√ can determine the latest version
‼ cli is up-to-date
    is running version 2.12.3 but the latest stable version is 2.13.4
    see https://linkerd.io/2.12/checks/#l5d-version-cli for hints

control-plane-version
√ can retrieve the control plane version
‼ control plane is up-to-date
    is running version 2.12.2 but the latest stable version is 2.13.4
    see https://linkerd.io/2.12/checks/#l5d-version-control for hints
‼ control plane and cli versions match
    control plane running stable-2.12.2 but cli running stable-2.12.3
    see https://linkerd.io/2.12/checks/#l5d-version-control for hints

linkerd-control-plane-proxy
√ control plane proxies are healthy
‼ control plane proxies are up-to-date
    some proxies are not running the current version:
    * linkerd-destination-845d597658-9vd5c (stable-2.12.2)
    * linkerd-destination-845d597658-qrrzg (stable-2.12.2)
    * linkerd-destination-845d597658-rbzhf (stable-2.12.2)
    * linkerd-identity-7684bf469c-mdb7m (stable-2.12.2)
    * linkerd-identity-7684bf469c-vxcdf (stable-2.12.2)
    * linkerd-identity-7684bf469c-zwhqk (stable-2.12.2)
    * linkerd-proxy-injector-6d9c89f75b-ls78z (stable-2.12.2)
    * linkerd-proxy-injector-6d9c89f75b-q2b6r (stable-2.12.2)
    * linkerd-proxy-injector-6d9c89f75b-vwkhj (stable-2.12.2)
    see https://linkerd.io/2.12/checks/#l5d-cp-proxy-version for hints
‼ control plane proxies and cli versions match
    linkerd-destination-845d597658-9vd5c running stable-2.12.2 but cli running stable-2.12.3
    see https://linkerd.io/2.12/checks/#l5d-cp-proxy-cli-version for hints

Status check results are √
```

I need your support to fix this issue.