Linkerd2 and GitOps

[uhthomas]

I was wondering if anyone has had any success in setting up Linkerd2 (Helm3) using GitOps? I've setup a brand new cluster from scratch, and everything is deployed using Flux. It looks like trust anchors are required, but I can't think of a good solution to do this in Git. See

synchronization of release 'linkerd2' in namespace 'linkerd2' failed: installation failed: execution error at (linkerd2/templates/web.yaml:98:12): Please provide the identity trust anchors

Any suggestions or discussion on this topic would be greatly appreciated 😄

[grampelberg]

I would recommend using cert-manager for the identity cert/key and checking the trust anchor cert into git. It is not secret and therefore doesn't need any kind of protections.

[uhthomas]

Thanks for the suggestion 😄 I'll take a look at this tomorrow. So all that should need to be done (initially) is generating a root cert and supplying that to Linkerd2 via the Helm chart?

[uhthomas]

@grampelberg I've re-added Linkerd2 to my cluster, and provided a root certificate but now get

synchronization of release 'linkerd2' in namespace 'linkerd' failed: installation failed: execution error at (linkerd2/templates/identity.yaml:19:55): Please provide the identity issuer certificate expiry date

Does this mean I also need to provide a crt and key? If so, how should I pass them to the helm chart?

My Linkerd2 config

[uhthomas]

Ahh, I figured it out. I followed the instructions your linked for using cert-manager with Linkerd2 and it all seems to work.

For anyone else reading this, this configuration is running and working.

These are the steps I took to generate the relevant secrets:

$ step certificate create identity.linkerd.cluster.local ca.crt ca.key \
    --profile root-ca \
    --no-password \
    --insecure
$ kubectl create secret tls linkerd-trust-anchor \
    --dry-run=client \
    --cert=ca.crt \
    --key=ca.key \
    --namespace=linkerd -o yaml | kubeseal --controller-name sealed-secrets -o yaml

From there everything can be safely committed to source control 😄

Thanks so much for your help @grampelberg! (and the rest of the guys on the Slack)

[grampelberg]

Awesome! @cpretzer can update this discussion once we've got a blog post published walking folks through everything!