...

Package trustanchor

import "edge-infra.dev/pkg/edge/linkerd/certs/trustanchor"

Package trustanchor abstracts the linkerd trust anchor certificate manager objects and implements the logic to create and read the linkerd trust anchor certificate Kubernetes secret.

Constants

const (
    CaBundleKey               = "ca-bundle.crt"
    ManualTrustAnchorRotation = "linkerd.io/manual-anchor-rotation"
)

func CheckCaBundle

func CheckCaBundle(ctx context.Context, c client.Client) (bool, error)

CheckCaBundle checks that the CA bundle in the identity configmap contains the certificate from the currently deployed trust anchor secret.

func Create

func Create(ctx context.Context, c client.Client, l5d *l5dv1alpha1.Linkerd) (string, error)

Create is responsible for creating a new trust anchor secret.

func CreateIfNotExists

func CreateIfNotExists(ctx context.Context, c client.Client, l5d *l5dv1alpha1.Linkerd) (string, error)

CreateIfNotExists checks whether the trust anchor secret has already been created and creates it if it is not present.

The content of the trust anchor secret that is required by the linkerd installation manifest rendering process is returned regardless so that manifests can be rendered correctly after controller restarts without re-generating the secret each time.

func GenerateTrustAnchor

func GenerateTrustAnchor(ctx context.Context) ([]byte, []byte, error)

GenerateTrustAnchor creates the trust anchor cert and key; see https://linkerd.io/2.11/tasks/automatically-rotating-control-plane-tls-credentials/#save-the-signing-key-pair-as-a-secret

func GetCaBundle

func GetCaBundle(ctx context.Context, c client.Client) (string, error)

GetCaBundle retrieves the CA bundle from the linkerd-identity-trust-roots configmap, or from the trust anchor secret if the configmap does not exist.

func HasManualRotationAnnotation

func HasManualRotationAnnotation(l5d *l5dv1alpha1.Linkerd) bool

func IsRotated

func IsRotated(ctx context.Context, c client.Client) bool

IsRotated checks for the trust anchor rotated annotation on the trust anchor secret and returns true if the annotation is present.

func RemoveRotationAnnotations

func RemoveRotationAnnotations(ctx context.Context, c client.Client, l5d *l5dv1alpha1.Linkerd) error

func Rotate

func Rotate(ctx context.Context, c client.Client, l5d *l5dv1alpha1.Linkerd) error

Rotate generates a new trust anchor secret, annotates it, updates the CA bundle and patches the existing secret.

func SecretExists

func SecretExists(ctx context.Context, c client.Client) (string, error)

SecretExists attempts to get the trust anchor secret and returns the cert string if it exists. An empty string with a nil error indicates that the secret does not exist.

func UpdateCaBundle

func UpdateCaBundle(ctx context.Context, c client.Client) (string, error)

UpdateCaBundle checks whether the CA bundle contains the current trust anchor certificate and updates the bundle if it does not.
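The two pieces of logic this package documents, generating a trust anchor (GenerateTrustAnchor) and checking or extending the CA bundle with it (CheckCaBundle and UpdateCaBundle), can be shown on plain bytes without a Kubernetes client. The following is an added illustrative example, not the package's own code: it assumes the trust anchor is a self-signed ECDSA P-256 root CA with the subject root.linkerd.cluster.local (the name the linked linkerd task uses), that ca-bundle.crt is a concatenation of PEM certificates, and that "contains" means an exact match on the certificate's DER bytes rather than on its subject, so a rotated anchor with the same name is correctly treated as missing. The function names GenerateTrustAnchorPEM, BundleContains and EnsureInBundle are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TrustAnchorCN is the subject used by the linkerd trust anchor task linked above
// (assumed here; the page itself does not state the subject the package uses).
const TrustAnchorCN = "root.linkerd.cluster.local"

// GenerateTrustAnchorPEM builds a self-signed ECDSA P-256 root CA certificate and
// its PKCS#8 private key, both PEM-encoded. Illustrative reimplementation of what
// the page says GenerateTrustAnchor does; not the package's own code.
func GenerateTrustAnchorPEM(validFor time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial so two generated anchors never collide.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: TrustAnchorCN},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// A trust anchor only signs the identity issuer certificate, so it
		// gets certificate-signing usage and nothing else.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// BundleContains reports whether the PEM bundle holds exactly the certificate in
// certPEM (DER comparison). It rejects a malformed bundle instead of silently
// skipping broken entries, which is the CheckCaBundle-style check done on bytes.
func BundleContains(bundlePEM, certPEM []byte) (bool, error) {
	target, _ := pem.Decode(certPEM)
	if target == nil || target.Type != "CERTIFICATE" {
		return false, errors.New("trust anchor is not a PEM CERTIFICATE block")
	}
	rest := bundlePEM
	for {
		var blk *pem.Block
		blk, rest = pem.Decode(rest)
		if blk == nil {
			return false, nil // no more PEM blocks: anchor not present
		}
		if blk.Type != "CERTIFICATE" {
			continue
		}
		if _, err := x509.ParseCertificate(blk.Bytes); err != nil {
			return false, fmt.Errorf("malformed certificate in bundle: %w", err)
		}
		if bytes.Equal(blk.Bytes, target.Bytes) {
			return true, nil
		}
	}
}

// EnsureInBundle appends certPEM when it is missing and reports whether the
// bundle changed: the check-then-update step UpdateCaBundle performs, on bytes.
// The previous anchor stays in the bundle so both generations are trusted
// while a rotation is in progress.
func EnsureInBundle(bundlePEM, certPEM []byte) ([]byte, bool, error) {
	found, err := BundleContains(bundlePEM, certPEM)
	if err != nil || found {
		return bundlePEM, false, err
	}
	out := bytes.TrimRight(bundlePEM, "\n")
	if len(out) > 0 {
		out = append(out, '\n')
	}
	return append(out, certPEM...), true, nil
}

func main() {
	oldCert, _, _ := GenerateTrustAnchorPEM(24 * time.Hour) // constructed "deployed" anchor
	newCert, _, _ := GenerateTrustAnchorPEM(24 * time.Hour) // constructed rotated anchor
	bundle, changed, err := EnsureInBundle(oldCert, newCert)
	fmt.Printf("bundle updated: %v, err: %v, bundle bytes: %d\n", changed, err, len(bundle))
}
```

Running main shows the bundle being extended once; a second EnsureInBundle call with the same anchor reports no change, which is the idempotence a controller needs across restarts.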