Hi, we’re currently using Helm to install Linkerd, linkerd-viz and cert-manager to manage the certificates. I configured linkerd-viz for automatic certificate renewal. The steps were followed as in this task page, but the only difference is that the ‘root-CA’ is stored in Vault-PKI. There are no error messages for the certificate and issuer, but the tap-pod logs are as follows:

http: TLS handshake error from 192.168.67.209:53868: remote error: tls: bad certificate
http: TLS handshake error from 192.168.67.209:63778: remote error: tls: bad certificate
and when performing ‘linkerd check --proxy’, I get the following output:
linkerd-viz
-----------
√ linkerd-viz Namespace exists
√ can initialize the client
√ linkerd-viz ClusterRoles exist
√ linkerd-viz ClusterRoleBindings exist
× tap API server has valid cert
    cert is not issued by the trust anchor: x509: certificate signed by unknown authority
    see https://linkerd.io/2.14/checks/#l5d-tap-cert-valid for hints
Issuer config (kubectl describe output):

Name:         viz-webhook-issuer
Namespace:    linkerd-viz
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Issuer
Metadata:
Spec:
  Vault:
    Auth:
      Kubernetes:
        Mount Path:  /v1/auth/kubernetes
        Role:        linkerd-viz-issuer
        Secret Ref:
          Key:   token
          Name:  viz-issuer-token
    Path:    <pki-path>/sign/linkerd-viz-webhooks
    Server:  http://<vault_adress>:8200
Status:
  Conditions:
    Message:  Vault verified
    Reason:   VaultVerified
    Status:   True
    Type:     Ready
Events:       <none>
Linkerd version: 2.14.10
Command used to create the root CA in Vault for the linkerd-viz webhook certs:
vault write -field=certificate <pki-path>/root/generate/internal \
common_name=webhook.linkerd.cluster.local \
ttl=876000h key_type=ec