Linkerd2: Check for extension server certificate
What problem are you trying to solve?
It appears that not all clusters have requestheader-client-ca-file. With tap and soon other APIServices, that is required. Check should notify the user when that is missing as part of check --pre.
grampelberg
All 12 comments
I'd like to take on this one, even though I have very limited time at hand! If that is OK, I think I can find my way around! :)
bmcustodio
on 25 Sep 2019
This'd be great for that! There's a question in my mind around RBAC and access to read that specific secret.
grampelberg
on 25 Sep 2019
Exactly - what should the behaviour be in case the user running linkerd check --pre doesn't have enough perms? Should the test fail (or maybe be skipped)?
bmcustodio
on 25 Sep 2019
As most clusters have escalation protection right now, the user will need that RBAC to even install linkerd. It might be sufficient to just order the check after the RBAC checks (though I suspect they're missing this right now).
If the current user doesn't have enough perms, the check should definitely fail.
grampelberg
on 25 Sep 2019
@grampelberg cool! I think #3488, if not the whole thing, is at least a starting point for this.
bmcustodio
on 27 Sep 2019
Hey @grampelberg if @bmcstdio isn't working on this anymore, I'd like to take this up
christyjacob4
on 12 Feb 2020
@christyjacob4 go for it.
grampelberg
on 12 Feb 2020
@grampelberg I'd like to understand this issue a little better. Do you have any more documentation on it?
Thanks
christyjacob4
on 12 Feb 2020
grampelberg
on 12 Feb 2020
@grampelberg Can you tell me how I can test this?
christyjacob4
on 12 Feb 2020
Configure an API server and leave those flags off?
grampelberg
on 12 Feb 2020
okay I will try that and let you know if i face any difficulties along the way
christyjacob4
on 12 Feb 2020
Related issues
vikas027
路
4Comments
franziskagoltz
路
3Comments
adleong
路
4Comments
steve-fraser
路
4Comments
geekmush
路
4Comments