What is the issue?
I want to run a mesh with no mTLS. I've followed the documentation and trying to disable identity as outlined below. I use helm based deployment...and my linkerd version is stable-2.11.1
-
Install with a cert having 10 mins expiry
-
Let it expire
-
ssh into one of the POD having linkerd proxy and try to hit another POD
-
As expected, the communication fails due to expired cert
-
Uninstall linkerd and reinstall with following override in the values.yaml
proxy configuration
proxy:
disableIdentity: true
helm upgrade --install linkerd2 --set-file identityTrustAnchorsPEM=ca.crt \ --set-file identity.issuer.tls.crtPEM=issuer.crt \ --set-file identity.issuer.tls.keyPEM=issuer.key \ linkerd2 -f linkerd2/values.yaml
I get the below error
Error: UPGRADE FAILED: template: linkerd2/templates/proxy-injector.yaml:8:3: executing "linkerd2/templates/proxy-injector.yaml" at <include "linkerd.proxy.validation" .Values.proxy>: error calling include: template: linkerd2/charts/partials/templates/_validate.tpl:3:4: executing "linkerd.proxy.validation" at <fail (printf "Can't disable identity mTLS for %s. Set '.Values.proxy.disableIdentity' to 'false'" .component)>: error calling fail: Can't disable identity mTLS for %!s(). Set '.Values.proxy.disableIdentity' to 'false'
My deployment is within a secure corporate network and instead of having to rotate certs, i would like to disable and have mesh with no TLS. Is it not possible to disable mTLS ?
How can it be reproduced?
Please see above in the What's the issue section
Logs, error output, etc
Error: UPGRADE FAILED: template: linkerd2/templates/proxy-injector.yaml:8:3: executing "linkerd2/templates/proxy-injector.yaml" at <include "linkerd.proxy.validation" .Values.proxy>: error calling include: template: linkerd2/charts/partials/templates/_validate.tpl:3:4: executing "linkerd.proxy.validation" at <fail (printf "Can't disable identity mTLS for %s. Set '.Values.proxy.disableIdentity' to 'false'" .component)>: error calling fail: Can't disable identity mTLS for %!s(). Set '.Values.proxy.disableIdentity' to 'false'
output of linkerd check -o short
linkerd check -o short
Linkerd core checks
linkerd-identity
× issuer cert is within its validity period
issuer certificate is not valid anymore. Expired on 2022-02-26T04:18:18Z
see https://linkerd.io/2.11/checks/#l5d-identity-issuer-cert-is-time-valid for hints
Status check results are ×
Environment
k8s version: 1.19.15
Env: AWS EKS
Possible solution
No response
Additional context
No response
Would you like to work on fixing this bug?
No response
What is the issue?
I want to run a mesh with no mTLS. I've followed the documentation and trying to disable identity as outlined below. I use helm based deployment...and my linkerd version is stable-2.11.1
Install with a cert having 10 mins expiry
Let it expire
ssh into one of the POD having linkerd proxy and try to hit another POD
As expected, the communication fails due to expired cert
Uninstall linkerd and reinstall with following override in the values.yaml
proxy configuration
proxy:
disableIdentity: true
helm upgrade --install linkerd2 --set-file identityTrustAnchorsPEM=ca.crt \ --set-file identity.issuer.tls.crtPEM=issuer.crt \ --set-file identity.issuer.tls.keyPEM=issuer.key \ linkerd2 -f linkerd2/values.yamlI get the below error
Error: UPGRADE FAILED: template: linkerd2/templates/proxy-injector.yaml:8:3: executing "linkerd2/templates/proxy-injector.yaml" at <include "linkerd.proxy.validation" .Values.proxy>: error calling include: template: linkerd2/charts/partials/templates/_validate.tpl:3:4: executing "linkerd.proxy.validation" at <fail (printf "Can't disable identity mTLS for %s. Set '.Values.proxy.disableIdentity' to 'false'" .component)>: error calling fail: Can't disable identity mTLS for %!s(). Set '.Values.proxy.disableIdentity' to 'false'
My deployment is within a secure corporate network and instead of having to rotate certs, i would like to disable and have mesh with no TLS. Is it not possible to disable mTLS ?
How can it be reproduced?
Please see above in the What's the issue section
Logs, error output, etc
Error: UPGRADE FAILED: template: linkerd2/templates/proxy-injector.yaml:8:3: executing "linkerd2/templates/proxy-injector.yaml" at <include "linkerd.proxy.validation" .Values.proxy>: error calling include: template: linkerd2/charts/partials/templates/_validate.tpl:3:4: executing "linkerd.proxy.validation" at <fail (printf "Can't disable identity mTLS for %s. Set '.Values.proxy.disableIdentity' to 'false'" .component)>: error calling fail: Can't disable identity mTLS for %!s(). Set '.Values.proxy.disableIdentity' to 'false'
output of
linkerd check -o shortlinkerd check -o short
Linkerd core checks
linkerd-identity
× issuer cert is within its validity period
issuer certificate is not valid anymore. Expired on 2022-02-26T04:18:18Z
see https://linkerd.io/2.11/checks/#l5d-identity-issuer-cert-is-time-valid for hints
Status check results are ×
Environment
k8s version: 1.19.15
Env: AWS EKS
Possible solution
No response
Additional context
No response
Would you like to work on fixing this bug?
No response