Pass certificates to Linkerd during deployment

Hello,

I’m looking into using a client-server TLS connection in Linkerd.
Using these docs - https://linkerd.io/features/tls/ & https://linkerd.io/config/1.3.2/linkerd/index.html#client-tls

I see that Linkerd needs to access the certificate files, which are located under ‘/certificates/’,
but how do I pass them to the service when I deploy the service via DC/OS?

To deploy I use:
" /io.buoyant/linkerd/1.3.0/bundle-exec ./config.yaml "

Thanks.

There are a couple different ways to make files available to linkerd in DC/OS:

  1. If you are on DC/OS Enterprise, you can create file-based secrets:
    https://docs.mesosphere.com/1.10/security/secrets/use-secrets/#file-based-secrets

Here is a similar example of using secrets to provide certs to linkerd for authenticated marathon access:


  2. If you are deploying with Marathon, you can add the files via the uris field:
    https://mesosphere.github.io/marathon/docs/application-basics.html#using-resources-in-applications
    … those files will end up in /mnt/mesos/sandbox, which you can reference in your linkerd config file.

Note that uris can be either URLs or files on the nodes themselves. So you can either make your certs available via a secure URL, or just copy them onto each node at something like /etc/linkerd/certs, and then Marathon will copy them into the container’s /mnt/mesos/sandbox at deploy time.
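Putting the Marathon side of this together, as an added example that is not from the thread: a Marathon app definition that fetches the certificate archive (and the linkerd bundle and config) into the task sandbox at deploy time, so the extracted files are available under /mnt/mesos/sandbox when bundle-exec starts. The URLs, the bundle path and the resource sizes are placeholders, not values from the original posts.

```json
{
  "id": "/linkerd",
  "instances": 1,
  "cpus": 0.5,
  "mem": 512,
  "cmd": "./io.buoyant/linkerd/1.3.0/bundle-exec ./config.yaml",
  "fetch": [
    { "uri": "https://example.com/linkerd-1.3.0-bundle.tgz", "extract": true },
    { "uri": "https://example.com/certificates.zip", "extract": true },
    { "uri": "https://example.com/config.yaml", "extract": false }
  ]
}
```

With certificates.zip containing a certificates/ directory, config.yaml can then point trustCerts at /mnt/mesos/sandbox/certificates/ca.crt; the fetch URLs should be HTTPS (or files already placed on the nodes) so the CA bundle cannot be swapped in transit.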

Thank you for the quick response. About the URIs, can I pass for instance an entire folder?

Like so:

uris: [
    "https://example.com/certificates"
]

And then extract the certificates from the folder via mesos/sandbox?
Like so:

commonName: master.mesos
trustCerts:
  - /mnt/mesos/sandbox/certificates/ca.crt

I don’t think a folder will work that way, but you could pass an archive file:

    "uris": [
        "https://example.com/certificates.zip"
    ]

…and then…

trustCerts:
  - /mnt/mesos/sandbox/certificates/ca.crt

Can I implement SSL only on the incoming server side (using a self-signed certificate),
without configuring any ‘tls’ on the client?
