Production Linkerd with AWS Private CA issuer

Install cert-manager

helm repo add jetstack https://charts.jetstack.io --force-update
helm repo update
helm upgrade --install  cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set crds.enabled=true --waiy

Install AWS PrivateCA Issuer

Create IAM Policy

pca-iam-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "awspcaissuer",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:IssueCertificate"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*"
    }
  ]
}

aws iam create-policy --policy-name AWSPCAIssuerIAMPolicy --policy-document file://pca-iam-policy.json

Create service account and IAM Role

eksctl create iamserviceaccount \
--cluster=immuta-lts \
--namespace=aws-pca-issuer \
--name=aws-pca-issuer \
--attach-policy-arn=arn:aws:iam::231431240278:policy/AWSPCAIssuerIAMPolicy \
--override-existing-serviceaccounts \
--approve

Install via helm

helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer
helm install aws-pca-issuer awspca/aws-privateca-issuer -n aws-pca-issuer --set serviceAccount.create=false --set serviceAccount.name=aws-pca-issuer

Create a Private Root CA for Linkerd

Follow your preferred method for creating a private root CA via AWS documentation and note the certificate ARN for use when creating the Issuer

Create a private CA in AWS Private CA - AWS Private Certificate AuthorityAWS Private Certificate Authority

Create an AWSPCAIssuer

kubectl create namespace linkerd

linkerd-issuer.yaml

apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAIssuer
metadata:
  namespace: linkerd
  name: linkerd-trust-anchor
spec:
  arn: arn:aws:acm-pca:us-east-1:231431240278:certificate-authority/7902430d-23dd-4d5c-a27c-0e4777eb9de5
  region: us-east-1

Create Linkerd Identity Issuer Certificate

linkerd-identity-issuer.yaml

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth

kubectl apply -f linkerd-idenity-issuer.yaml

Validate that the linkerd-identity-issuer certificate is ready

kubectl -n linkerd get certificate linkerd-identity-issuer
NAME                      READY   SECRET                    AGE
linkerd-identity-issuer   True    linkerd-identity-issuer   104s

Install Linkerd

Download the private CA from AWS Private Certificate Authority and store it in a file named ca.crt

Install linkerd CRDs and Control Plan via helm (using ha-values)

helm repo add linkerd-edge https://helm.linkerd.io/edge
helm install linkerd-crds linkerd-edge/linkerd-crds-n linkerd
helm fetch --untar linkerd-edge/linkerd-control-plane
helm install linkerd-control-plane -n linkerd --set-file identityTrustAnchorsPEM=./ca.crt --set identity.issuer.scheme=kubernetes.io/tls -f linkerd-control-plane/values-ha.yaml linkerd-edge/linkerd-control-plane
linkerd check

Apply to Immuta deployment

kubectl get -n immuta deploy -o yaml| linkerd inject -| kubectl apply -f -

Validate tls identity on pods

linkerd identity -n immuta immuta-secure-web-795579f654-qtdnt

POD immuta-secure-web-795579f654-qtdnt (1 of 1)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
    Signature Algorithm: ECDSA-SHA256
        Issuer: CN=identity.linkerd.cluster.local
        Validity
            Not Before: Jun 25 20:26:20 2024 UTC
            Not After : Jun 26 20:27:00 2024 UTC
        Subject: CN=default.immuta.serviceaccount.identity.linkerd.cluster.local
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    6d:1d:05:cd:f8:c3:76:72:9a:d9:4c:19:48:ad:ee:
                    65:bd:1d:07:b7:76:a7:60:cf:8e:1c:c3:a8:ed:82:
                    02:c7
                Y:
                    63:b7:79:90:54:e7:de:cc:da:85:6f:f8:5f:f6:ea:
                    09:61:5c:6f:fe:5c:19:e0:a4:ee:ec:cc:40:d5:86:
                    83:58
                Curve: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:AE:9F:F7:1B:A0:F1:A0:05:B9:10:18:F0:9E:2C:DA:23:D3:83:9C:6B
            X509v3 Subject Alternative Name:
                DNS:default.immuta.serviceaccount.identity.linkerd.cluster.local

    Signature Algorithm: ECDSA-SHA256
         30:46:02:21:00:e1:8f:64:dc:00:a5:04:0b:14:3f:41:4f:e8:
         cb:d0:00:61:9e:6a:51:77:d0:52:46:0b:af:50:c9:78:0f:06:
         38:02:21:00:d5:8e:c5:54:f4:48:f8:cd:18:48:7e:b5:d2:cb:
         fc:3f:16:33:98:9d:8b:c5:be:f4:82:e4:6c:97:9c:e0:94:92

PreviousIn-cluster Elasticsearch using Elastic Cloud on Kubernetes (ECK)NextDeploying Linkerd via Open Source Linkerd