@harrymitchinson
Created March 28, 2020 15:09
Linkerd pulumi
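import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// linkerdNamespace, linkerdTrustAnchorIssuer and provider are defined
// elsewhere in the program (not shown in this gist).

// cert-manager Certificate for the Linkerd identity issuer: a short-lived
// intermediate CA (24h lifetime, renewed 1h before expiry) signed by the
// trust anchor Issuer.
const linkerdIdentityIssuer = new k8s.apiextensions.CustomResource(
  "linkerd-identity-issuer",
  {
    apiVersion: "cert-manager.io/v1alpha2",
    kind: "Certificate",
    metadata: {
      namespace: linkerdNamespace.metadata.name
    },
    spec: {
      secretName: "linkerd-identity-issuer",
      duration: "24h",
      renewBefore: "1h",
      issuerRef: {
        name: linkerdTrustAnchorIssuer.metadata.name,
        kind: "Issuer"
      },
      commonName: "identity.linkerd.cluster.local",
      isCA: true,
      keyAlgorithm: "ecdsa",
      usages: ["cert sign", "crl sign", "server auth", "client auth"]
    }
  },
  {
    provider
  }
);

// For the first install the linkerdIdentityIssuerSecret and linkerd chart must not be present.
// Secret.get reads an existing Secret, which cert-manager creates only after
// the Certificate above has been issued.
const linkerdIdentityIssuerSecret = k8s.core.v1.Secret.get(
  "linkerd-identity-issuer",
  pulumi.interpolate`${linkerdNamespace.metadata.name}/${
    linkerdIdentityIssuer.getInputs().spec.secretName
  }`,
  {
    dependsOn: [linkerdIdentityIssuer],
    provider
  }
);

const linkerd = new k8s.helm.v3.Chart(
  `linkerd2`,
  {
    chart: "linkerd2",
    namespace: linkerdNamespace.metadata.name,
    fetchOpts: {
      repo: "https://helm.linkerd.io/stable"
    },
    values: {
      global: {
        // Trust anchor for the mesh: the CA certificate (ca.crt) that
        // cert-manager stores in the issuer Secret, decoded from base64 to PEM.
        identityTrustAnchorsPEM: linkerdIdentityIssuerSecret.data.apply(
          (data: any) => Buffer.from(data["ca.crt"], "base64").toString("ascii")
        )
      },
      identity: {
        issuer: {
          // Read the issuer key pair from a kubernetes.io/tls Secret
          // (the format cert-manager writes).
          scheme: "kubernetes.io/tls"
        }
      },
      installNamespace: false
    }
  },
  { provider, dependsOn: [linkerdIdentityIssuer] }
);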