
@ihcsim
Created December 10, 2019 22:06
```diff
diff --git a/cli/cmd/upgrade.go b/cli/cmd/upgrade.go
index e4b674a1..70be6450 100644
--- a/cli/cmd/upgrade.go
+++ b/cli/cmd/upgrade.go
@@ -6,13 +6,13 @@ import (
"fmt"
"io/ioutil"
"os"
- "time"
"github.com/linkerd/linkerd2/pkg/config"
pb "github.com/linkerd/linkerd2/controller/gen/config"
charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2"
"github.com/linkerd/linkerd2/pkg/healthcheck"
+ "github.com/linkerd/linkerd2/pkg/issuercerts"
"github.com/linkerd/linkerd2/pkg/k8s"
"github.com/linkerd/linkerd2/pkg/tls"
"github.com/linkerd/linkerd2/pkg/version"
@@ -393,7 +393,7 @@ func (options *upgradeOptions) fetchIdentityValues(k kubernetes.Interface, idctx
}
var trustAnchorsPEM string
- var issuerData *issuerData
+ var issuerData *issuercerts.IssuerCertData
var err error
if options.identityOptions.trustPEMFile != "" {
@@ -422,94 +422,60 @@ func (options *upgradeOptions) fetchIdentityValues(k kubernetes.Interface, idctx
Scheme: idctx.Scheme,
ClockSkewAllowance: idctx.GetClockSkewAllowance().String(),
IssuanceLifetime: idctx.GetIssuanceLifetime().String(),
- CrtExpiry: issuerData.exp,
+ CrtExpiry: *issuerData.Expiry,
CrtExpiryAnnotation: k8s.IdentityIssuerExpiryAnnotation,
TLS: &charts.TLS{
- KeyPEM: issuerData.key,
- CrtPEM: issuerData.crt,
+ KeyPEM: issuerData.IssuerKey,
+ CrtPEM: issuerData.IssuerCrt,
},
},
}, nil
}
-type issuerData struct {
- key string
- crt string
- exp time.Time
-}
+func readIssuer(trustPEM, issuerCrtPath, issuerKeyPath string) (*issuercerts.IssuerCertData, error) {
-func verifyCreds(creds *tls.Cred, trustAnchors, dns string) error {
- roots, err := tls.DecodePEMCertPool(trustAnchors)
+ key, crt, err := issuercerts.LoadIssuerCrtAndKeyFromFiles(issuerKeyPath, issuerCrtPath)
if err != nil {
- return err
+ return nil, err
}
- if err := creds.Verify(roots, dns); err != nil {
- return fmt.Errorf("invalid credentials: %s", err)
+ issuerData := &issuercerts.IssuerCertData{
+ TrustAnchors: trustPEM,
+ IssuerCrt: crt,
+ IssuerKey: key,
}
- return nil
-}
-
-func readIssuer(trustPEM, issuerCrtPath, issuerKeyPath string) (*issuerData, error) {
- creds, err := tls.ReadPEMCreds(issuerKeyPath, issuerCrtPath)
- if err != nil {
+ if _, err := issuerData.VerifyAndBuildCreds(""); err != nil {
return nil, err
}
- if err := verifyCreds(creds, trustPEM, ""); err != nil {
- return nil, fmt.Errorf("invalid issuer credentials: %s", err)
- }
-
- return &issuerData{
- key: creds.EncodePrivateKeyPEM(),
- crt: creds.EncodeCertificatePEM(),
- exp: creds.Certificate.NotAfter,
- }, nil
+ return issuerData, nil
}
-func fetchIssuer(k kubernetes.Interface, trustPEM string, scheme string) (*issuerData, error) {
- crtName := k8s.IdentityIssuerCrtName
- keyName := k8s.IdentityIssuerKeyName
-
- roots, err := tls.DecodePEMCertPool(trustPEM)
- if err != nil {
- return nil, err
- }
+func fetchIssuer(k kubernetes.Interface, trustPEM string, scheme string) (*issuercerts.IssuerCertData, error) {
+ var (
+ issuerData *issuercerts.IssuerCertData
+ err error
+ )
- secret, err := k.CoreV1().
- Secrets(controlPlaneNamespace).
- Get(k8s.IdentityIssuerSecretName, metav1.GetOptions{})
+ kubeAPI, err := k8s.NewAPI(kubeconfigPath, kubeContext, impersonate, 0)
if err != nil {
return nil, err
}
- if scheme == string(corev1.SecretTypeTLS) {
- crtName = corev1.TLSCertKey
- keyName = corev1.TLSPrivateKeyKey
- }
- keyPEM := string(secret.Data[keyName])
- key, err := tls.DecodePEMKey(keyPEM)
- if err != nil {
- return nil, err
+ switch scheme {
+ case string(corev1.SecretTypeTLS):
+ issuerData, err = issuercerts.FetchExternalIssuerData(kubeAPI, controlPlaneNamespace)
+ case "":
+ issuerData, err = issuercerts.FetchIssuerData(kubeAPI, trustPEM, controlPlaneNamespace)
}
- crtPEM := string(secret.Data[crtName])
- crt, err := tls.DecodePEMCrt(crtPEM)
+ cred, err := issuerData.VerifyAndBuildCreds("")
if err != nil {
return nil, err
}
- cred := &tls.Cred{PrivateKey: key, Crt: *crt}
- if err = cred.Verify(roots, ""); err != nil {
- return nil, fmt.Errorf("invalid issuer credentials: %s", err)
- }
-
- return &issuerData{
- key: keyPEM,
- crt: crtPEM,
- exp: crt.Certificate.NotAfter,
- }, nil
-
+ issuerData.Expiry = &cred.Crt.Certificate.NotAfter
+ return issuerData, nil
}
// upgradeErrorf prints the error message and quits the upgrade process
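Review bot: readIssuer never populates issuerData.Expiry (the literal built after LoadIssuerCrtAndKeyFromFiles sets only TrustAnchors, IssuerCrt and IssuerKey, and the result of VerifyAndBuildCreds is discarded), so the trustPEMFile path in fetchIdentityValues reaches `CrtExpiry: *issuerData.Expiry` with a nil pointer and panics, whereas fetchIssuer does set it. Keep the credentials and record the expiry before returning: `cred, err := issuerData.VerifyAndBuildCreds("")` … `issuerData.Expiry = &cred.Crt.Certificate.NotAfter`. Separately, the scheme switch in fetchIssuer has no `default:`, so an unrecognised scheme leaves issuerData nil going into VerifyAndBuildCreds, where the removed code fell back to the linkerd.io/tls key names; a default branch that returns an error or handles the linkerd scheme keeps that path explicit. The `k kubernetes.Interface` parameter also appears unused now that the function builds its own client with k8s.NewAPI from what look like package-level kubeconfig variables. fetchIdentityValues starts outside the hunk.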
diff --git a/pkg/issuercerts/issuercerts.go b/pkg/issuercerts/issuercerts.go
index c2543f96..e177c6d2 100644
--- a/pkg/issuercerts/issuercerts.go
+++ b/pkg/issuercerts/issuercerts.go
@@ -21,6 +21,7 @@ type IssuerCertData struct {
TrustAnchors string
IssuerCrt string
IssuerKey string
+ Expiry *time.Time
}
// FetchIssuerData fetches the issuer data from the linkerd-identitiy-issuer secrets (used for linkerd.io/tls schemed secrets)
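Review bot: The new Expiry field has no doc comment and is left nil by every constructor in this package (FetchIssuerData, FetchExternalIssuerData, LoadIssuerDataFromFiles), so dereferencing it is only safe after a caller has filled it in. A comment should state that contract, e.g. `// Expiry is the issuer certificate's NotAfter; nil until set by a caller that has verified the credentials.`. If the package can derive it itself (it presumably parses the certificate when building credentials), setting it in the constructors or in VerifyAndBuildCreds would remove the nil-deref hazard for every consumer. The IssuerCertData definition begins outside the hunk.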
@@ -41,7 +42,7 @@ func FetchIssuerData(api *k8s.KubernetesAPI, trustAnchors, controlPlaneNamespace
return nil, fmt.Errorf(keyMissingError, k8s.IdentityIssuerKeyName, "issuer key", consts.IdentityIssuerSecretName, true)
}
- return &IssuerCertData{trustAnchors, string(crt), string(key)}, nil
+ return &IssuerCertData{trustAnchors, string(crt), string(key), nil}, nil
}
// FetchExternalIssuerData fetches the issuer data from the linkerd-identitiy-issuer secrets (used for kubernetes.io/tls schemed secrets)
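Review bot: The return literal here, and the matching ones in the FetchExternalIssuerData and LoadIssuerDataFromFiles hunks, are unkeyed, which is why adding Expiry forced a trailing `nil` at each site and why any future field reordering would silently misassign values. Prefer keyed fields, `return &IssuerCertData{TrustAnchors: trustAnchors, IssuerCrt: string(crt), IssuerKey: string(key)}, nil`, which leaves Expiry nil implicitly and does not need touching when fields are added. Each enclosing function starts outside its hunk.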
@@ -66,7 +67,7 @@ func FetchExternalIssuerData(api *k8s.KubernetesAPI, controlPlaneNamespace strin
return nil, fmt.Errorf(keyMissingError, corev1.TLSPrivateKeyKey, "issuer key", consts.IdentityIssuerSecretName, true)
}
- return &IssuerCertData{string(anchors), string(crt), string(key)}, nil
+ return &IssuerCertData{string(anchors), string(crt), string(key), nil}, nil
}
// LoadIssuerCrtAndKeyFromFiles loads the issuer certificate and key from files
@@ -97,7 +98,7 @@ func LoadIssuerDataFromFiles(keyPEMFile, crtPEMFile, trustPEMFile string) (*Issu
return nil, err
}
- return &IssuerCertData{string(anchors), crt, key}, nil
+ return &IssuerCertData{string(anchors), crt, key, nil}, nil
}
// CheckCertTimeValidity ensures the certificate is valid time - wise
```