Role of the identityTrustAnchorsPEM Helm parameter when cert-manager CA injector is used

[sysarch-repo]

I can use the CA-injector of the cert-manager to insert the CA bundle in the config of the validating/mutating webhook used by the linkerd SP validator and proxy injector. Example:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: <name>
  namespace: <namespace>
  labels:
    ...
  annotations:
    cert-manager.io/inject-ca-from-secret: nti-security/cert-manager-linkerd-ca

I assume, there is no other use for the identityTrustAnchorsPEM Helm parameter across linkerd, or is the parameter utilized in other operations than defining the CA bundle in the webhook configs? If not, I could remove the CA cert from the install process completely - less deployment artifacts.

[alpeb]

The CA bundles in those webhooks are actually independent from the cert declared in identityTrustAnchorsPEM. The former is used to make TLS connections to the k8s API, whereas the latter serve as root to the certs used for mTLS connections between linkerd proxies.

You'll be able to remove identityTrustAnchorsPEM only as long as you provide your own through a linkerd-identity-trust-roots ConfigMap, but that won't be possible until stable-2.11

[sysarch-repo]

@alpeb thanks for your answer! As always, very helpful!

I now see what you mean with this special-purpose CA cert:
{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}

So with your answer, this is clear and I will use the cert-manager CA injector to inject the CA bundle in the webhook configs while still sourcing the identityTrustAnchorsPEM parameter in the deployment process. I see the proxy is using the data and - in 2.10.x - also the identity component as per:

env:
- name: LINKERD2_IDENTITY_TRUST_ANCHORS
  value: "YWJj"

Time to deploy linkerd now with all info I have needed in place. Thanks again!