duplicated copies of trust anchor certificate

[duxing]

What problem are you trying to solve?

I followed this guide to set up automatic control plane tls cert rotations and it's working as expected.
however, after linkerd-control-plane is installed, I noticed that the trust anchor certificate has multiple copies on k8s:

• kind: Secret (name: linkerd-trust-anchor) from this step
• kind: ConfigMap (name: linkerd-identity-trust-roots) from helm install/upgrade: --set-file identityTrustAnchorsPEM=<path_to_ca_cert>, which I believe lead to the creation of this ConfigMap object

How should the problem be solved?

Would it be possible to include a feature in the helm chart to allow reading trust anchor cert from an existing TLS-typed secret on k8s? or even generalize that to support "external trust anchor", fetching from a few different options, where existing k8s secret is one of them.

identityTrustAnchorsPEM will continue to be supported, I just want to ask more options to set it up.

Any alternatives you've considered?

going through the latest helm chart values, I don't see any options to specify an alternative way to pass in trust anchor other than using identityTrustAnchorsPEM.

pardon my limited knowledge on linkerd: I'm not 100% sure if this doable with the current version of linked chart, please correct me if I'm wrong.

How would users interact with this feature?

No response

Would you like to work on this feature?

None

[duxing]

@kflynn ty for the amazing guides! do you mind sharing your opinion on this?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.