From 56f48a3e02cdaea3389a6be02d9b79a2aebc6917 Mon Sep 17 00:00:00 2001 From: katelyn martin Date: Mon, 17 Nov 2025 00:00:00 +0000 Subject: [PATCH 1/2] refactor(rustls): depend on `tokio-rustls` via `linkerd-rustls` Signed-off-by: katelyn martin --- Cargo.lock | 5 +--- Cargo.toml | 3 --- linkerd/app/integration/Cargo.toml | 16 ++++++------- linkerd/app/integration/src/client.rs | 4 ++-- linkerd/app/integration/src/identity.rs | 6 +++-- linkerd/app/integration/src/server.rs | 2 +- linkerd/app/outbound/Cargo.toml | 2 +- linkerd/app/outbound/src/tls/logical/tests.rs | 12 +++++----- linkerd/meshtls/Cargo.toml | 6 ++--- linkerd/meshtls/src/client.rs | 5 +++- linkerd/meshtls/src/creds.rs | 2 +- linkerd/meshtls/src/creds/receiver.rs | 2 +- linkerd/meshtls/src/creds/store.rs | 6 ++--- linkerd/meshtls/src/creds/verify.rs | 23 +++++++++++-------- linkerd/meshtls/src/server.rs | 5 +++- linkerd/rustls/Cargo.toml | 12 ++++++++-- linkerd/rustls/src/crypto.rs | 2 +- linkerd/rustls/src/lib.rs | 7 ++++++ 18 files changed, 70 insertions(+), 50 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 75da58e2f6..3db847f3e9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1541,7 +1541,6 @@ dependencies = [ "serde_json", "socket2 0.6.1", "tokio", - "tokio-rustls", "tokio-stream", "tonic", "tower", @@ -1577,6 +1576,7 @@ dependencies = [ "linkerd-opaq-route", "linkerd-proxy-client-policy", "linkerd-retry", + "linkerd-rustls", "linkerd-stack", "linkerd-tls-route", "linkerd-tonic-stream", @@ -1589,7 +1589,6 @@ dependencies = [ "prometheus-client", "thiserror", "tokio", - "tokio-rustls", "tokio-test", "tonic", "tower", @@ -2006,10 +2005,8 @@ dependencies = [ "linkerd-tracing", "rcgen", "rustls-pemfile", - "rustls-webpki", "thiserror", "tokio", - "tokio-rustls", "tracing", ] diff --git a/Cargo.toml b/Cargo.toml index df0c3d562d..3f6c0c1f41 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -110,9 +110,6 @@ prometheus-client = { version = "0.23" } prost = { version = "0.14" } prost-build = { version = "0.14", default-features = false } prost-types = { version = "0.14" } -tokio-rustls = { version = "0.26", default-features = false, features = [ - "logging", -] } tonic = { version = "0.14", default-features = false } tonic-prost = { version = "0.14", default-features = false } tonic-prost-build = { version = "0.14", default-features = false } diff --git a/linkerd/app/integration/Cargo.toml b/linkerd/app/integration/Cargo.toml index f0caf132e9..ef2dda59d2 100644 --- a/linkerd/app/integration/Cargo.toml +++ b/linkerd/app/integration/Cargo.toml 
@@ -25,25 +25,25 @@ http-body = { workspace = true } http-body-util = { workspace = true } hyper-util = { workspace = true, features = ["service"] } ipnet = "2" -linkerd-app = { path = "..", features = ["allow-loopback"] } -linkerd-app-core = { path = "../core" } -linkerd-app-test = { path = "../test" } -linkerd-meshtls = { path = "../../meshtls", features = ["test-util"] } -linkerd-metrics = { path = "../../metrics", features = ["test_util"] } -linkerd-rustls = { path = "../../rustls" } -linkerd-tracing = { path = "../../tracing" } maplit = "1" parking_lot = "0.12" regex = "1" rustls-pemfile = "2.2" socket2 = "0.6" tokio = { version = "1", features = ["io-util", "net", "rt", "macros"] } -tokio-rustls = { workspace = true } tokio-stream = { version = "0.1", features = ["sync"] } tonic = { workspace = true, features = ["transport", "router"], default-features = false } tower = { workspace = true, default-features = false } tracing = { workspace = true } +linkerd-app = { path = "..", features = ["allow-loopback"] } +linkerd-app-core = { path = "../core" } +linkerd-app-test = { path = "../test" } +linkerd-meshtls = { path = "../../meshtls", features = ["test-util"] } +linkerd-metrics = { path = "../../metrics", features = ["test_util"] } +linkerd-rustls = { path = "../../rustls" } +linkerd-tracing = { path = "../../tracing" } + [dependencies.hyper] workspace = true features = [ diff --git a/linkerd/app/integration/src/client.rs b/linkerd/app/integration/src/client.rs index 11d39ad2b3..944c2b27db 100644 --- a/linkerd/app/integration/src/client.rs +++ b/linkerd/app/integration/src/client.rs 
@@ -1,10 +1,10 @@ use super::*; use http::{Request, Response}; use linkerd_app_core::{proxy::http::TokioExecutor, svc::http::BoxBody}; +use linkerd_rustls::tokio_rustls::rustls::{self, ClientConfig}; use parking_lot::Mutex; use std::io; use tokio::{net::TcpStream, task::JoinHandle}; -use tokio_rustls::rustls::{self, ClientConfig}; use tracing::info_span; type ClientError = hyper_util::client::legacy::Error; @@ -342,7 +342,7 @@ impl tower::Service for Conn { client_config, }) = tls { - let io = tokio_rustls::TlsConnector::from(client_config.clone()) + let io = linkerd_rustls::tokio_rustls::TlsConnector::from(client_config.clone()) .connect(name, io) .await?; Box::pin(io) as Pin> diff --git a/linkerd/app/integration/src/identity.rs b/linkerd/app/integration/src/identity.rs index dbf6ad9b1f..0cb8a33641 100644 --- a/linkerd/app/integration/src/identity.rs +++ b/linkerd/app/integration/src/identity.rs @@ -8,8 +8,10 @@ use std::{ }; use linkerd2_proxy_api::identity as pb; -use linkerd_rustls::get_default_provider; -use tokio_rustls::rustls::{self, server::WebPkiClientVerifier}; +use linkerd_rustls::{ + get_default_provider, + tokio_rustls::rustls::{self, server::WebPkiClientVerifier}, +}; use tonic as grpc; pub struct Identity { diff --git a/linkerd/app/integration/src/server.rs b/linkerd/app/integration/src/server.rs index 0099e84ef4..9312eaf7da 100644 --- a/linkerd/app/integration/src/server.rs +++ b/linkerd/app/integration/src/server.rs @@ -2,12 +2,12 @@ use super::app_core::svc::http::TokioExecutor; use super::*; use http::{Request, Response}; use linkerd_app_core::svc::http::BoxBody; +use linkerd_rustls::tokio_rustls::{rustls::ServerConfig, TlsAcceptor}; use std::{ io, sync::atomic::{AtomicUsize, Ordering}, }; use tokio::{net::TcpStream, task::JoinHandle}; -use tokio_rustls::{rustls::ServerConfig, TlsAcceptor}; pub fn new() -> Server { http2() diff --git a/linkerd/app/outbound/Cargo.toml b/linkerd/app/outbound/Cargo.toml index 08b7739971..6bbe2d901c 100644 
--- a/linkerd/app/outbound/Cargo.toml +++ b/linkerd/app/outbound/Cargo.toml @@ -59,7 +59,6 @@ http-body-util = { workspace = true, features = ["channel"] } hyper = { workspace = true, features = ["http1", "http2"] } hyper-util = { workspace = true } tokio = { version = "1", features = ["macros", "sync", "time"] } -tokio-rustls = { workspace = true } tokio-test = "0.4" tower-test = { workspace = true } @@ -71,6 +70,7 @@ linkerd-meshtls = { path = "../../meshtls", features = [ "test-util", ] } linkerd-mock-http-body = { path = "../../mock/http-body" } +linkerd-rustls = { path = "../../rustls" } linkerd-stack = { path = "../../stack", features = ["test-util"] } linkerd-tracing = { path = "../../tracing", features = ["ansi"] } diff --git a/linkerd/app/outbound/src/tls/logical/tests.rs b/linkerd/app/outbound/src/tls/logical/tests.rs index dc7a677b7b..28a7146491 100644 --- a/linkerd/app/outbound/src/tls/logical/tests.rs +++ b/linkerd/app/outbound/src/tls/logical/tests.rs @@ -8,6 +8,11 @@ use linkerd_app_core::{ }; use linkerd_app_test::{AsyncReadExt, AsyncWriteExt}; use linkerd_proxy_client_policy::{self as client_policy, tls::sni}; +use linkerd_rustls::tokio_rustls::rustls::{ + internal::msgs::codec::{Codec, Reader}, + pki_types::DnsName, + InvalidMessage, +}; use parking_lot::Mutex; use std::{ collections::HashMap, @@ -18,11 +23,6 @@ use std::{ time::Duration, }; use tokio::sync::watch; -use tokio_rustls::rustls::{ - internal::msgs::codec::{Codec, Reader}, - pki_types::DnsName, - InvalidMessage, -}; mod basic; @@ -174,7 +174,7 @@ fn sni_route(backend: client_policy::Backend, sni: sni::MatchSni) -> client_poli // generates a sample ClientHello TLS message for testing fn generate_client_hello(sni: &str) -> Vec { - use tokio_rustls::rustls::{ + use linkerd_rustls::tokio_rustls::rustls::{ internal::msgs::{base::Payload, codec::Codec, message::PlainMessage}, ContentType, ProtocolVersion, }; 
diff --git a/linkerd/meshtls/Cargo.toml b/linkerd/meshtls/Cargo.toml index 86b732d91a..f6f8e42bf6 100644 --- a/linkerd/meshtls/Cargo.toml +++ b/linkerd/meshtls/Cargo.toml @@ -7,16 +7,14 @@ edition = "2018" publish = { workspace = true } [features] -rustls-aws-lc-fips = ["tokio-rustls/fips"] +rustls-aws-lc-fips = ["linkerd-rustls/rustls-aws-lc-fips"] test-util = ["linkerd-tls-test-util"] [dependencies] futures = { version = "0.3", default-features = false } rustls-pemfile = "2.2" -rustls-webpki = { version = "0.103.8", default-features = false, features = ["std", "aws-lc-rs"] } thiserror = "2" tokio = { version = "1", features = ["macros", "rt", "sync"] } -tokio-rustls = { workspace = true, features = ["aws-lc-rs"] } tracing = { workspace = true } linkerd-dns-name = { path = "../dns/name" } @@ -37,4 +35,4 @@ rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "p linkerd-conditional = { path = "../conditional" } linkerd-proxy-transport = { path = "../proxy/transport" } linkerd-tls-test-util = { path = "../tls/test-util" } -linkerd-tracing = { path = "../tracing", features = ["ansi"] } \ No newline at end of file +linkerd-tracing = { path = "../tracing", features = ["ansi"] } diff --git a/linkerd/meshtls/src/client.rs b/linkerd/meshtls/src/client.rs index 00f59d50a3..7c91923abc 100644 --- a/linkerd/meshtls/src/client.rs +++ b/linkerd/meshtls/src/client.rs 
@@ -2,11 +2,14 @@ use futures::prelude::*; use linkerd_identity as id; use linkerd_io as io; use linkerd_meshtls_verifier as verifier; +use linkerd_rustls::tokio_rustls::{ + self, + rustls::{self, pki_types::CertificateDer, ClientConfig}, +}; use linkerd_stack::{NewService, Service}; use linkerd_tls::{client::AlpnProtocols, ClientTls, NegotiatedProtocol, NegotiatedProtocolRef}; use std::{convert::TryFrom, pin::Pin, sync::Arc, task::Context}; use tokio::sync::watch; -use tokio_rustls::rustls::{self, pki_types::CertificateDer, ClientConfig}; /// A `NewService` that produces `Connect` services from a dynamic TLS configuration. #[derive(Clone)] diff --git a/linkerd/meshtls/src/creds.rs b/linkerd/meshtls/src/creds.rs index 590852de02..b08506ece6 100644 --- a/linkerd/meshtls/src/creds.rs +++ b/linkerd/meshtls/src/creds.rs @@ -6,10 +6,10 @@ pub use self::{receiver::Receiver, store::Store}; use linkerd_dns_name as dns; use linkerd_error::Result; use linkerd_identity as id; +use linkerd_rustls::tokio_rustls::rustls; use std::sync::Arc; use thiserror::Error; use tokio::sync::watch; -use tokio_rustls::rustls::{self}; use tracing::warn; #[derive(Debug, Error)] diff --git a/linkerd/meshtls/src/creds/receiver.rs b/linkerd/meshtls/src/creds/receiver.rs index 07da53e0c3..aa55c6e0f4 100644 --- a/linkerd/meshtls/src/creds/receiver.rs +++ b/linkerd/meshtls/src/creds/receiver.rs @@ -1,9 +1,9 @@ use crate::{NewClient, Server}; use linkerd_dns_name as dns; use linkerd_identity::Id; +use linkerd_rustls::tokio_rustls::rustls; use std::sync::Arc; use tokio::sync::watch; -use tokio_rustls::rustls; /// Receives TLS config updates to build `NewClient` and `Server` types. #[derive(Clone)] diff --git a/linkerd/meshtls/src/creds/store.rs b/linkerd/meshtls/src/creds/store.rs index 5b1e23f271..e51c117ddd 100644 --- a/linkerd/meshtls/src/creds/store.rs +++ b/linkerd/meshtls/src/creds/store.rs 
@@ -2,14 +2,14 @@ use linkerd_dns_name as dns; use linkerd_error::Result; use linkerd_identity as id; use linkerd_meshtls_verifier as verifier; -use std::{convert::TryFrom, sync::Arc}; -use tokio::sync::watch; -use tokio_rustls::rustls::{ +use linkerd_rustls::tokio_rustls::rustls::{ self, pki_types::{PrivatePkcs8KeyDer, UnixTime}, server::WebPkiClientVerifier, sign::CertifiedKey, }; +use std::{convert::TryFrom, sync::Arc}; +use tokio::sync::watch; use tracing::debug; pub struct Store { diff --git a/linkerd/meshtls/src/creds/verify.rs b/linkerd/meshtls/src/creds/verify.rs index 3a522f6831..4f38d5e9e3 100644 --- a/linkerd/meshtls/src/creds/verify.rs +++ b/linkerd/meshtls/src/creds/verify.rs @@ -1,15 +1,20 @@ -use linkerd_rustls::SUPPORTED_SIG_ALGS; -use std::{convert::TryFrom, sync::Arc}; -use tokio_rustls::rustls::{ - self, - client::{ +use linkerd_rustls::{ + tokio_rustls::{ self, - danger::{ServerCertVerified, ServerCertVerifier}, + rustls::{ + self, + client::{ + self, + danger::{ServerCertVerified, ServerCertVerifier}, + }, + pki_types::{CertificateDer, ServerName, UnixTime}, + server::ParsedCertificate, + RootCertStore, + }, }, - pki_types::{CertificateDer, ServerName, UnixTime}, - server::ParsedCertificate, - RootCertStore, + SUPPORTED_SIG_ALGS, }; +use std::{convert::TryFrom, sync::Arc}; use tracing::trace; #[derive(Debug)] diff --git a/linkerd/meshtls/src/server.rs b/linkerd/meshtls/src/server.rs index 844830e1ee..923f0d5041 100644 --- a/linkerd/meshtls/src/server.rs +++ b/linkerd/meshtls/src/server.rs 
@@ -2,12 +2,15 @@ use futures::prelude::*; use linkerd_dns_name as dns; use linkerd_io as io; use linkerd_meshtls_verifier as verifier; +use linkerd_rustls::tokio_rustls::{ + self, + rustls::{pki_types::CertificateDer, ServerConfig}, +}; use linkerd_stack::{Param, Service}; use linkerd_tls::{ClientId, NegotiatedProtocol, NegotiatedProtocolRef, ServerName, ServerTls}; use std::{pin::Pin, sync::Arc, task::Context}; use thiserror::Error; use tokio::sync::watch; -use tokio_rustls::rustls::{pki_types::CertificateDer, ServerConfig}; use tracing::debug; /// A Service that terminates TLS connections using a dynamically updated server configuration. diff --git a/linkerd/rustls/Cargo.toml b/linkerd/rustls/Cargo.toml index 68cd4cd738..53ab01f075 100644 --- a/linkerd/rustls/Cargo.toml +++ b/linkerd/rustls/Cargo.toml @@ -7,8 +7,16 @@ edition = "2018" publish = { workspace = true } [features] -rustls-aws-lc-fips = ["tokio-rustls/fips"] +default = ["tokio-rustls-0-26"] +tokio-rustls-0-26 = ["dep:tokio-rustls-0-26"] +rustls-aws-lc-fips = ["tokio-rustls-0-26?/fips"] [dependencies] rustls-webpki = { version = "0.103.8", default-features = false, features = ["std", "aws-lc-rs"] } -tokio-rustls = { workspace = true, features = ["aws-lc-rs"] } \ No newline at end of file + +[dependencies.tokio-rustls-0-26] +package = "tokio-rustls" +version = "0.26" +default-features = false +features = ["aws-lc-rs", "logging"] +optional = true diff --git a/linkerd/rustls/src/crypto.rs b/linkerd/rustls/src/crypto.rs index e7f4b5a3b8..ddac6151ea 100644 --- a/linkerd/rustls/src/crypto.rs +++ b/linkerd/rustls/src/crypto.rs @@ -1,4 +1,4 @@ -use tokio_rustls::rustls::{ +use crate::tokio_rustls::rustls::{ self, crypto::{ aws_lc_rs::{self, default_provider as aws_lc_default_provider}, diff --git a/linkerd/rustls/src/lib.rs b/linkerd/rustls/src/lib.rs index 3a8add3976..b77db57728 100644 --- a/linkerd/rustls/src/lib.rs +++ b/linkerd/rustls/src/lib.rs 
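Review bot: In the `linkerd/rustls/Cargo.toml` hunk, `rustls-aws-lc-fips = ["tokio-rustls-0-26?/fips"]` is a weak feature implication, so a consumer that sets `default-features = false` and asks only for `rustls-aws-lc-fips` gets no `fips` feature on `tokio-rustls` at all, and the FIPS flag resolves silently to a non-FIPS build instead of being rejected. Since the crate is unusable without a `tokio-rustls` version feature anyway (`crypto.rs` reads `crate::tokio_rustls::rustls` in the same patch), the implication should be strong: `rustls-aws-lc-fips = ["tokio-rustls-0-26/fips"]`, which also enables the `tokio-rustls-0-26` feature. A short comment above `[features]`, `# Exactly one tokio-rustls-* version feature must be enabled; rustls-aws-lc-fips forwards `fips` to it.`, would make the contract visible to workspace consumers.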
@@ -22,3 +22,10 @@ pub fn get_default_provider() -> Arc { Arc::clone(CryptoProvider::get_default().expect("Default crypto provider must be installed")) } + +pub mod tokio_rustls { + // TODO(kate): for now, solely work with 0.26. + + #[cfg(feature = "tokio-rustls-0-26")] + pub use tokio_rustls_0_26::*; +} From 7905ccad21aff4e7d8a45bf744a34c2a96b190a3 Mon Sep 17 00:00:00 2001 From: katelyn martin Date: Mon, 17 Nov 2025 00:00:00 +0000 Subject: [PATCH 2/2] refactor(rcgen): depend on `rcgen` via `linkerd-rustls` Signed-off-by: katelyn martin --- Cargo.lock | 6 +++--- linkerd/meshtls/Cargo.toml | 2 +- linkerd/meshtls/tests/util.rs | 2 +- linkerd/meshtls/verifier/Cargo.toml | 2 +- linkerd/meshtls/verifier/src/lib.rs | 2 +- linkerd/proxy/spire-client/Cargo.toml | 2 +- linkerd/proxy/spire-client/src/api.rs | 2 +- linkerd/proxy/spire-client/src/lib.rs | 2 +- linkerd/rustls/Cargo.toml | 8 ++++++++ linkerd/rustls/src/lib.rs | 6 ++++++ 10 files changed, 24 insertions(+), 10 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3db847f3e9..ab5c47c582 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2003,7 +2003,6 @@ dependencies = [ "linkerd-tls", "linkerd-tls-test-util", "linkerd-tracing", - "rcgen", "rustls-pemfile", "thiserror", "tokio", @@ -2016,7 +2015,7 @@ version = "0.1.0" dependencies = [ "linkerd-error", "linkerd-identity", - "rcgen", + "linkerd-rustls", "tracing", "x509-parser", ] @@ -2326,8 +2325,8 @@ dependencies = [ "linkerd-exp-backoff", "linkerd-identity", "linkerd-proxy-http", + "linkerd-rustls", "linkerd-tonic-watch", - "rcgen", "simple_asn1", "spiffe-proto", "thiserror", @@ -2439,6 +2438,7 @@ dependencies = [ name = "linkerd-rustls" version = "0.1.0" dependencies = [ + "rcgen", "rustls-webpki", "tokio-rustls", ] diff --git a/linkerd/meshtls/Cargo.toml b/linkerd/meshtls/Cargo.toml index f6f8e42bf6..ced20951a5 100644 --- a/linkerd/meshtls/Cargo.toml +++ b/linkerd/meshtls/Cargo.toml 
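Review bot: `pub mod tokio_rustls` in the `linkerd/rustls/src/lib.rs` hunk is exported unconditionally but is empty when the `tokio-rustls-0-26` feature is off, so a `default-features = false` build fails on an unresolved path like `linkerd_rustls::tokio_rustls::rustls` rather than on a message naming the missing feature. A guard next to the re-export makes the failure explicit: `#[cfg(not(feature = "tokio-rustls-0-26"))]` followed by `compile_error!("linkerd-rustls requires a tokio-rustls version feature (enable `tokio-rustls-0-26`)");`. The public module also has no doc comment; `/// Re-export of the `tokio-rustls` version selected by this crate's feature flags; dependents should use this path rather than depending on `tokio-rustls` directly.` states the intent the TODO only hints at.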
@@ -30,9 +30,9 @@ linkerd-tls-test-util = { path = "../tls/test-util", optional = true } [dev-dependencies] tokio = { version = "1", features = ["macros", "net", "rt-multi-thread"] } tracing = { workspace = true } -rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] } linkerd-conditional = { path = "../conditional" } linkerd-proxy-transport = { path = "../proxy/transport" } +linkerd-rustls = { path = "../rustls", features = ["test-util"] } linkerd-tls-test-util = { path = "../tls/test-util" } linkerd-tracing = { path = "../tracing", features = ["ansi"] } diff --git a/linkerd/meshtls/tests/util.rs b/linkerd/meshtls/tests/util.rs index b5f033b4a8..536aae5e6f 100644 --- a/linkerd/meshtls/tests/util.rs +++ b/linkerd/meshtls/tests/util.rs @@ -13,12 +13,12 @@ use linkerd_proxy_transport::{ listen::{Addrs, Bind, BindTcp}, ConnectTcp, Keepalive, UserTimeout, }; +use linkerd_rustls::rcgen::{BasicConstraints, CertificateParams, IsCa, Issuer, KeyPair, SanType}; use linkerd_stack::{ layer::Layer, service_fn, ExtractParam, InsertParam, NewService, Param, ServiceExt, }; use linkerd_tls as tls; use linkerd_tls_test_util as test_util; -use rcgen::{BasicConstraints, CertificateParams, IsCa, Issuer, KeyPair, SanType}; use std::str::FromStr; use std::{ net::SocketAddr, diff --git a/linkerd/meshtls/verifier/Cargo.toml b/linkerd/meshtls/verifier/Cargo.toml index 1dc644aa2f..64a6549eb5 100644 --- a/linkerd/meshtls/verifier/Cargo.toml +++ b/linkerd/meshtls/verifier/Cargo.toml @@ -15,4 +15,4 @@ linkerd-identity = { path = "../../identity" } [dev-dependencies] -rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] } +linkerd-rustls = { path = "../../rustls", features = ["test-util"] } diff --git a/linkerd/meshtls/verifier/src/lib.rs b/linkerd/meshtls/verifier/src/lib.rs index a2f319287b..a410af7fb4 100644 --- a/linkerd/meshtls/verifier/src/lib.rs +++ b/linkerd/meshtls/verifier/src/lib.rs 
@@ -58,7 +58,7 @@ mod tests { use crate::client_identity; use crate::verify_id; use linkerd_identity::Id; - use rcgen::{CertificateParams, KeyPair, SanType}; + use linkerd_rustls::rcgen::{CertificateParams, KeyPair, SanType}; fn generate_cert_with_names(subject_alt_names: Vec) -> Vec { let key = KeyPair::generate().expect("should generate key"); diff --git a/linkerd/proxy/spire-client/Cargo.toml b/linkerd/proxy/spire-client/Cargo.toml index 7e3b03b52b..0edd9bc928 100644 --- a/linkerd/proxy/spire-client/Cargo.toml +++ b/linkerd/proxy/spire-client/Cargo.toml @@ -23,4 +23,4 @@ asn1 = { version = "0.6", package = "simple_asn1" } thiserror = "2" [dev-dependencies] -rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] } +linkerd-rustls = { path = "../../rustls", features = ["test-util"] } diff --git a/linkerd/proxy/spire-client/src/api.rs b/linkerd/proxy/spire-client/src/api.rs index bda890d744..b1c49c4319 100644 --- a/linkerd/proxy/spire-client/src/api.rs +++ b/linkerd/proxy/spire-client/src/api.rs @@ -220,7 +220,7 @@ where #[cfg(test)] mod tests { use crate::api::Svid; - use rcgen::{CertificateParams, KeyPair, SanType}; + use linkerd_rustls::rcgen::{CertificateParams, KeyPair, SanType}; use spiffe_proto::client as api; fn gen_svid_pb(id: String, subject_alt_names: Vec) -> api::X509svid { diff --git a/linkerd/proxy/spire-client/src/lib.rs b/linkerd/proxy/spire-client/src/lib.rs index bcc0dab46b..b766cdab1e 100644 --- a/linkerd/proxy/spire-client/src/lib.rs +++ b/linkerd/proxy/spire-client/src/lib.rs @@ -62,7 +62,7 @@ mod tests { use crate::api::Svid; use linkerd_error::Result; use linkerd_identity::DerX509; - use rcgen::{CertificateParams, KeyPair, SanType, SerialNumber}; + use linkerd_rustls::rcgen::{CertificateParams, KeyPair, SanType, SerialNumber}; use std::time::SystemTime; fn gen_svid(id: Id, subject_alt_names: Vec, serial: SerialNumber) -> Svid { 
diff --git a/linkerd/rustls/Cargo.toml b/linkerd/rustls/Cargo.toml index 53ab01f075..750408bd38 100644 --- a/linkerd/rustls/Cargo.toml +++ b/linkerd/rustls/Cargo.toml @@ -10,6 +10,7 @@ publish = { workspace = true } default = ["tokio-rustls-0-26"] tokio-rustls-0-26 = ["dep:tokio-rustls-0-26"] rustls-aws-lc-fips = ["tokio-rustls-0-26?/fips"] +test-util = ["dep:rcgen-0-14-5"] [dependencies] rustls-webpki = { version = "0.103.8", default-features = false, features = ["std", "aws-lc-rs"] } @@ -20,3 +21,10 @@ version = "0.26" default-features = false features = ["aws-lc-rs", "logging"] optional = true + +[dependencies.rcgen-0-14-5] +package = "rcgen" +version = "0.14.5" +default-features = false +features = ["crypto", "pem", "aws_lc_rs"] +optional = true diff --git a/linkerd/rustls/src/lib.rs b/linkerd/rustls/src/lib.rs index b77db57728..d7753fa39f 100644 --- a/linkerd/rustls/src/lib.rs +++ b/linkerd/rustls/src/lib.rs @@ -23,6 +23,12 @@ pub fn get_default_provider() -> Arc { Arc::clone(CryptoProvider::get_default().expect("Default crypto provider must be installed")) } +#[cfg(feature = "test-util")] +pub mod rcgen { + // TODO(kate): for now, solely work with 0.14.5. + pub use rcgen_0_14_5::*; +} + pub mod tokio_rustls { // TODO(kate): for now, solely work with 0.26.
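Review bot: The new `test-util = ["dep:rcgen-0-14-5"]` feature in `linkerd/rustls/Cargo.toml` is undocumented, and because Cargo unifies features across the graph, any non-dev dependency that enables it would link a certificate and key generator into the proxy binary; every consumer in this patch enables it only from `[dev-dependencies]`, which is the intended use. A comment on the feature line makes that explicit: `# test-util re-exports rcgen for generating throwaway certificates in tests; only enable it from [dev-dependencies].`. The pinned `version = "0.14.5"` and feature set `["crypto", "pem", "aws_lc_rs"]` match the direct dev-dependencies this patch removes, so behaviour for existing tests appears unchanged.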