rustls: Configure the initial TLS client with trust roots (#1355)

2dd7bb8 changed how rustls configurations are constructed; but it didn't properly configure the default client configuration with the proxy's trust root. This enables the identity client to establish TLS connections with the identity controller during startup.
linkerd · Nov 5, 2021 · 824d784 · 824d784
1 parent bb26cdc
commit 824d784
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/linkerd/meshtls/rustls/src/creds.rs b/linkerd/meshtls/rustls/src/creds.rs
@@ -39,7 +39,12 @@ pub fn watch(
     let key = EcdsaKeyPair::from_pkcs8(params::SIGNATURE_ALG_RING_SIGNING, key_pkcs8)
         .map_err(InvalidKey)?;
 
-    let (client_tx, client_rx) = watch::channel(Arc::new(rustls::ClientConfig::new()));
+    let (client_tx, client_rx) = {
+        let mut c = rustls::ClientConfig::new();
+        c.root_store = roots.clone();
+        c.enable_tickets = false;
+        watch::channel(Arc::new(c))
+    };
     let (server_tx, server_rx) = watch::channel(Arc::new(rustls::ServerConfig::new(
         rustls::AllowAnyAnonymousOrAuthenticatedClient::new(roots.clone()),
     )));