chore: migrate from rustls-pemfile to rustls-pki-types (#4487)

see https://github.com/rustls/pemfile/issues/61, and RUSTSEC-2025-0134. see also, https://github.com/olix0r/kubert/pull/432.

this branch updates the place where we invoke rustls_pemfile::certs inside of linkerd-meshtls and linkerd-app-integration.

see https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/lib.rs.html#85-93 for a link to the original certs() function being replaced here:

 // https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/lib.rs.html#85-93
 pub fn certs(
     rd: &mut dyn io::BufRead,
 ) -> impl Iterator<Item = Result<CertificateDer<'static>, io::Error>> + '_ {
     iter::from_fn(move || read_one(rd).transpose()).filter_map(|item| match item {
         Ok(Item::X509Certificate(cert)) => Some(Ok(cert)),
         Err(err) => Some(Err(err)),
         _ => None,
     })
 }

 // https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/pemfile.rs.html
 /// Extract and decode the next PEM section from `rd`.
 ///
 /// - Ok(None) is returned if there is no PEM section read from `rd`.
 /// - Underlying IO errors produce a `Err(...)`
 /// - Otherwise each decoded section is returned with a `Ok(Some(Item::...))`
 ///
 /// You can use this function to build an iterator, for example:
 /// `for item in iter::from_fn(|| read_one(rd).transpose()) { ... }`
 #[cfg(feature = "std")]
 pub fn read_one(rd: &mut dyn io::BufRead) -> Result<Option<Item>, io::Error> {
     Item::from_buf(rd).map_err(|err| match err {
         pem::Error::Io(io) => io,
         other => Error::from(other).into(),
     })
 }

in rustls_pki_types, we do this using the PemObject trait. this provides facilities to read PEM files through various interfaces, but pem_slice_iter() feels like the most natural fit here. this takes an in-memory &'a [u8] byte slice representing the contents of a PEM file, and returns an iterator yielding CertificateDer deserialized certificates.

that closely follows the same interface that certs() (above) presented us.

https://docs.rs/rustls-pki-types/latest/rustls_pki_types/pem/trait.PemObject.html#method.pem_slice_iter

refactor: rustls-pemfile is a workspace dependency

Signed-off-by: katelyn martin kate@buoyant.io

refactor: replace rustls-pemfile with rustls-pki-types

NB: code is not update here, only package manifests.

Signed-off-by: katelyn martin kate@buoyant.io

chore(meshtls): update rustls_pemfile::certs call

this commit updates the place where we invoke rustls_pemfile::certs inside of linkerd-meshtls.

see https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/lib.rs.html#85-93 for a link to the original certs() function being replaced here:

 // https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/lib.rs.html#85-93
 pub fn certs(
     rd: &mut dyn io::BufRead,
 ) -> impl Iterator<Item = Result<CertificateDer<'static>, io::Error>> + '_ {
     iter::from_fn(move || read_one(rd).transpose()).filter_map(|item| match item {
         Ok(Item::X509Certificate(cert)) => Some(Ok(cert)),
         Err(err) => Some(Err(err)),
         _ => None,
     })
 }

 // https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/pemfile.rs.html
 /// Extract and decode the next PEM section from `rd`.
 ///
 /// - Ok(None) is returned if there is no PEM section read from `rd`.
 /// - Underlying IO errors produce a `Err(...)`
 /// - Otherwise each decoded section is returned with a `Ok(Some(Item::...))`
 ///
 /// You can use this function to build an iterator, for example:
 /// `for item in iter::from_fn(|| read_one(rd).transpose()) { ... }`
 #[cfg(feature = "std")]
 pub fn read_one(rd: &mut dyn io::BufRead) -> Result<Option<Item>, io::Error> {
     Item::from_buf(rd).map_err(|err| match err {
         pem::Error::Io(io) => io,
         other => Error::from(other).into(),
     })
 }

that closely follows the same interface that certs() (above) presented us.

https://docs.rs/rustls-pki-types/latest/rustls_pki_types/pem/trait.PemObject.html#method.pem_slice_iter

Signed-off-by: katelyn martin kate@buoyant.io

chore(app/integration): update rustls_pemfile::certs calls

as with the previous commit, we update calls to rustls_pemfile::certs.

Signed-off-by: katelyn martin kate@buoyant.io

refactor: use AsRef<[u8]> for byte slices

this polishes some type signatures. CertificateDer::pem_slice_iter accepts a slice of bytes. we must, for various reasons such as dealing with our TestEnv system, sometimes hold our PEM data in the form of a UTF-8 string.

this commit uses AsRef to coerce types to a slice of bytes rather than presenting these parameters as &str string slices, which is needlessly specific.

Signed-off-by: katelyn martin kate@buoyant.io

refactor: rustls-webpki is a workspace dependency

this crate is related to rustls-pki-types, and the feature flags we set on rustls-webpki affects which flags are enabled on rustls-pki-types.

defining both as workspace dependencies should help make this relationship slightly more discoverable.

Signed-off-by: katelyn martin kate@buoyant.io

nit(app/integration): add rustls-pki-typess/std flag

strictly speaking, we need this feature flag.

it’s enabled for us already as part of linkerd-meshtls‘s dependency on the rustls-webpki/alloc flag, which linkerd-app-integration in turns depends on.

that said, it’s nice to be extra clear that we depend upon the std flag should that change in the future.

Signed-off-by: katelyn martin kate@buoyant.io

The Linkerd Proxy

linkerd2

This repo contains the transparent proxy component of Linkerd2. While the Linkerd2 proxy is heavily influenced by the Linkerd 1.X proxy, it comprises an entirely new codebase implemented in the Rust programming language.

This proxy’s features include:

Transparent, zero-config proxying for HTTP, HTTP/2, and arbitrary TCP protocols.
Automatic Prometheus metrics export for HTTP and TCP traffic;
Transparent, zero-config WebSocket proxying;
Automatic, latency-aware, layer-7 load balancing;
Automatic layer-4 load balancing for non-HTTP traffic;
Automatic Mutual TLS;
An on-demand diagnostic tap API.

This proxy is primarily intended to run on Linux in containerized environments like Kubernetes, though it may also work on other Unix-like systems (like macOS).

The proxy supports service discovery via DNS and the linkerd2 Destination gRPC API.

The Linkerd project is hosted by the Cloud Native Computing Foundation (CNCF).

Building the project

We use just-cargo which provide a thin wrapper around just and cargo.

We recommend that you use the included Dev Container to avoid setting up the complex development environment by hand.

Just

A justfile is provided to automate most build tasks. It provides the following recipes:

just build – Compiles the proxy on your local system using cargo
just test – Runs unit and integration tests on your local system using cargo
just docker – Builds a Docker container image that can be used for testing.

Cargo

Usually, Cargo, Rust’s package manager, is used to build and test this project. If you don’t have Cargo installed, we suggest getting it via https://rustup.rs/.

Devcontainer

A Devcontainer is provided for use with Visual Studio Code. It includes all of the tooling needed to build and test the proxy.

Repository Structure

This project is broken into many small libraries, or crates, so that components may be compiled & tested independently. The following crate targets are especially important:

linkerd2-proxy contains the proxy executable;
linkerd2-app-integration contains the proxy’s integration tests;
linkerd2-app bundles the linkerd2-app-inbound and linkerd2-app-outbound crates so that they may be run by the executable or integration tests.

Code of conduct

This project is for everyone. We ask that our users and contributors take a few minutes to review our code of conduct.

Security

We test our code by way of fuzzing and this is described in FUZZING.md.

A third party security audit focused on fuzzing Linkerd2-proxy was performed by Ada Logics in 2021. The full report can be found in the docs/reports/ directory.

License

Licensed under the Apache License, Version 2.0 (the “License”); you may not use these files except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.