refactor(rcgen): depend on rcgen via linkerd-rustls

cratelyn · cratelyn · commit 7905ccad21af · 2025-11-21T11:18:54.000-05:00
Signed-off-by: katelyn martin &lt;kate@buoyant.io&gt;
diff --git a/Cargo.lock b/Cargo.lock
@@ -2003,7 +2003,6 @@ dependencies = [
  "linkerd-tls",
  "linkerd-tls-test-util",
  "linkerd-tracing",
- "rcgen",
  "rustls-pemfile",
  "thiserror",
  "tokio",
@@ -2016,7 +2015,7 @@ version = "0.1.0"
 dependencies = [
  "linkerd-error",
  "linkerd-identity",
- "rcgen",
+ "linkerd-rustls",
  "tracing",
  "x509-parser",
 ]
@@ -2326,8 +2325,8 @@ dependencies = [
  "linkerd-exp-backoff",
  "linkerd-identity",
  "linkerd-proxy-http",
+ "linkerd-rustls",
  "linkerd-tonic-watch",
- "rcgen",
  "simple_asn1",
  "spiffe-proto",
  "thiserror",
@@ -2439,6 +2438,7 @@ dependencies = [
 name = "linkerd-rustls"
 version = "0.1.0"
 dependencies = [
+ "rcgen",
  "rustls-webpki",
  "tokio-rustls",
 ]
diff --git a/linkerd/meshtls/Cargo.toml b/linkerd/meshtls/Cargo.toml
@@ -30,9 +30,9 @@ linkerd-tls-test-util = { path = "../tls/test-util", optional = true }
 [dev-dependencies]
 tokio = { version = "1", features = ["macros", "net", "rt-multi-thread"] }
 tracing = { workspace = true }
-rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] }
 
 linkerd-conditional = { path = "../conditional" }
 linkerd-proxy-transport = { path = "../proxy/transport" }
+linkerd-rustls = { path = "../rustls", features = ["test-util"] }
 linkerd-tls-test-util = { path = "../tls/test-util" }
 linkerd-tracing = { path = "../tracing", features = ["ansi"] }
diff --git a/linkerd/meshtls/tests/util.rs b/linkerd/meshtls/tests/util.rs
@@ -13,12 +13,12 @@ use linkerd_proxy_transport::{
     listen::{Addrs, Bind, BindTcp},
     ConnectTcp, Keepalive, UserTimeout,
 };
+use linkerd_rustls::rcgen::{BasicConstraints, CertificateParams, IsCa, Issuer, KeyPair, SanType};
 use linkerd_stack::{
     layer::Layer, service_fn, ExtractParam, InsertParam, NewService, Param, ServiceExt,
 };
 use linkerd_tls as tls;
 use linkerd_tls_test_util as test_util;
-use rcgen::{BasicConstraints, CertificateParams, IsCa, Issuer, KeyPair, SanType};
 use std::str::FromStr;
 use std::{
     net::SocketAddr,
diff --git a/linkerd/meshtls/verifier/Cargo.toml b/linkerd/meshtls/verifier/Cargo.toml
@@ -15,4 +15,4 @@ linkerd-identity = { path = "../../identity" }
 
 
 [dev-dependencies]
-rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] }
+linkerd-rustls = { path = "../../rustls", features = ["test-util"] }
diff --git a/linkerd/meshtls/verifier/src/lib.rs b/linkerd/meshtls/verifier/src/lib.rs
@@ -58,7 +58,7 @@ mod tests {
     use crate::client_identity;
     use crate::verify_id;
     use linkerd_identity::Id;
-    use rcgen::{CertificateParams, KeyPair, SanType};
+    use linkerd_rustls::rcgen::{CertificateParams, KeyPair, SanType};
 
     fn generate_cert_with_names(subject_alt_names: Vec<SanType>) -> Vec<u8> {
         let key = KeyPair::generate().expect("should generate key");
diff --git a/linkerd/proxy/spire-client/Cargo.toml b/linkerd/proxy/spire-client/Cargo.toml
@@ -23,4 +23,4 @@ asn1 = { version = "0.6", package = "simple_asn1" }
 thiserror = "2"
 
 [dev-dependencies]
-rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] }
+linkerd-rustls = { path = "../../rustls", features = ["test-util"] }
diff --git a/linkerd/proxy/spire-client/src/api.rs b/linkerd/proxy/spire-client/src/api.rs
@@ -220,7 +220,7 @@ where
 #[cfg(test)]
 mod tests {
     use crate::api::Svid;
-    use rcgen::{CertificateParams, KeyPair, SanType};
+    use linkerd_rustls::rcgen::{CertificateParams, KeyPair, SanType};
     use spiffe_proto::client as api;
 
     fn gen_svid_pb(id: String, subject_alt_names: Vec<SanType>) -> api::X509svid {
diff --git a/linkerd/proxy/spire-client/src/lib.rs b/linkerd/proxy/spire-client/src/lib.rs
@@ -62,7 +62,7 @@ mod tests {
     use crate::api::Svid;
     use linkerd_error::Result;
     use linkerd_identity::DerX509;
-    use rcgen::{CertificateParams, KeyPair, SanType, SerialNumber};
+    use linkerd_rustls::rcgen::{CertificateParams, KeyPair, SanType, SerialNumber};
     use std::time::SystemTime;
 
     fn gen_svid(id: Id, subject_alt_names: Vec<SanType>, serial: SerialNumber) -> Svid {
diff --git a/linkerd/rustls/Cargo.toml b/linkerd/rustls/Cargo.toml
@@ -10,6 +10,7 @@ publish = { workspace = true }
 default = ["tokio-rustls-0-26"]
 tokio-rustls-0-26 = ["dep:tokio-rustls-0-26"]
 rustls-aws-lc-fips = ["tokio-rustls-0-26?/fips"]
+test-util = ["dep:rcgen-0-14-5"]
 
 [dependencies]
 rustls-webpki = { version = "0.103.8", default-features = false, features = ["std", "aws-lc-rs"] }
@@ -20,3 +21,10 @@ version = "0.26"
 default-features = false
 features = ["aws-lc-rs", "logging"]
 optional = true
+
+[dependencies.rcgen-0-14-5]
+package = "rcgen"
+version = "0.14.5"
+default-features = false
+features = ["crypto", "pem", "aws_lc_rs"]
+optional = true
diff --git a/linkerd/rustls/src/lib.rs b/linkerd/rustls/src/lib.rs
@@ -23,6 +23,12 @@ pub fn get_default_provider() -> Arc<CryptoProvider> {
     Arc::clone(CryptoProvider::get_default().expect("Default crypto provider must be installed"))
 }
 
+#[cfg(feature = "test-util")]
+pub mod rcgen {
+    // TODO(kate): for now, solely work with 0.14.5.
+    pub use rcgen_0_14_5::*;
+}
+
 pub mod tokio_rustls {
     // TODO(kate): for now, solely work with 0.26.
 

Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,4 @@ linkerd-identity = { path = "../../identity" }`
`15`	`15`
`16`	`16`
`17`	`17`	`[dev-dependencies]`
`18`		`-rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] }`
	`18`	`+linkerd-rustls = { path = "../../rustls", features = ["test-util"] }`