refactor(identity): move equality check into app (#4430)

* refactor(app/identity): TlsIdAndServerNameNotMatching is Clone

Signed-off-by: katelyn martin <kate@buoyant.io>

* refactor(app/identity): EnvError: From<TlsIdAndServerNameNotMatching>

Signed-off-by: katelyn martin <kate@buoyant.io>

* refactor(identity): move equality check into app

this addresses a long-standing todo comment in the linkerd-identity
library. this moves a bit of validation logic that confirms, when
running in the regular "Linkerd" mode, that the `id` field contains a
DNS name, and that `server_name` matches it.

Signed-off-by: katelyn martin <kate@buoyant.io>

* refactor(identity): EnvError::TlsIdAndServerNameNotMatching

Signed-off-by: katelyn martin <kate@buoyant.io>

* nit(app): address clippy `useless_conversion` lint

Signed-off-by: katelyn martin <kate@buoyant.io>

---------

Signed-off-by: katelyn martin <kate@buoyant.io>

Author: cratelyn

linkerd/app/src/env.rs

@@ -39,6 +39,8 @@ pub enum EnvError {
     NoDestinationAddress,
     #[error("no policy service configured")]
     NoPolicyAddress,
+    #[error("linkerd identity requires a TLS Id and server name to be the same")]
+    TlsIdAndServerNameNotMatching,
 }
 
 #[derive(Debug, Error, Eq, PartialEq)]
@@ -906,6 +908,13 @@ pub fn parse_config<S: Strings>(strings: &S) -> Result<super::Config, EnvError>
                 }
             },
             None => {
+                match (&tls.id, &tls.server_name) {
+                    (linkerd_app_core::identity::Id::Dns(id), sni) if id == sni => {}
+                    (_id, _sni) => {
+                        return Err(EnvError::TlsIdAndServerNameNotMatching);
+                    }
+                };
+
                 let (addr, certify) = parse_linkerd_identity_config(strings)?;
 
                 // If the address doesn't have a server identity, then we're on localhost.

linkerd/app/src/identity.rs

@@ -14,10 +14,6 @@ use std::{future::Future, pin::Pin, time::SystemTime};
 use tokio::sync::watch;
 use tracing::Instrument;
 
-#[derive(Debug, thiserror::Error)]
-#[error("linkerd identity requires a TLS Id and server name to be the same")]
-pub struct TlsIdAndServerNameNotMatching(());
-
 #[derive(Clone, Debug)]
 #[allow(clippy::large_enum_variant)]
 pub enum Config {
@@ -83,14 +79,7 @@ impl Config {
                 certify,
                 tls,
             } => {
-                // TODO: move this validation into env.rs
-                let name = match (&tls.id, &tls.server_name) {
-                    (Id::Dns(id), sni) if id == sni => id.clone(),
-                    (_id, _sni) => {
-                        return Err(TlsIdAndServerNameNotMatching(()).into());
-                    }
-                };
-
+                let name = tls.server_name.clone();
                 let certify = Certify::from(certify);
                 let (store, receiver, ready) = watch(tls, metrics.cert)?;