Rotating webhook certificates
Also, the viz extension uses a webhook to make pods tappable, as does the jaeger extension to enable tracing on pods.
To secure the connections between the Kubernetes API server and the webhooks, all the webhooks are TLS-enabled. The x509 certificates used by these webhooks are issued by the self-signed CA certificates embedded in the webhook configurations.
By default, these certificates have a validity period of 365 days. They are stored in the following secrets:
The rest of this documentation provides instructions on how to renew these certificates.
Manually delete these secrets and use /install to recreate them:
The above command will recreate the secrets without restarting Linkerd.
Note
For Helm users, use the helm upgrade command to recreate the deleted secrets.
Confirm that the secrets are recreated with new certificates:
Ensure that Linkerd remains healthy:
Restarting the pods that implement the webhooks and API services is usually not necessary. But if the cluster is large, or has a high pod churn, it may be advisable to restart the pods manually to avoid cascading failures.
If you observe certificate expiry errors or mismatched CA certs, restart their pods with:
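The two conditions named above, an expired leaf certificate and a CA that does not match the one in the webhook configuration, can be checked before the webhooks start failing. The following is an added example, not Linkerd's own tooling: stdlib-only helpers that read the PEM in a webhook Secret (assumed to be the `tls.crt` key of a `kubernetes.io/tls` Secret, base64-encoded as `kubectl get secret -o json` returns it) and the `caBundle` of the matching webhook configuration, then report days until expiry and whether the leaf's issuer DN equals the CA's subject DN. The certificates it runs on are constructed, unsigned skeletons built inline for demonstration; in real use, feed it the JSON of the secret and the webhook configuration instead.

```python
"""Added example: expiry and CA-match checks for a webhook TLS certificate.
Not Linkerd's code. Secret layout (.data["tls.crt"]) and caBundle location
are assumptions; sample certificates are constructed, unsigned skeletons."""
import base64
from datetime import datetime, timezone


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: 0x8N then N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield the TLVs nested inside a constructed DER value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def tbs_fields(der: bytes):
    """[serial, sigAlg, issuer, validity, subject, ...] of tbsCertificate."""
    _, cert_s, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)     # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields and fields[0][0] == 0xA0:     # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields


def not_after(der: bytes) -> datetime:
    """notAfter from validity; UTCTime (0x17) or GeneralizedTime (0x18)."""
    _, vs, ve = tbs_fields(der)[3]
    _, (tag, ts, te) = list(_children(der, vs, ve))
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[ts:te].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def issuer_matches(leaf: bytes, ca: bytes) -> bool:
    """Leaf issuer DN == CA subject DN as raw DER. Necessary, not sufficient:
    verifying the signature needs a crypto library, which is out of scope here."""
    _, is_, ie = tbs_fields(leaf)[2]
    _, ss, se = tbs_fields(ca)[4]
    return leaf[is_:ie] == ca[ss:se]


def pem_to_der(pem: str) -> bytes:
    body = "".join(ln for ln in pem.strip().splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body)


def check(secret: dict, ca_bundle_b64: str, now: datetime) -> dict:
    """Report for one Secret's tls.crt against one webhook caBundle."""
    leaf = pem_to_der(base64.b64decode(secret["data"]["tls.crt"]).decode())
    ca = pem_to_der(base64.b64decode(ca_bundle_b64).decode())
    left = (not_after(leaf) - now).total_seconds() / 86400
    return {"days_left": left, "expired": left <= 0,
            "issuer_matches_ca": issuer_matches(leaf, ca)}


# --- constructed samples (unsigned skeletons, not real certificates) --------
def _enc(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF (commonName OID 2.5.4.3, UTF8String)."""
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))


def sample_pem(subject: str, issuer: str, nb: str, na: str) -> str:
    """Certificate skeleton carrying only the fields the checks read."""
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
           + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
           + _name(issuer) + _enc(0x30, _enc(0x17, nb.encode()) + _enc(0x17, na.encode()))
           + _name(subject) + _enc(0x30, b""))                            # empty SPKI
    der = _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def make_secret(subject: str, issuer: str, nb: str, na: str) -> dict:
    """Shape of `kubectl get secret -o json` for a kubernetes.io/tls Secret."""
    pem = sample_pem(subject, issuer, nb, na)
    return {"type": "kubernetes.io/tls",
            "data": {"tls.crt": base64.b64encode(pem.encode()).decode()}}


def make_ca_bundle(cn: str, nb: str, na: str) -> str:
    """Shape of clientConfig.caBundle in a webhook configuration (self-signed)."""
    return base64.b64encode(sample_pem(cn, cn, nb, na).encode()).decode()


SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)   # fixed clock for the demo

if __name__ == "__main__":
    secret = make_secret("webhook.linkerd.svc", "webhook-ca", "260101000000Z", "261231235959Z")
    print(check(secret, make_ca_bundle("webhook-ca", "260101000000Z", "261231235959Z"), SAMPLE_NOW))
    print(check(secret, make_ca_bundle("stale-ca", "250101000000Z", "251231235959Z"), SAMPLE_NOW))
```

Run against a live cluster, the second result (issuer mismatch) is what you would see right after the secrets were recreated but before the webhook configuration was updated with the new caBundle; a negative `days_left` is the expiry case. Note that the UTCTime rule in X.509 maps two-digit years 50-99 to 1950-1999 while `strptime`'s `%y` switches at 69, which is irrelevant for any certificate issued this century.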