Automatically Rotating Webhook TLS Credentials

    By default, when Linkerd is installed with the Linkerd CLI or with the Linkerd Helm chart, TLS credentials are automatically generated for all of the webhooks. If these certificates expire or need to be regenerated for any reason, performing a Linkerd upgrade (using the Linkerd CLI or using Helm) will regenerate them.

    This workflow is suitable for most users. However, if you need these webhook certificates to be rotated automatically on a regular basis, it is possible to use cert-manager to automatically manage them.

    As a first step, create the namespace that cert-manager will use to store its webhook-related resources. For simplicity, we suggest the default Linkerd control plane namespace:

    Save the signing key pair as a Secret

    Next, we will use the step tool to create a signing key pair which will be used to sign each of the webhook certificates:

    step certificate create webhook.linkerd.cluster.local ca.crt ca.key \
      --profile root-ca --no-password --insecure --san webhook.linkerd.cluster.local &&
    kubectl create secret tls \
      webhook-issuer-tls \
      --cert=ca.crt \
      --key=ca.key \
      --namespace=linkerd

    Issuing certificates and writing them to a secret

    Finally, we can create cert-manager “Certificate” resources which use the Issuer to generate the desired certificates:

    cat <<EOF | kubectl apply -f -
    apiVersion: cert-manager.io/v1alpha3
    kind: Certificate
    metadata:
      name: linkerd-proxy-injector
      namespace: linkerd
    spec:
      secretName: linkerd-proxy-injector-k8s-tls
      duration: 24h
      renewBefore: 1h
      issuerRef:
        name: webhook-issuer
        kind: Issuer
      commonName: linkerd-proxy-injector.linkerd.svc
      keyAlgorithm: ecdsa
      usages:
      - server auth
    ---
    apiVersion: cert-manager.io/v1alpha3
    kind: Certificate
    metadata:
      name: linkerd-sp-validator
      namespace: linkerd
    spec:
      secretName: linkerd-sp-validator-k8s-tls
      duration: 24h
      renewBefore: 1h
      issuerRef:
        name: webhook-issuer
        kind: Issuer
      commonName: linkerd-sp-validator.linkerd.svc
      keyAlgorithm: ecdsa
      usages:
      - server auth
    ---
    apiVersion: cert-manager.io/v1alpha3
    kind: Certificate
    metadata:
      name: linkerd-tap
      namespace: linkerd
    spec:
      secretName: linkerd-tap-k8s-tls
      duration: 24h
      renewBefore: 1h
      issuerRef:
        name: webhook-issuer
        kind: Issuer
      commonName: linkerd-tap.linkerd.svc
      isCA: false
      keyAlgorithm: ecdsa
      usages:
      - server auth
    EOF

    At this point cert-manager uses these Certificate resources to obtain TLS credentials, which it stores in the linkerd-proxy-injector-k8s-tls, linkerd-sp-validator-k8s-tls, and linkerd-tap-k8s-tls secrets respectively.
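    Before handing the issued credentials to Linkerd, it is worth checking that what cert-manager wrote into a webhook secret actually satisfies the two parties that depend on it: the Kubernetes API server, which verifies the webhook's tls.crt against the caBundle for the service name it dials with the server auth usage, and cert-manager's own renewBefore window. The following Go program is an added example, not code from the Linkerd or cert-manager projects; it constructs an ECDSA root shaped like the step command above (webhook.linkerd.cluster.local) and a 24h leaf for linkerd-proxy-injector.linkerd.svc entirely in memory, then runs the same check an operator would run on the tls.crt of a real secret and the ca.crt of the issuer. The function and type names (CheckWebhookCert, MakeTestPair, WebhookCertReport) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// WebhookCertReport summarises one webhook secret checked against its caBundle.
type WebhookCertReport struct {
	ChainOK      bool          // tls.crt verifies against the caBundle for server auth at the checked instant
	DNSNameOK    bool          // tls.crt carries the <service>.<namespace>.svc name the API server dials
	NeedsRenewal bool          // less than renewBefore remains before NotAfter (cert-manager would renew)
	Remaining    time.Duration // time left until NotAfter at the checked instant (negative once expired)
}

// CheckWebhookCert takes the PEM tls.crt of a webhook secret, the PEM CA that Linkerd is
// given as caBundle, the service DNS name, the instant to evaluate at, and the renewBefore
// value from the Certificate resource. Chain and name are checked separately so the report
// tells the operator which of the two is wrong.
func CheckWebhookCert(leafPEM, caPEM []byte, dnsName string, now time.Time, renewBefore time.Duration) (WebhookCertReport, error) {
	var r WebhookCertReport
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return r, errors.New("tls.crt does not contain a PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return r, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return r, errors.New("caBundle contains no parseable certificate")
	}
	_, chainErr := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // usages: server auth
	})
	r.ChainOK = chainErr == nil
	r.DNSNameOK = leaf.VerifyHostname(dnsName) == nil // matches SAN entries, not CommonName
	r.Remaining = leaf.NotAfter.Sub(now)
	r.NeedsRenewal = r.Remaining < renewBefore
	return r, nil
}

// MakeTestPair builds a constructed CA/leaf pair in memory for offline use: an ECDSA root named
// webhook.linkerd.cluster.local (as produced by the step command) and a leaf for leafDNS with
// the given duration and the server auth usage (as requested in the Certificate resources).
func MakeTestPair(notBefore time.Time, duration time.Duration, leafDNS string) (leafPEM, caPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "webhook.linkerd.cluster.local"},
		DNSNames:              []string{"webhook.linkerd.cluster.local"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // keyAlgorithm: ecdsa
	if err != nil {
		return nil, nil, err
	}
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: leafDNS},
		DNSNames:     []string{leafDNS}, // the name must be a SAN, CommonName alone is not matched
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(duration), // duration: 24h in the Certificate resources
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return leafPEM, caPEM, nil
}

func main() {
	leaf, ca, err := MakeTestPair(time.Now(), 24*time.Hour, "linkerd-proxy-injector.linkerd.svc")
	if err != nil {
		panic(err)
	}
	r, err := CheckWebhookCert(leaf, ca, "linkerd-proxy-injector.linkerd.svc", time.Now(), time.Hour)
	fmt.Printf("%+v err=%v\n", r, err)
}
```

    To run the same check against a real cluster, feed CheckWebhookCert the base64-decoded tls.crt from the secret cert-manager wrote and the ca.crt you stored in webhook-issuer-tls; ChainOK false with a correct CA usually means the caBundle handed to Linkerd is stale after a CA rotation, and DNSNameOK false means the certificate does not list the service name in its SAN entries. The API server and Linkerd are Go programs, and Go's TLS stack matches hostnames against SAN entries only, so a certificate whose only occurrence of the service name is the CommonName will be rejected even though the chain verifies.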

    Now we just need to inform Linkerd to consume these credentials.

    To configure Linkerd to use the credentials from cert-manager rather than generating its own, we generate a supplemental config file:

      Installing with Helm

      For Helm installation, we can configure the Helm values directly:

      Note

      When installing Linkerd with Helm, you must also provide the issuer trust root and issuer credentials as described in Installing Linkerd with Helm.

      Note