Maintenance

This page collects maintenance tasks that may need to be performed during the lifetime of an Obcerv installation.

Linkerd certificate rotation Copied

If Linkerd is installed as described in this section, the automatic rotation of issuer and root certificates is expected. However, the automatic rotation of root certificate is not fully supported by cert-manager at this time.

While cert-manager can rotate the root certificate using the configured duration and renewBefore parameters, it is important to note that the control plane must be restarted for the changes to take effect. To do this, run:

kubectl rollout restart -n linkerd deploy

Furthermore, a kubectl rollout restart is also required for all meshed workloads to ensure that their configurations are up-to-date.

Note

The duration and renewBefore parameters can be configured to extend to a minimum of 10 years, thereby establishing a longer-lived trust anchor.

If Linkerd is installed without automatic rotation, the certificates will expire after 365 days by default. You can follow these instructions to rotate the trust anchor before the certificates expire. Alternatively, you can perform a Linkerd upgrade so that control plane TLS credentials are automatically rotated in the setup.

Upgrade existing Linkerd installation Copied

To upgrade the already installed Linkerd and use a setup that automatically rotates control plane TLS credentials, apply the YAML manifest outlined in this section, and then upgrade the installation using the linkerd upgrade command.

To upgrade Linkerd:

Kubernetes nodes running with Docker as the container runtime (CRI) require the init container to run as root for iptables. In this case, Linkerd must be installed via --set proxyInit.runAsRoot=true.

linkerd upgrade \
  --set identity.externalCA=true \
  --set identity.issuer.scheme=kubernetes.io/tls \
  | kubectl -n linkerd apply -f -

Once the upgrade is done, restarting the control plane is required so that everything in the control plane is configured to use the new trust anchor.

kubectl rollout restart -n linkerd deploy

Additionally, a rollout restart of meshed workloads is also required so that the new trust anchor is used.

["Obcerv"] ["User Guide"]

Was this topic helpful?