Redeploying control plane using certificates

You have to reinstall the Linkerd control plane to start using the root and intermediate certificates that you just generated using smallstep:

  1. Delete the current installation of the Linkerd control plane:
$ linkerd install --ignore-cluster | kubectl delete -f -

The Linkerd identity component issues the short-lived leaf certificates to the proxies and rotates them; it signs them with the issuer (intermediate) certificate, which in this case comes from smallstep instead of the self-signed CA that a plain linkerd install generates. At the time of writing, there is no way to switch a running control plane to a new trust anchor and issuer, so the change requires a reinstall.
  2. Create a new Linkerd installation using the trusted certificates (the backslashes continue the command across lines):
$ linkerd install \
    --identity-trust-anchors-file /tmp/root-ca.crt \
    --identity-issuer-key-file /tmp/identity.key \
    --identity-issuer-certificate-file /tmp/identity.crt \
    --ignore-cluster | kubectl apply -f -
  3. Now, run the Linkerd health checks:
$ linkerd check

Since we deleted and recreated the Linkerd install, the linkerd namespace (and the ingress it contained) went with it, so we need to recreate the ingress definition to reach the dashboard.

  4. Rerun the following commands:
$ cd ~/linkerd/scripts
$ kubectl -n linkerd apply -f 01-create-linkerd-ingress.yaml
ingress.extensions/linkerd created
  5. Check the TLS status of the traffic:
$ linkerd tap deploy -n linkerd-lab
...
rsp id=5:24 proxy=out src=192.168.230.238:43774 dst=192.168.230.206:7000 tls=true :status=303 latency=10830µs
end id=5:24 proxy=out src=192.168.230.238:43774 dst=192.168.230.206:7000 tls=true duration=26µs response-length=0B
...

You should see tls=true for live traffic.

  6. Press Ctrl + C to break the output.
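Eyeballing tls=true on a scrolling tap stream is easy to get wrong. The following script, an added example that is not from the book or the Linkerd project, parses the key=value fields of each tap line and reports every (src, dst) pair that carried traffic with anything other than tls=true. The sample capture, the addresses, the hypothetical webapp and legacy authorities, and the tls=not_provided_by_remote value in it are constructed for illustration, modelled on the format shown above.

```python
"""Audit `linkerd tap` output for traffic that did not use mTLS.

Added example for this chapter, not code from the book or from Linkerd.
It parses the key=value fields of each tap line and reports every
(src, dst) pair that carried traffic with anything other than tls=true.
The sample capture below is constructed; addresses and the
tls=not_provided_by_remote value are illustrative.
"""
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(r"(\S+?)=(\S*)")

# Constructed sample capture modelled on the format shown in the text.
SAMPLE_TAP = """\
req id=5:24 proxy=out src=192.168.230.238:43774 dst=192.168.230.206:7000 tls=true :method=GET :authority=webapp:7000 :path=/
rsp id=5:24 proxy=out src=192.168.230.238:43774 dst=192.168.230.206:7000 tls=true :status=303 latency=10830µs
end id=5:24 proxy=out src=192.168.230.238:43774 dst=192.168.230.206:7000 tls=true duration=26µs response-length=0B
req id=5:25 proxy=out src=192.168.230.238:43790 dst=10.96.0.10:9090 tls=not_provided_by_remote :method=GET :authority=legacy:9090 :path=/health
rsp id=5:25 proxy=out src=192.168.230.238:43790 dst=10.96.0.10:9090 tls=not_provided_by_remote :status=200 latency=900µs
"""


def parse_tap_line(line):
    """Return {'event': 'req'|'rsp'|'end', <key>: <value>, ...} or None."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0] not in ("req", "rsp", "end"):
        return None  # banner, blank line, or a line we do not understand
    fields = {"event": parts[0]}
    fields.update(FIELD_RE.findall(parts[1]))  # ':method=GET' -> (':method', 'GET')
    return fields


def audit_tls(tap_text):
    """Summarise TLS status per flow.

    Returns the number of parsed events, a Counter of tls= values, and a
    mapping (src, dst) -> event count for every flow that was not tls=true.
    """
    tls_values = Counter()
    plaintext = defaultdict(int)
    total = 0
    for line in tap_text.splitlines():
        ev = parse_tap_line(line)
        if ev is None:
            continue
        total += 1
        tls = ev.get("tls", "missing")
        tls_values[tls] += 1
        if tls != "true":
            plaintext[(ev.get("src"), ev.get("dst"))] += 1
    return {"events": total, "tls_values": tls_values, "plaintext_flows": dict(plaintext)}


def unmeshed_destinations(report):
    """Collapse the non-mTLS flows to destination hosts (port dropped)."""
    return sorted({dst.rsplit(":", 1)[0] for (_, dst) in report["plaintext_flows"]})


if __name__ == "__main__":
    import sys
    # Read a real capture from stdin when piped; fall back to the sample.
    text = SAMPLE_TAP if sys.stdin.isatty() else sys.stdin.read()
    report = audit_tls(text)
    print(f"events={report['events']} tls={dict(report['tls_values'])}")
    for (src, dst), n in report["plaintext_flows"].items():
        print(f"NOT mTLS: {src} -> {dst} ({n} events)")
    for host in unmeshed_destinations(report):
        print(f"destination without mTLS: {host}")
```

Pipe a live capture into it (the script name is whatever you save it as): linkerd tap deploy -n linkerd-lab | python3 tap_audit.py. Any destination it lists is either not meshed or is being reached in a way the proxy could not protect, which is exactly what the tls=true check is meant to catch.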

In this setup, the leaf certificates that the Linkerd identity service issues to the proxies running next to every microservice are valid for 24 hours.

  7. Verify that by looking at the Linkerd identity logs:
$ kubectl -n linkerd logs -c identity -l linkerd.io/control-plane-component=identity
time="2019-08-10T15:35:45Z" level=info msg="certifying linkerd-proxy-injector.linkerd.serviceaccount.identity.linkerd.cluster.local until 2019-08-11 15:36:05 +0000 UTC"

Each log line names the identity a leaf certificate was issued to and when that certificate expires, which is 24 hours after issuance.

  8. Next, verify the issuer certificate that the linkerd-identity-issuer secret stores in the linkerd namespace (this is the intermediate certificate that signs the leaves, not a leaf certificate itself; the dot in the key name has to be escaped in the JSONPath expression):
$ kubectl -n linkerd get secret linkerd-identity-issuer -o jsonpath='{.data.crt\.pem}' | base64 -d

The output matches /tmp/identity.crt.

  9. Do the same for the issuer's private key:
$ kubectl -n linkerd get secret linkerd-identity-issuer -o jsonpath='{.data.key\.pem}' | base64 -d

The output matches /tmp/identity.key. Unlike the 24-hour leaf certificates, the issuer certificate's lifetime was fixed when smallstep created it, and every leaf certificate chains to it, so the linkerd-identity-issuer secret must be updated with a new issuer certificate and key before the current one expires.
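The comparison in the last two steps prints the issuer's private key to a terminal and relies on a visual match, and the 24-hour leaf lifetime is read off a single log line. The following script, an added example that is not from the book or the Linkerd project, does both checks programmatically: it decodes the linkerd-identity-issuer Secret as returned by `kubectl -n linkerd get secret linkerd-identity-issuer -o json` and compares crt.pem and key.pem with the files that were passed to `linkerd install`, and it parses identity-service log lines of the form shown above into validity windows and flags any leaf whose lifetime deviates from the expected 24 hours. The Secret JSON, the PEM bodies and the second log line (a hypothetical webapp identity with a one-hour leaf) are constructed sample data.

```python
"""Check the redeployed identity issuer and the lifetimes of the leaf certs.

Added example, not code from the book or from Linkerd.
 1. issuer_secret_matches(): decode the linkerd-identity-issuer Secret
    (kubectl ... -o json output) and compare crt.pem/key.pem with the
    local issuer files, instead of printing the private key and eyeballing it.
 2. leaf_lifetimes() / find_anomalies(): parse 'certifying <id> until <ts>'
    identity log lines and flag leaves whose lifetime is not ~24 hours.
The sample Secret, PEM bodies and the second log line are constructed.
"""
import base64
import json
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'time="(?P<time>[^"]+)" level=\w+ msg="certifying (?P<identity>\S+) until (?P<until>[^"]+)"'
)

# Constructed PEM bodies: the base64 payloads are placeholders, not real keys.
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nMIIBsampleIssuerCertificateBody\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIsampleIssuerKeyBody\n-----END EC PRIVATE KEY-----\n"

# First line is the one shown in the text; the second is constructed with a
# one-hour lifetime so that the anomaly check has something to report.
SAMPLE_LOG = """\
time="2019-08-10T15:35:45Z" level=info msg="certifying linkerd-proxy-injector.linkerd.serviceaccount.identity.linkerd.cluster.local until 2019-08-11 15:36:05 +0000 UTC"
time="2019-08-10T15:36:10Z" level=info msg="certifying webapp.linkerd-lab.serviceaccount.identity.linkerd.cluster.local until 2019-08-10 16:36:10 +0000 UTC"
"""


def make_sample_secret(crt_pem, key_pem):
    """Build the JSON kubectl would return for the Secret (constructed)."""
    def enc(s):
        return base64.b64encode(s.encode()).decode()
    return json.dumps({
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": "linkerd-identity-issuer", "namespace": "linkerd"},
        "data": {"crt.pem": enc(crt_pem), "key.pem": enc(key_pem)},
    })


def _norm_pem(pem):
    """Normalise whitespace so CRLF vs LF or a missing final newline is not a mismatch."""
    return "\n".join(line.strip() for line in pem.strip().splitlines())


def issuer_secret_matches(secret_json, crt_pem, key_pem):
    """Compare the Secret's crt.pem/key.pem with the local issuer files.

    Returns {'crt': bool, 'key': bool, 'key_header': first line of the stored key}.
    """
    data = json.loads(secret_json)["data"]
    stored_crt = base64.b64decode(data["crt.pem"]).decode()
    stored_key = base64.b64decode(data["key.pem"]).decode()
    return {
        "crt": _norm_pem(stored_crt) == _norm_pem(crt_pem),
        "key": _norm_pem(stored_key) == _norm_pem(key_pem),
        # Linkerd expects an ECDSA P-256 issuer key; the PEM header is only a
        # coarse check (it shows the key type, not the curve).
        "key_header": stored_key.strip().splitlines()[0],
    }


def leaf_lifetimes(log_text):
    """Parse identity log lines into (identity, issued, until, lifetime) records."""
    out = []
    for m in LOG_RE.finditer(log_text):
        issued = datetime.strptime(m["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        until = datetime.strptime(m["until"], "%Y-%m-%d %H:%M:%S %z UTC")
        out.append({"identity": m["identity"], "issued": issued, "until": until,
                    "lifetime_seconds": int((until - issued).total_seconds())})
    return out


def find_anomalies(entries, expected=timedelta(hours=24), tolerance=timedelta(minutes=5)):
    """Identities whose leaf lifetime is not within tolerance of the expected value."""
    return [e["identity"] for e in entries
            if abs(timedelta(seconds=e["lifetime_seconds"]) - expected) > tolerance]


if __name__ == "__main__":
    secret = make_sample_secret(SAMPLE_CRT, SAMPLE_KEY)
    print("issuer secret:", issuer_secret_matches(secret, SAMPLE_CRT, SAMPLE_KEY))
    entries = leaf_lifetimes(SAMPLE_LOG)
    for e in entries:
        print(f"{e['identity']}: {e['lifetime_seconds']}s, expires {e['until']:%Y-%m-%d %H:%M:%S} UTC")
    print("anomalies:", find_anomalies(entries))
```

Against a live cluster, feed it real input: the Secret from kubectl -n linkerd get secret linkerd-identity-issuer -o json and the log from kubectl -n linkerd logs -c identity -l linkerd.io/control-plane-component=identity. The script does not parse X.509, so to see when the issuer certificate itself expires (the date the secret has to be rotated by) run openssl x509 -in /tmp/identity.crt -noout -enddate.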
