Create a script that can automatically update the needed certifications for Linkerd once they expire

If we aren’t using the Enterprise version of Linkerd, is there a way we could create a script to automate the renewal of the certifications that are needed to keep Linkerd running?

Or how could we extend the life of a certification so we wouldn’t need to renew it as often? And in order to set up our own certifications would we need to remove and reinstall Linkerd?

Hey Sabrina!

You can do either or both! I’d recommend looking at cert-manager as a tool and take a peek at some of our docs.

To be clear: it’s not possible to extend the life of a certificate without rotating it. But that’s OK, because rotating is the safer thing to do anyway. 🙂

What’s the longest you can wait between rotates?

As long as you rotate before the certificate expires, you’re good. Best practice here is that you rotate about 2/3 of the way through the certificate’s life, to give yourself time to correct any problems.
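The 2/3 rule from the reply above, as a check a scheduled job could run. This is an added example, not part of the thread or of Linkerd's or cert-manager's own tooling; it assumes the input is the text printed by `openssl x509 -noout -dates`, and the sample dates and function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: `openssl x509 -noout -dates -in <cert>` output
# for a certificate with a 90-day validity period.
SAMPLE_DATES = """\
notBefore=Jan  1 00:00:00 2025 GMT
notAfter=Apr  1 00:00:00 2025 GMT
"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with an extra space; collapse it.
            value = " ".join(value.split())
            parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    if fields["notAfter"] <= fields["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return fields["notBefore"], fields["notAfter"]


def rotation_point(not_before, not_after):
    """Moment at which 2/3 of the certificate's lifetime has elapsed."""
    return not_before + (not_after - not_before) * 2 / 3


def rotation_status(text, now):
    """Classify a certificate as not-yet-valid, ok, rotate or expired."""
    not_before, not_after = parse_openssl_dates(text)
    if now >= not_after:
        return "expired"
    if now < not_before:
        return "not-yet-valid"
    if now >= rotation_point(not_before, not_after):
        return "rotate"
    return "ok"


if __name__ == "__main__":
    # A cron job would alert or trigger rotation on anything but "ok".
    print(rotation_status(SAMPLE_DATES, datetime.now(timezone.utc)))
```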

For the auto rotate webhook certs, does that cover every certification that’s needed? Or does linkerd upgrade cover everything?

Please review the docs and set up certificate rotation in a test cluster. That will answer the remainder of your questions around certificate rotation. You can also review the cert-manager docs themselves for any additional cert-manager questions you have.
