How to change a value with Linkerd CLI?

According to the Linkerd doc:

Authority Label

For metrics with the direction=inbound label value, the authority label is omitted. This is done as a security measure to prevent malicious clients from being able to cause Linkerd to create an arbitrary number of metrics by sending requests with an arbitrary number of different authority values.

If this is not a concern in your environment, it is possible to re-enable the authority label on these metrics by setting an additional env value in Linkerd’s values.yml

proxy:
  additionalEnv:
    - name: LINKERD2_PROXY_INBOUND_METRICS_AUTHORITY_LABELS
      value: unsafe

However I have used Linkerd CLI for installation with this command:

linkerd install --ha --set identity.externalCA=true --set identity.issuer.scheme=kubernetes.io/tls | kubectl apply -f -

I have tried to upgrade linkerd with

linkerd upgrade --ha --set identity.externalCA=true --set identity.issuer.scheme=kubernetes.io/tls --set proxy.additionalEnv.LINKERD2_PROXY_INBOUND_METRICS_AUTHORITY_LABELS=unsafe | kubectl apply -f -

This gives:

–identity-issuer-certificate-file must not be specified if --identity-external-issuer=true

I am using an external identity issue but as you can see, my command does not specify “–identity-issuer-certificate-file”. What should I do here?

I had the same exact error message too and posting what I finally did to hopefully save someone else hours of troubleshooting. During the upgrade process linkerd was reading from the secret linkerd-config-overrides. Ours had the externalCA set to true but also still had certs defined in it. I deleted the certs after ‘scheme: kubernetes.io/tls’ and before ‘identityTrustAnchorsPEM:’ (Note: KEEP identityTrustAnchorsPEM cert). My snippet in my newly modified secret looked like:

identity:
externalCA: true
issuer:
scheme: kubernetes.io/tls
identityTrustAnchorsPEM: |

After making this change running linkerd upgrade worked