Maintenance
Important
This information refers to the previous helm install method for the Obcerv Platform. If you are looking to install using the more streamlined Kubernetes Off-the-Shelf (KOTS) method, see the updated installation overview.
This page collects maintenance tasks that may need to be performed during the lifetime of an Obcerv installation.
Linkerd certificate rotation
If Linkerd is installed as described in this section, the issuer and root certificates are expected to rotate automatically. However, automatic rotation of the root certificate is not fully supported by cert-manager at this time.
While cert-manager can rotate the root certificate using the configured duration and renewBefore parameters, the control plane must be restarted for the changes to take effect. To do this, run:
kubectl rollout restart -n linkerd deploy
Furthermore, a kubectl rollout restart is also required for all meshed workloads to ensure that their configurations are up-to-date.
Note
The duration and renewBefore parameters can be configured to extend to a minimum of 10 years, thereby establishing a longer-lived trust anchor.
If Linkerd is installed without automatic rotation, the certificates will expire after 365 days by default. You can follow these instructions to rotate the trust anchor before the certificates expire. Alternatively, you can perform a Linkerd upgrade so that control plane TLS credentials are automatically rotated in the setup.
Upgrade existing Linkerd installation
To upgrade the already installed Linkerd and use a setup that automatically rotates control plane TLS credentials, apply the YAML manifest outlined in this section, and then upgrade the installation using the linkerd upgrade command.
To upgrade Linkerd:
Kubernetes nodes running with Docker as the container runtime (CRI) require the init container to run as root for iptables. In this case, Linkerd must be installed via --set proxyInit.runAsRoot=true.
linkerd upgrade \
--set identity.externalCA=true \
--set identity.issuer.scheme=kubernetes.io/tls \
| kubectl -n linkerd apply -f -
Once the upgrade is done, restarting the control plane is required so that everything in the control plane is configured to use the new trust anchor.
kubectl rollout restart -n linkerd deploy
Additionally, a rollout restart of meshed workloads is also required so that the new trust anchor is used.
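Both procedures above end with a rollout restart of meshed workloads but give no command for it. The script below is an added example, not part of the Obcerv or Linkerd documentation. It restarts only workloads whose pods carry a Linkerd proxy, and it assumes injected pods have the labels linkerd.io/control-plane-ns and linkerd.io/proxy-deployment, linkerd.io/proxy-statefulset or linkerd.io/proxy-daemonset; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: restart only workloads whose pods run a Linkerd proxy.
# Assumption: injected pods carry linkerd.io/control-plane-ns and
# linkerd.io/proxy-<kind> labels (verify with `kubectl get pods --show-labels`).

CONTROL_PLANE_NS="linkerd"

# One tab-separated row per meshed pod:
# namespace, deployment, statefulset, daemonset (unused columns are empty).
list_meshed_pods() {
  kubectl get pods --all-namespaces \
    -l "linkerd.io/control-plane-ns=${CONTROL_PLANE_NS}" \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.labels.linkerd\.io/proxy-deployment}{"\t"}{.metadata.labels.linkerd\.io/proxy-statefulset}{"\t"}{.metadata.labels.linkerd\.io/proxy-daemonset}{"\n"}{end}'
}

# Read those rows on stdin and print "namespace kind/name" once per workload.
# The control plane namespace is skipped because it is restarted separately.
plan_meshed_restarts() {
  awk -F'\t' -v cp="$CONTROL_PLANE_NS" '
    $1 == "" || $1 == cp { next }
    {
      if ($2 != "")      target = "deploy/" $2
      else if ($3 != "") target = "statefulset/" $3
      else if ($4 != "") target = "daemonset/" $4
      else next          # bare pod or job: no controller to restart
      key = $1 " " target
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# --plan prints what would be restarted; --apply performs the restarts.
case "${1:-}" in
  --plan)
    list_meshed_pods | plan_meshed_restarts
    ;;
  --apply)
    list_meshed_pods | plan_meshed_restarts |
      while read -r ns target; do
        kubectl rollout restart -n "$ns" "$target"
      done
    ;;
esac
```

Run it with --plan first and compare the list against the workloads you expect to be meshed before using --apply.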