Cert expiration in helm chart for auto generated sp-validator, proxy-injector and tap

[twendt]

The helm chart uses a fixed cert expiration of 365 days for the proxy injector, sp-validator and tap. Does that mean that the cert has to be manually renewed after 365 days?

Here is the link to the code in the sp-validator helm template:

linkerd2/charts/linkerd2/templates/sp-validator-rbac.yaml

Line 45 in 5998728

{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}

[ihcsim]

Yes, the linkerd upgrade and helm upgrade commands can be used to renew those certs. See https://linkerd.io/2/tasks/rotating_webhooks_certificates/. Also, some folks in the community have been trying to put together steps on how to automate this with cert-manager.

[twendt]

Great, thank you. That was exactly the hint I was looking for.