You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When the linkerd controlplane becomes unavailable the proxies fail to refresh their certificate. If the controlplane is unavailable for a sufficiently large duration, the proxy certificate actually expires, which causes all communication from/to meshed pods to fail. This includes the connection to the identity service, so a new certificate cannot be acquired. When this happens all affected pods need to be identified and restarted.
How should the problem be solved?
Enable the proxy-injector to set the following environment variables based on it's configuration:
LINKERD2_PROXY_IDENTITY_MIN_REFRESH
LINKERD2_PROXY_IDENTITY_MAX_REFRESH
Both are already know to the proxy.
Any alternatives you've considered?
Currently, the lifetime of certificate by the identity service can be increased, but the certificate refresh is always scheduled at 70% of certificate lifetime. Depending one the required leeway certificate lifetimes increase significantly.
Lifetimes can be shortened again, when the refresh happens more often.
How would users interact with this feature?
Once the proxy-injector supports setting these environment variables, it would make sense to also expose the setting in the helm values.
Would you like to work on this feature?
maybe
The text was updated successfully, but these errors were encountered:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
What problem are you trying to solve?
When the linkerd controlplane becomes unavailable the proxies fail to refresh their certificate. If the controlplane is unavailable for a sufficiently large duration, the proxy certificate actually expires, which causes all communication from/to meshed pods to fail. This includes the connection to the identity service, so a new certificate cannot be acquired. When this happens all affected pods need to be identified and restarted.
How should the problem be solved?
Enable the proxy-injector to set the following environment variables based on it's configuration:
Both are already know to the proxy.
Any alternatives you've considered?
Currently, the lifetime of certificate by the identity service can be increased, but the certificate refresh is always scheduled at 70% of certificate lifetime. Depending one the required leeway certificate lifetimes increase significantly.
Lifetimes can be shortened again, when the refresh happens more often.
How would users interact with this feature?
Once the proxy-injector supports setting these environment variables, it would make sense to also expose the setting in the helm values.
Would you like to work on this feature?
maybe
The text was updated successfully, but these errors were encountered: