Automatic Certificate Rotation with cert-manager and Linkerd
Certificates expire. In a Kubernetes homelab running the Linkerd service mesh, that means the identity issuer certificate has to be renewed every year. Without automation this is a manual task that is easy to forget until mTLS breaks across the cluster. This post covers installing cert-manager on a bare-metal kubeadm cluster and configuring it to rotate Linkerd's identity issuer certificate automatically.

The Problem

Linkerd uses a two-tier PKI:

| Certificate     | Purpose                  | Default Lifetime |
|-----------------|--------------------------|------------------|
| Trust Anchor    | Root CA for the mesh     | 10 years         |
| Identity Issuer | Signs proxy certificates | 1 year           |

The identity issuer expires annually. Once it has expired, proxies can no longer obtain or renew their certificates, because the identity service signs every proxy certificate with the issuer, and proxy certificates are short-lived and renewed continuously. Peers then reject the chain and mTLS between pods fails. The trust anchor rarely needs rotation; the identity issuer is the one that requires attention.

...