Enable the proxy-injector to configure LINKERD2_PROXY_IDENTITY_*_REFRESH #13136

Nuckal777 opened this issue Oct 4, 2024 · 0 comments
What problem are you trying to solve?

When the linkerd controlplane becomes unavailable the proxies fail to refresh their certificate. If the controlplane is unavailable for a sufficiently large duration, the proxy certificate actually expires, which causes all communication from/to meshed pods to fail. This includes the connection to the identity service, so a new certificate cannot be acquired. When this happens all affected pods need to be identified and restarted.

How should the problem be solved?

Enable the proxy-injector to set the following environment variables based on its configuration:

  • LINKERD2_PROXY_IDENTITY_MIN_REFRESH
  • LINKERD2_PROXY_IDENTITY_MAX_REFRESH

Both are already known to the proxy.

Any alternatives you've considered?

Currently, the lifetime of certificates from the identity service can be increased, but the certificate refresh is always scheduled at 70% of the certificate lifetime. Depending on the required leeway, certificate lifetimes increase significantly.

Lifetimes can be shortened again when the refresh happens more often.

How would users interact with this feature?

Once the proxy-injector supports setting these environment variables, it would make sense to also expose the setting in the helm values.

Would you like to work on this feature?

maybe
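The trade-off the issue describes (a fixed refresh point at 70% of the lifetime means the only lever for outage tolerance is a longer certificate) can be made concrete with a small model. The following is an added example, not code from Linkerd or from the issue author. It encodes only what the issue states, that the proxy tries to refresh at 70% of the lifetime and cannot obtain a certificate once the current one has expired. The continuous-retry behaviour during an outage and the `refresh_fraction` parameter, which stands in for whatever the proposed `LINKERD2_PROXY_IDENTITY_*_REFRESH` settings would allow, are assumptions of the model.

```python
"""Model of proxy certificate renewal across a control-plane outage.

Added example, not Linkerd code. Encodes the 70% refresh point stated in the
issue; the retry behaviour and the refresh_fraction knob are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# From the issue: the proxy schedules its refresh at 70% of the lifetime.
DEFAULT_REFRESH_FRACTION = 0.7


@dataclass(frozen=True)
class Outcome:
    renewed_at_s: Optional[float]  # seconds after issuance; None if expired
    expired: bool


def _check_fraction(refresh_fraction: float) -> None:
    if not 0.0 < refresh_fraction < 1.0:
        raise ValueError("refresh_fraction must be strictly between 0 and 1")


def outage_tolerance(lifetime_s: float,
                     refresh_fraction: float = DEFAULT_REFRESH_FRACTION) -> float:
    """Longest control-plane outage the proxy survives without losing its cert.

    The first refresh attempt happens at refresh_fraction * lifetime and the
    certificate dies at lifetime, so an outage may cover at most that gap.
    """
    _check_fraction(refresh_fraction)
    return lifetime_s * (1.0 - refresh_fraction)


def required_lifetime(tolerance_s: float,
                      refresh_fraction: float = DEFAULT_REFRESH_FRACTION) -> float:
    """Certificate lifetime needed to tolerate an outage of tolerance_s seconds.

    With the fixed 70% refresh point this is tolerance / 0.3, which is why the
    issue notes that lifetimes grow "significantly" with the required leeway.
    """
    _check_fraction(refresh_fraction)
    return tolerance_s / (1.0 - refresh_fraction)


def simulate(lifetime_s: float, outage_start_s: float, outage_end_s: float,
             refresh_fraction: float = DEFAULT_REFRESH_FRACTION) -> Outcome:
    """Renewal outcome for one certificate given a single outage window.

    Assumption: after the first attempt the proxy keeps retrying until the
    identity service answers, so renewal lands at the first attempt time or,
    if the outage covers it, at the end of the outage. Renewal at or after
    expiry is too late: the expired cert cannot reach the identity service.
    """
    _check_fraction(refresh_fraction)
    if outage_end_s < outage_start_s:
        raise ValueError("outage must end after it starts")
    first_attempt_s = refresh_fraction * lifetime_s
    if outage_end_s <= first_attempt_s or outage_start_s > first_attempt_s:
        renewed_at_s = first_attempt_s  # control plane reachable on first try
    else:
        renewed_at_s = outage_end_s      # retries succeed once outage ends
    if renewed_at_s >= lifetime_s:
        return Outcome(None, True)
    return Outcome(renewed_at_s, False)


if __name__ == "__main__":
    hour = 3600.0
    lifetime = 24 * hour
    print(f"24h cert, refresh at 70%: tolerates {outage_tolerance(lifetime) / hour:.1f}h outage")
    print(f"to tolerate 8h with the 70% rule you need {required_lifetime(8 * hour) / hour:.1f}h certs")
    # Constructed scenario: control plane down from hour 15 to hour 25.
    for frac in (0.7, 0.5):
        out = simulate(lifetime, 15 * hour, 25 * hour, refresh_fraction=frac)
        print(f"refresh at {frac:.0%}: expired={out.expired}, renewed_at={out.renewed_at_s}")
```

The last two lines of the demo show the issue's point: with the same 24h certificate, a 10h outage starting at hour 15 expires the certificate under the 70% rule, but is survived if the refresh is moved earlier, without lengthening the certificate.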
