What problem are you trying to solve?
I'm trying to fully automate certificate management with cert-manager following this helpful guide by @mateiidavid : #7345 (comment)
In this case, the linkerd-trust-anchor CA is created by cert-manager and its public certificate is distributed using trust-manager's bundle into the linkerd-identity-trust-roots configmap.
Everything works as expected as far as I can tell.
However, when the linkerd-trust-anchor CA is rotated and trust-manager distributes a new linkerd-identity-trust-roots bundle, it doesn't look like linkerd picks it up.
It looks like I have to reload both linkerd control plane services, and all cluster workloads to pick up the new linkerd-identity-trust-roots.
How should the problem be solved?
I wonder if it would be possible to monitor changes in linkerd-identity-trust-roots config map and pick up new trusted bundle automatically?
Also, for workloads (linkerd-proxy), it looks like trust roots are picked up at start and can only be re-read by restarting the workloads. I wonder if they could query new bundle automatically too?
Please, correct me if I'm wrong in my assumptions here.
Any alternatives you've considered?
If I understand correctly, there are two alternatives here:
Generate the original CA with a very long duration (e.g. 10 years) so it doesn't get rotated by cert-manager
Monitor linkerd-trust-anchor rotation and restart both the linkerd control plane services and all workloads
How would users interact with this feature?
No response
Would you like to work on this feature?
None
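The second alternative above (watch the trust bundle, then restart the control plane and every meshed workload) as a script. This is an added example, not code from the issue author or from the linkerd project, and it makes assumptions the issue does not state: the bundle is stored under the `ca-bundle.crt` key of the configmap, the control plane lives in the `linkerd` namespace, and pods injected with the proxy carry a `linkerd.io/proxy-deployment` label naming their Deployment. The bundle comparison hashes the certificates themselves rather than the raw configmap text, so a re-wrapped or reordered bundle does not trigger a rollout.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or the linkerd project): poll the
# linkerd-identity-trust-roots ConfigMap and restart the control plane and
# every meshed workload when the CA bundle actually changes.
# Assumed (not stated in the issue): the bundle key "ca-bundle.crt", the
# control-plane namespace "linkerd", and the pod label
# linkerd.io/proxy-deployment=<deployment> set by the proxy injector.

LINKERD_NS="${LINKERD_NS:-linkerd}"
TRUST_ROOTS_CM="${TRUST_ROOTS_CM:-linkerd-identity-trust-roots}"
BUNDLE_KEY="${BUNDLE_KEY:-ca-bundle.crt}"
POLL_SECONDS="${POLL_SECONDS:-60}"

# Fingerprint a PEM bundle by the certificates it contains: strip the
# BEGIN/END armour, join each certificate's base64 onto one line, sort,
# and hash. Line-wrapping and ordering differences do not change it.
bundle_fingerprint() {
    printf '%s\n' "$1" \
      | awk '/BEGIN CERTIFICATE/ {p=1; next}
             /END CERTIFICATE/   {p=0; print s; s=""; next}
             p                   {s = s $0}' \
      | sort \
      | sha256sum | cut -d' ' -f1
}

# True (exit 0) when two bundles differ in certificate content.
bundle_changed() {
    [ "$(bundle_fingerprint "$1")" != "$(bundle_fingerprint "$2")" ]
}

# Number of certificates in a bundle. A safe trust-anchor rotation adds the
# new root alongside the old one before the old one is dropped, so the count
# is expected to go 1 -> 2 -> 1 across the rotation.
bundle_cert_count() {
    printf '%s\n' "$1" | grep -c 'BEGIN CERTIFICATE' || true
}

# Read the bundle written by trust-manager. go-template is used because the
# key contains a dot, which would otherwise need escaping in jsonpath.
current_bundle() {
    kubectl get configmap "$TRUST_ROOTS_CM" -n "$LINKERD_NS" \
        -o go-template="{{index .data \"$BUNDLE_KEY\"}}"
}

# Control plane first: identity must see the new roots before proxies
# reconnect to it.
restart_control_plane() {
    kubectl rollout restart deployment -n "$LINKERD_NS"
    kubectl rollout status deployment -n "$LINKERD_NS" --timeout=5m
}

# Restart each distinct namespace/deployment that has meshed pods, once.
# (Assumed label; StatefulSets and DaemonSets would need the matching
# linkerd.io/proxy-statefulset / proxy-daemonset labels handled the same way.)
restart_meshed_workloads() {
    kubectl get pods -A -l linkerd.io/proxy-deployment --no-headers \
        -o 'custom-columns=NS:.metadata.namespace,DEP:.metadata.labels.linkerd\.io/proxy-deployment' \
      | sort -u \
      | while read -r ns dep; do
            kubectl rollout restart deployment "$dep" -n "$ns"
        done
}

watch_trust_roots() {
    last="$(current_bundle)"
    while sleep "$POLL_SECONDS"; do
        now="$(current_bundle)"
        if bundle_changed "$last" "$now"; then
            echo "trust roots changed ($(bundle_cert_count "$now") certificate(s) in bundle); restarting"
            restart_control_plane
            restart_meshed_workloads
            last="$now"
        fi
    done
}

# Run as: ./watch-trust-roots.sh --watch
if [ "${1:-}" = "--watch" ]; then
    watch_trust_roots
fi
```

Because the restart is driven by certificate content and not by the configmap's resourceVersion, a trust-manager resync that rewrites identical data does not cause a cluster-wide rollout; only a bundle whose set of certificates changed does.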