Unable to update l5d-configmap without linkerd pod restarts


#1

Env: k8s on aws cloud

Scenario
Linkerd is serving TLS-based external endpoints (external to k8s, for example google.com). One of my certs expired and I updated to new certs with a new name too. So I have updated my l5d-configmap. But Linkerd is not picking up those changes.

Issue:
Linkerd is unable to pick up the changes being made to l5d-configmap.

Not sure if this behavior is expected.

How to reproduce:

  • install linkerd
  • make changes to l5d-configmap only, i.e. updating the new cert for an endpoint under prefix

Example of updating the l5d-configmap:

Old config:

        - prefix: "/$/io.buoyant.rinet/8443/*"
          tls:
            trustCertsBundle: /io.buoyant/linkerd/healthcheckcerts/tomcat.pem
            commonName: "s3-linkerd-2.elb.amazonaws.com"
            clientAuth:
              certPath: /io.buoyant/linkerd/healthcheckcerts/client-cert.pem
              keyPath: /io.buoyant/linkerd/healthcheckcerts/client-key.pem

New config:

        - prefix: "/$/io.buoyant.rinet/8443/*"
          tls:
            trustCertsBundle: /io.buoyant/linkerd/healthcheckcert/TOMCAT-NEW.pem
            commonName: "s3-linkerd-2.elb.amazonaws.com"
            clientAuth:
              certPath: /io.buoyant/linkerd/healthcheckcerts/client-cert.pem
              keyPath: /io.buoyant/linkerd/healthcheckcerts/client-key.pem
  • `kubectl apply -f l5d-configmap.yml`
  • `http_proxy=<l5d>:4140 curl -v http://my-endpoint:8443`

Expected: 200 Success through linkerd
Actual: SSL error due to certificate expiry


#2

Copying the Slack chat here for consistency, @Alex

Linkerd only reads its config file on startup. So to pick up changes in the config file, you’ll need to restart the Linkerd process or pod.
Certs are reloaded for each new connection, I believe.

Thanks.
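
Added example, not part of the thread and not Linkerd project code: since the config file is only read at startup, one way to make a ConfigMap change take effect is to stamp a checksum of the config onto the pod template, so pods are replaced only when the config actually changed. The namespace `linkerd`, the DaemonSet name `l5d` and the annotation key `checksum/l5d-config` are assumptions, as is a RollingUpdate update strategy on the DaemonSet.

```shell
#!/bin/sh
# Added example: roll Linkerd pods only when the config content changes.
# Assumed names (not from the thread): namespace "linkerd", DaemonSet "l5d",
# annotation key "checksum/l5d-config".

# SHA-256 of the manifest that carries the config Linkerd reads at startup.
config_checksum() {
  sha256sum "$1" | cut -d' ' -f1
}

# Strategic-merge patch that writes the checksum into the pod template.
# A new annotation value changes the pod template, so the controller
# replaces the pods (assumes updateStrategy RollingUpdate) and each new
# Linkerd process starts with the updated config. An unchanged checksum
# leaves the template as it is, so no pod is restarted.
restart_patch() {
  printf '{"spec":{"template":{"metadata":{"annotations":{"checksum/l5d-config":"%s"}}}}}' "$1"
}

# Apply the ConfigMap, patch the workload, then wait for the rollout.
# Usage: apply_and_roll l5d-configmap.yml [namespace] [daemonset]
apply_and_roll() {
  manifest="$1"
  ns="${2:-linkerd}"
  ds="${3:-l5d}"
  sum="$(config_checksum "$manifest")" || return 1
  kubectl apply -n "$ns" -f "$manifest" || return 1
  kubectl patch daemonset "$ds" -n "$ns" -p "$(restart_patch "$sum")" || return 1
  kubectl rollout status "daemonset/$ds" -n "$ns"
}

# Only act when called with arguments, e.g.: sh roll.sh l5d-configmap.yml
if [ "$#" -gt 0 ]; then
  apply_and_roll "$@"
fi
```

After the rollout, repeating the `curl` request from the reproduction steps confirms whether the new trust bundle path is in use.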


#3

Will it be possible to implement this feature, i.e. Linkerd loading configmap changes without restarting the pods? Just like Linkerd is able to load new certs instantly from secrets without pod restarts.