31. Replacing expired certificates

If any of your TLS certificates are approaching expiry and you are not relying on an external certificate management solution (such as cert-manager), you can follow Rotating your identity certificates to update them without incurring downtime. However, if any of your certificates have already expired, you are already in an invalid state and no measure intended to avoid downtime is guaranteed to work. In that situation it is best to simply replace the certificates with valid ones.

Replacing only the issuer certificate

It may be that only your issuer certificate has expired. If so, running linkerd check --proxy will produce output similar to the following:

linkerd-identity
----------------
√ certificate config is valid
√ trust roots are using supported crypto algorithm
√ trust roots are within their validity period
√ trust roots are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
× issuer cert is within its validity period
    issuer certificate is not valid anymore. Expired on 2019-12-19T09:21:08Z
    see https://linkerd.io/checks/#l5d-identity-issuer-cert-is-time-valid for hints

In this case, if you installed Linkerd with a manually supplied trust root and you still have its key, you can follow Updating the identity issuer certificate to replace the expired issuer certificate.

Replacing the root and issuer certificates

If your root certificate has expired, or you do not have its key, you need to replace both the root and the issuer certificate at the same time. If the root has expired, linkerd check will indicate this with an error similar to the following:

linkerd-identity
----------------
√ certificate config is valid
√ trust roots are using supported crypto algorithm
× trust roots are within their validity period
    Invalid roots:
        * 272080721524060688352608293567629376512 identity.linkerd.cluster.local not valid anymore. Expired on 2019-12-19T10:05:31Z
    see https://linkerd.io/checks/#l5d-identity-roots-are-time-valid for hints

You can follow Generating your own mTLS root certificates to create a new root certificate and a new issuer certificate. Then use the linkerd upgrade command:

linkerd upgrade \
    --identity-issuer-certificate-file=./issuer-new.crt \
    --identity-issuer-key-file=./issuer-new.key \
    --identity-trust-anchors-file=./ca-new.crt \
    --force \
    | kubectl apply -f -

Normally upgrade refuses an issuer certificate that was not signed by the root that the meshed pods currently trust. That check is not wanted here, because we are replacing the root and the issuer at the same time, so we pass the --force flag to bypass it.

If you run linkerd check --proxy while the upgrade is still being rolled out, you may see warnings like the following:

linkerd-identity
----------------
√ certificate config is valid
√ trust roots are using supported crypto algorithm
√ trust roots are within their validity period
√ trust roots are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust root

linkerd-identity-data-plane
---------------------------
‼ data plane proxies certificate match CA
    Some pods do not have the current trust bundle and must be restarted:
        * linkerd/linkerd-controller-5b69fd4fcc-7skqb
        * linkerd/linkerd-destination-749df5c74-brchg
        * linkerd/linkerd-grafana-6dcf86b74b-vvxjq
        * linkerd/linkerd-prometheus-74cb4f4b69-kqtss
        * linkerd/linkerd-proxy-injector-cbd5545bd-rblq5
        * linkerd/linkerd-sp-validator-6ff949649f-gjgfl
        * linkerd/linkerd-tap-7b5bb954b6-zl9w6
        * linkerd/linkerd-web-84c555f78-v7t44
    see https://linkerd.io/checks/#l5d-identity-data-plane-proxies-certs-match-ca for hints

Proxies only pick up the new trust bundle when their pods are recreated, so use the kubectl rollout restart command on the listed control-plane pods and on any other injected resources. After that, the check command should stop producing warnings or errors:

linkerd-identity
----------------
√ certificate config is valid
√ trust roots are using supported crypto algorithm
√ trust roots are within their validity period
√ trust roots are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust root

linkerd-identity-data-plane
---------------------------
√ data plane proxies certificate match CA