Trust anchor rotation
Trust anchor rotation is one of the most safety-critical and error-prone operational tasks for any Linkerd deployment. BEL provides a dedicated trust-rotation operator that automates almost every step of the workflow.
Rotating Linkerd's trust anchor by hand follows a fragile sequence. The manual trust anchor rotation walkthrough spans roughly eight steps, each of which has to land in the right order to avoid breaking mTLS across the cluster. Skipping a step, running it too early, or running it against the wrong cluster can silently lock out workloads or cause request failures that are hard to diagnose.
The trust-rotation operator collapses that workflow into a single intentional trigger (renewing the identity issuer at the right moment), with the operator sequencing everything else and refusing to advance until each precondition has been observed.
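The ordering hazard above can be made concrete. The following Go program is an added example, not BEL or Linkerd code: it mints a throwaway old anchor, a new anchor and an identity issuer signed by the new anchor (constructed test material standing in for cert-manager output), then shows that the issuer only validates once the trust bundle carries both roots, and reports which simulated pods still hold a stale bundle. The `NewCA`, `IssuerChainsToBundle` and `StalePods` functions and the pod names `web-0`/`api-0` are assumptions made for the illustration; real proxies receive their roots from the `linkerd-identity-trust-roots` ConfigMap, and the operator's own convergence logic is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// NewCA mints a CA certificate: self-signed when parent is nil, otherwise signed by
// parent/parentKey. Constructed test material standing in for cert-manager output.
func NewCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced is well-formed
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key, nil
}

// IssuerChainsToBundle fails unless the issuer certificate is signed by a root present
// in the bundle. Proxies only trust what the trust-roots ConfigMap carries, so renewing
// the issuer under a root the bundle lacks is the "ran it too early" failure.
func IssuerChainsToBundle(bundlePEM, issuerPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return errors.New("trust bundle contains no parseable certificate")
	}
	block, _ := pem.Decode(issuerPEM)
	if block == nil {
		return errors.New("issuer is not PEM-encoded")
	}
	issuer, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = issuer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// bundleID is an order-independent identity for a PEM bundle: sorted SHA-256 fingerprints.
func bundleID(bundlePEM []byte) string {
	var fps []string
	for block, rest := pem.Decode(bundlePEM); block != nil; block, rest = pem.Decode(rest) {
		sum := sha256.Sum256(block.Bytes)
		fps = append(fps, hex.EncodeToString(sum[:]))
	}
	sort.Strings(fps)
	return strings.Join(fps, ",")
}

// StalePods returns pods whose loaded bundle differs from the desired one: the
// condition a rotation must wait out before the old root may be dropped.
func StalePods(desired []byte, loaded map[string][]byte) []string {
	want := bundleID(desired)
	var stale []string
	for pod, got := range loaded {
		if bundleID(got) != want {
			stale = append(stale, pod)
		}
	}
	sort.Strings(stale)
	return stale
}

func main() {
	oldPEM, _, _, _ := NewCA("old trust anchor", nil, nil)
	newPEM, newCert, newKey, _ := NewCA("new trust anchor", nil, nil)
	issuerPEM, _, _, _ := NewCA("identity issuer", newCert, newKey) // issuer re-signed under the new anchor
	both := append(append([]byte{}, oldPEM...), newPEM...)
	fmt.Println("issuer vs old-only bundle:", IssuerChainsToBundle(oldPEM, issuerPEM)) // fails: step ran too early
	fmt.Println("issuer vs old+new bundle: ", IssuerChainsToBundle(both, issuerPEM))   // nil
	// Hypothetical pods: web-0 has reloaded the bundle, api-0 still holds the old one.
	fmt.Println("pods not yet converged:", StalePods(both, map[string][]byte{"web-0": both, "api-0": oldPEM}))
}
```

The two checks mirror the two preconditions a rotation has to observe in order: the bundle must contain the new root before the issuer is renewed under it, and every proxy must have picked up that bundle before the old root is removed. The operator's value is that it refuses to advance past either boundary until the cluster state, not the operator's wall clock, says it is safe.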
BEL ships two components for trust rotation:

- The trust-rotation operator, packaged as the `trust-rotation-operator` Helm chart (with a companion CRD chart). It runs in your `linkerd` namespace, reconciles the `TrustAnchorRotation` resource, and exposes Prometheus metrics reflecting the current phase and convergence progress.
- The `linkerd-trust` CLI, which installs as a `linkerd` extension. It provides three commands:
  - `linkerd trust bundle` renders the initial `linkerd-identity-trust-roots` ConfigMap from cert-manager output, so you can bootstrap Linkerd before the operator is installed.
  - `linkerd trust inspect` summarizes the current rotation phase and reports which pods have not yet converged on the desired bundle or active issuer.
  - `linkerd trust check` verifies that cert-manager, the cert-manager-managed Linkerd resources, and the operator itself are all installed and healthy. It can also be invoked transparently via `linkerd check`.
Known limitations
The current implementation targets single-cluster setups. Multicluster trust rotation is not yet available. Mesh-expansion deployments that rely on SPIRE still require manual coordination on the SPIRE side.