Add webhook cert auto-rotating

linkerd/init.sh

@@ -7,3 +7,22 @@ step-cli certificate create root.linkerd.cluster.local ca.crt ca.key \
     --namespace=linkerd &&
   yq e -i '.["linkerd-control-plane"].identityTrustAnchorsPEM=load_str("ca.crt")' values.yaml &&
   rm ca.crt ca.key
+
+step-cli certificate create webhook.linkerd.cluster.local webhook_ca.crt webhook_ca.key \
+  --profile root-ca --no-password --insecure --san webhook.linkerd.cluster.local &&
+  kubectl create secret tls \
+    webhook-issuer-tls \
+    --cert=webhook_ca.crt \
+    --key=webhook_ca.key \
+    --namespace=linkerd &&
+  kubectl create secret tls \
+    webhook-issuer-tls \
+    --cert=webhook_ca.crt \
+    --key=webhook_ca.key \
+    --namespace=linkerd-viz &&
+  yq e -i '.["linkerd-control-plane"].policyValidator.caBundle=load_str("webhook_ca.crt")' values.yaml &&
+  yq e -i '.["linkerd-control-plane"].proxyInjector.caBundle=load_str("webhook_ca.crt")' values.yaml &&
+  yq e -i '.["linkerd-control-plane"].profileValidator.caBundle=load_str("webhook_ca.crt")' values.yaml &&
+  yq e -i '.["linkerd-viz"].tap.caBundle=load_str("webhook_ca.crt")' ../linkerd-viz/values.yaml &&
+  yq e -i '.["linkerd-viz"].tapInjector.caBundle=load_str("webhook_ca.crt")' ../linkerd-viz/values.yaml &&
+  rm webhook_ca.crt webhook_ca.key