Linkerd upgrade fails when using an externalCA #15025

@christofhaerens

Description

What is the issue?

I have set up cert-manager along with the required trust anchor and identity issuer as described in the documentation. Then I installed the linkerd CRDs and finally installed the control plane via (edge-26.1.1):

linkerd install \
  --ha \
  --set proxy.metrics.hostnameLabels=true \
  --set identity.externalCA=true \
  --set identity.issuer.scheme=kubernetes.io/tls \
  --set policyValidator.externalSecret=true \
  --set policyValidator.injectCaFrom=cert-manager/webhook-ca \
  --set proxyInjector.externalSecret=true \
  --set proxyInjector.injectCaFrom=cert-manager/webhook-ca \
  --set profileValidator.externalSecret=true \
  --set profileValidator.injectCaFrom=cert-manager/webhook-ca \
  --ignore-cluster

When I run the upgrade (edge-26.3.1), I get the following error:

% ./linkerd2-cli-edge-26.3.1-linux-amd64  upgrade
--identity-issuer-certificate-file must not be specified if --identity-external-issuer=true

The current version 26.1.1 is working fine with our app namespaces linkerd inject enabled.

I have set up a second test EKS cluster and deployed everything from scratch and I get the same error.

How can it be reproduced?

I have set up a second test EKS cluster and deployed everything from scratch (cert-manager, certs, CRDs, control-plane). Everything is working fine, but running the upgrade command gives me the same error.

Logs, error output, etc

--identity-issuer-certificate-file must not be specified if --identity-external-issuer=true

output of linkerd check -o short

linkerd-identity
----------------
‼ issuer cert is valid for at least 60 days
    issuer certificate will expire on 2026-03-11T16:31:18Z
    see https://linkerd.io/2/checks/#l5d-identity-issuer-cert-not-expiring-soon for hints

linkerd-webhooks-and-apisvc-tls
-------------------------------
‼ proxy-injector cert is valid for at least 60 days
    certificate will expire on 2026-03-11T16:31:18Z
    see https://linkerd.io/2/checks/#l5d-proxy-injector-webhook-cert-not-expiring-soon for hints
‼ sp-validator cert is valid for at least 60 days
    certificate will expire on 2026-03-11T16:31:17Z
    see https://linkerd.io/2/checks/#l5d-sp-validator-webhook-cert-not-expiring-soon for hints
‼ policy-validator cert is valid for at least 60 days
    certificate will expire on 2026-03-11T16:31:19Z
    see https://linkerd.io/2/checks/#l5d-policy-validator-webhook-cert-not-expiring-soon for hints

control-plane-version
---------------------
‼ control plane is up-to-date
    is running version 26.1.1 but the latest edge version is 26.3.1
    see https://linkerd.io/2/checks/#l5d-version-control for hints
‼ control plane and cli versions match
    control plane running edge-26.1.1 but cli running edge-26.3.1
    see https://linkerd.io/2/checks/#l5d-version-control for hints

linkerd-control-plane-proxy
---------------------------
‼ control plane proxies are up-to-date
    some proxies are not running the current version:
	* linkerd-destination-79dd489695-dkw5w (edge-26.1.1)
	* linkerd-destination-79dd489695-skkq2 (edge-26.1.1)
	* linkerd-destination-79dd489695-xktvq (edge-26.1.1)
	* linkerd-identity-77695c449d-9fnxw (edge-26.1.1)
	* linkerd-identity-77695c449d-p5mmw (edge-26.1.1)
	* linkerd-identity-77695c449d-wtq8d (edge-26.1.1)
	* linkerd-proxy-injector-68bfc6ccbf-n4mg8 (edge-26.1.1)
	* linkerd-proxy-injector-68bfc6ccbf-s2fk9 (edge-26.1.1)
	* linkerd-proxy-injector-68bfc6ccbf-w72dm (edge-26.1.1)
    see https://linkerd.io/2/checks/#l5d-cp-proxy-version for hints
‼ control plane proxies and cli versions match
    linkerd-destination-79dd489695-dkw5w running edge-26.1.1 but cli running edge-26.3.1
    see https://linkerd.io/2/checks/#l5d-cp-proxy-cli-version for hints

Environment

  • k8s: 1.34
  • Cluster: EKS
  • host OS: amazon linux 2023
  • linkerd version: edge-26.1.1

Possible solution

No response

Additional context

No response

Would you like to work on fixing this bug?

maybe
