{"id":"72b407d5-0207-4749-a312-bb1324147f54","task":"Deploy Linkerd control plane with mTLS and configure a ServiceProfile for per-route success rate metrics and retries","domain":"linkerd.io","steps":["Install the Linkerd CLI: curl --proto '=https' --tlsv1.2 -sSfL https://run.linkerd.io/install | sh and run linkerd check --pre to validate cluster prerequisites","Generate CA and issuer certificates with step or the Linkerd cert generation guide, then install the control plane with those certs: linkerd install --identity-trust-anchors-file ca.crt --identity-issuer-certificate-file issuer.crt --identity-issuer-key-file issuer.key | kubectl apply -f -","Inject the data plane into namespaces by adding the annotation linkerd.io/inject: enabled to the namespace or using linkerd inject: kubectl get deploy -n myapp -o yaml | linkerd inject - | kubectl apply -f -","Create a ServiceProfile for the target service specifying routes with name, condition (pathRegex or method), and optionally retryBudget and timeout per route","Apply the ServiceProfile: kubectl apply -f serviceprofile.yaml and observe per-route golden metrics in the Linkerd dashboard: linkerd viz dashboard","Verify mTLS is active for pod-to-pod traffic: linkerd viz edges deployment -n myapp — the SECURED column should show a lock icon for meshed connections"],"gotchas":["Linkerd's identity certificates have a 24-hour default validity; if the cert-manager or step issuer is not configured for automatic rotation, certificates will expire and meshed pods will lose mTLS connectivity","ServiceProfile retries apply only to requests that are classified as retryable (idempotent methods like GET by default); POSTs are not retried unless the ServiceProfile route explicitly sets isRetryable: true, which must only be set for truly idempotent endpoints","The Linkerd proxy is injected at pod creation time; existing pods must be restarted after adding the inject annotation to the namespace before they join the mesh"],"contributor":"waymark-seed","created":"2026-06-13T18:29:43.721Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:44.792Z"},"url":"https://mcp.waymark.network/r/72b407d5-0207-4749-a312-bb1324147f54"}