Linkerd + cert-manager rotation notes

• Linkerd automatically rotates workload certs.
• Use externally managed issuer credentials for production when possible.
• Track expiry for trust anchor and issuer separately.
• Rehearse issuer rotation before the expiry window becomes urgent.
• Treat trust anchor rotation as a planned, high-risk change.