fix(cert-manager): Ensure there is at least one leaf certificate rene…

…wal when renewing the CA (#712) * fix(cert-manager): Ensure there is at least one leaf certificate renewal when renewing the CA The renewBefore value for the root ca was simply too low barely giving the leaf certificate any time to renew itself. This leads to the root ca expiring before the leaf certificates expires. By removing the renewBefore values we go back to the 2/3 default and as long as the leaf certificate is only valid for half of the root it should be fine. Signed-off-by: Miguel Sacristán Izcue <[email protected]> * set default `renewBefore` for CA to one third of duration Signed-off-by: Jan Wozniak <[email protected]> --------- Signed-off-by: Miguel Sacristán Izcue <[email protected]> Signed-off-by: Jan Wozniak <[email protected]> Co-authored-by: Jan Wozniak <[email protected]>
kedacore · Dec 4, 2024 · c445ec1 · c445ec1
1 parent 3ad2830
commit c445ec1
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/keda/templates/cert-manager/self-ca.yaml b/keda/templates/cert-manager/self-ca.yaml
@@ -13,8 +13,8 @@ spec:
   privateKey:
     algorithm: RSA
     size: 2048
-  duration: 8760h0m0s # 1 year
-  renewBefore: 720h0m0s # 1 month
+  duration: 43800h0m0s     # 5 years
+  renewBefore: 14600h0m0s  # 1.6 year, 1/3rd of the duration
   issuerRef:
     name: {{ .Values.operator.name }}-selfsigned-issuer
     kind: Issuer