From c445ec15dd4344fbd0348f407e26bcb357fedf88 Mon Sep 17 00:00:00 2001 From: Tete17 Date: Wed, 4 Dec 2024 14:46:46 +0100 Subject: [PATCH] fix(cert-manager): Ensure there is at least one leaf certificate renewal when renewing the CA (#712) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(cert-manager): Ensure there is at least one leaf certificate renewal when renewing the CA The renewBefore value for the root ca was simply too low barely giving the leaf certificate any time to renew itself. This leads to the root ca expiring before the leaf certificates expires. By removing the renewBefore values we go back to the 2/3 default and as long as the leaf certificate is only valid for half of the root it should be fine. Signed-off-by: Miguel Sacristán Izcue * set default `renewBefore` for CA to one third of duration Signed-off-by: Jan Wozniak --------- Signed-off-by: Miguel Sacristán Izcue Signed-off-by: Jan Wozniak Co-authored-by: Jan Wozniak --- keda/templates/cert-manager/self-ca.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/keda/templates/cert-manager/self-ca.yaml b/keda/templates/cert-manager/self-ca.yaml
index 7eb1f82b..d86a6f09 100644
--- a/keda/templates/cert-manager/self-ca.yaml
+++ b/keda/templates/cert-manager/self-ca.yaml
@@ -13,8 +13,8 @@ spec:
 privateKey:
 algorithm: RSA
 size: 2048
- duration: 8760h0m0s # 1 year
- renewBefore: 720h0m0s # 1 month
+ duration: 43800h0m0s # 5 years
+ renewBefore: 14600h0m0s # 1.6 year, 1/3rd of the duration
 issuerRef:
 name: {{ .Values.operator.name }}-selfsigned-issuer
 kind: Issuer
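Review bot: The new `duration: 43800h0m0s` / `renewBefore: 14600h0m0s` pair only closes the expiry gap if every leaf certificate issued from this CA has a lifetime comfortably shorter than the 14600h renewal window, and nothing in the hunk records that constraint; the leaf Certificate templates are not visible here, so this should be confirmed against them. I would add a comment above the two lines such as `# leaf certificates signed by this CA must keep duration below renewBefore so they are re-issued before the old CA expires`. The inline comment `# 1.6 year` is also slightly off, since 14600h is about 608 days (roughly 1.67 years). Separately, the CA signing key (`algorithm: RSA`, `size: 2048`) now stays in service for up to five years instead of one, so the key size and rotation interval deserve a deliberate decision rather than being inherited from the one-year setting. The `spec:` block starts and ends outside the hunk.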