I am working with cert-manager and kong-ingress-controller to enable HTTPS in Kubernetes.
I am interested in figuring out how the renewal process works when I am just using a ClusterIssuer and the certificate that is generated by default when we use the ingress resource.
I am not using the kind: Certificate resource, which means that I am not defining a custom X.509 certificate to be signed and obtaining the validated certificate through the reference to my ClusterIssuer.
At the moment I've created a ClusterIssuer and one ingress resource, which automatically creates one certificate named letsencrypt-prod that will be used to perform the http01 validation between cert-manager and the Let's Encrypt CA.
Finally, I have this output:
I0321 10:49:48.505664 1 controller.go:162] certificates controller: syncing item 'default/letsencrypt-prod'
I0321 10:49:48.506008 1 conditions.go:143] Found status change for Certificate "letsencrypt-prod" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2019-03-21 10:49:48.506003434 +0000 UTC m=+168443.026129945
I0321 10:49:48.506571 1 sync.go:263] Certificate default/letsencrypt-prod scheduled for renewal in 1438h59m58.49343646s
I0321 13:57:46.226424 1 controller.go:168] certificates controller: Finished processing work item "default/letsencrypt-prod"
I0321 15:12:53.199067 1 controller.go:178] ingress-shim controller: syncing item 'default/kong-ingress-service'
I0321 15:12:53.199171 1 sync.go:183] Certificate "letsencrypt-prod" for ingress "kong-ingress-service" is up to date
This means that my certificate will be renewed within 1438h-59m-58.49343646s, which is approximately 3 months.
Will it really be renewed automatically, as indicated here:
The default duration for all certificates is 90 days and the default renewal window is 30 days. This means that certificates are considered valid for 3 months and renewal will be attempted within 1 month of expiration.
The cert-manager documentation says:
Although the duration and renewal periods are specified on the Certificate resources, the corresponding Issuer or ClusterIssuer must support this.
My Cluster Issuer is:
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: my-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}
How can I manage the duration and renewBefore parameters if I am not creating a Certificate resource?
According to this, can I add the duration and renewBefore parameters in my ClusterIssuer? Maybe this way?
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: my-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}
  # ...
  duration: 24h
  renewBefore: 12h
This is not supported on the Issuers/ClusterIssuers, only on Certificates. You can create an admission controller to mutate Certificates, or you can have a CronJob to update Certificate resources after they are created.
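As an added example (not part of the original question or answer), a Certificate resource that references the question's ClusterIssuer and sets duration and renewBefore explicitly, which is where cert-manager accepts them; the hostname, namespace, secret name and Kong ingress class are assumed placeholders.

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: letsencrypt-prod          # assumed: same name as the Certificate in the log above
  namespace: default
spec:
  secretName: letsencrypt-prod    # assumed: the TLS secret the Ingress refers to
  issuerRef:
    name: letsencrypt-prod        # the ClusterIssuer from the question
    kind: ClusterIssuer
  commonName: www.example.com     # placeholder hostname
  dnsNames:
  - www.example.com
  # 90-day certificate (the cert-manager default), but start renewing 15 days
  # before expiry instead of the default 30 days
  duration: 2160h
  renewBefore: 360h
  acme:
    config:
    - http01:
        ingressClass: kong        # assumed: ingress class served by kong-ingress-controller
      domains:
      - www.example.com
```

Note that Let's Encrypt always issues 90-day certificates regardless of the requested duration, so with an ACME issuer only renewBefore actually changes behaviour.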