I am using cert-manager-v0.10.0 installed from its helm chart

I am using kong like ingress controller to manage the ingress operations.

So I have created a ClusterIssuer resource in order it could be contacted from an Ingress resource via kong-ingress controller.

The ClusterIssuer is this:

   apiVersion: certmanager.k8s.io/v1alpha1
   kind: ClusterIssuer
   metadata:
     name: letsencrypt-prod
   spec:
     acme:
       # The ACME server URL
       server: https://acme-v02.api.letsencrypt.org/directory
       # Email address used for ACME registration
       email: username@mydomain.org
       # Name of a secret used to store the ACME account private key
       privateKeySecretRef:
         name: letsencrypt-prod
       # Enable the HTTP-01 challenge provider
       solvers:
       - http01:
           ingress:
             class: kong

The ingress resource that I am using is this.

You can see here, that I am pointing it to the ClusterIssuer created previously and also I am pointing it to kong as an ingress controller, according to the kubernetes.io/ingress.class: "kong" annotation included there:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod # letsencrypt-staging
    kubernetes.io/ingress.class: "kong"
    plugins.konghq.com: swaggerapi-customer-production-basic-auth, swaggerapi-customer-production-acl
  name: production-customer-ingress-app
  # namespace: default
spec:
  rules:
  - host: appprod.mydomain.org
    http:
      paths:
      - backend:
          serviceName: customer-production-app
          servicePort: 80
        path: /comcustomerpr
  tls: # < placing a host in the TLS config will indicate a cert should be created
  - hosts:
    - appprod.mydomain.org
    secretName: letsencrypt-prod # < cert-manager will store the created certificate in this secret.

So, when I create the Ingress resource above, the secretName referenced above in my ingress is created and also a certificate resource with the same name ... that is letsencrypt-prod.

It will be the certificate resource which receive the LetsEncrypt validation successful process ...

I got TLS encryption and everything is OK here.

But now, I want to know how will be the renewal process. Because I am pretty sure at the moment this renewal certificate process it does not to happen automatically ...

I was reading something here https://docs.cert-manager.io/en/latest/reference/certificates.html?highlight=renewal#certificate-duration-and-renewal-window and this documentation says that is necessary attach to the certificate resource created (kind:Certificate) the spec.duration and spec.renewBefore attributes of this way

spec:
  secretName: example-tls
  duration: 24h
  renewBefore: 12h

If my certificate issued by LetsEncrypt has a 90 days as a default duration, how can I specify these spec.duration and spec.renewBefore attributes?

I want to get into in this concern, because my main question is I am not creating the certificate, it is created when the Ingress resource (above referenced) is executed.

How can I address the renewal process here with this approach that I am doing?

UPDATE

Do I need to create a specific kind:Certificate resource, referencing the secret that I got from LetsEncrypt?

I mean, something like this?

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: letsencrypt-prod
spec:
  secretName: letsencrypt-prod
  dnsNames:
  - mydomain.com
  acme:
    config:
    - http01:
        ingressClass: kong
      domains:
      - mydomain.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

I have the doubt here, because currently I am not getting the certificate renewal action