Refreshing cert-manager certificates
Your product Certificate manager service automatically refreshes certificates that are going to expire.
- Manually refreshing your certificates
- Disable restarting your service when a certificate is refreshed
Manually refreshing your certificates
To refresh a certificate that is generated by your product Certificate manager before the service tries to refresh it, follow these steps:
1. Determine the name of the Secret associated with your certificate. To find it, run the kubectl get certificate command and note the namespace and Secret name next to your certificate.
   kubectl get certificate --all-namespaces
2. Delete the Secret associated with the certificate you want to refresh.
   kubectl delete secret <secret name> -n <namespace>
   NOTE: Your product Certificate manager re-creates the Secret for that certificate and automatically restarts any Pods associated with any Deployment, StatefulSet, and DaemonSet that uses that certificate.
   NOTE: When you refresh your certificate, you reset the renewBefore values of your new certificate. Unless your new certificate specifies values for the renewBefore parameters, the following defaults are applied:
3. Wait for all the services that use that Secret to restart.
Disable restarting your service when a certificate is refreshed
When you refresh a certificate by using your product Certificate manager service, it automatically restarts any Pods associated with any Deployment, StatefulSet, and DaemonSet that uses that Certificate.
You can disable this feature if you do not want your product Certificate manager to restart the Pods associated with your Deployment, StatefulSet, or DaemonSet.
To disable the feature, provide the annotation certmanager.k8s.io/disable-auto-restart: "true" on your Kubernetes Deployment, StatefulSet, or DaemonSet YAML definition. For example:
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: nginx-deployment
    annotations:
      certmanager.k8s.io/disable-auto-restart: "true"
  ...
DISCLAIMER: When your product Certificate manager restarts your service, extra ReplicaSets are created. There can be old ReplicaSets that remain. To mitigate the problem of extra unused ReplicaSets, set the spec.revisionHistoryLimit in your Deployment to a reasonable number. If the spec.revisionHistoryLimit is not set, the default value is 10. For more information, see the Kubernetes documentation.
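When planning a manual refresh, it helps to know which workloads will be restarted by the service and which have opted out with the annotation and will keep the old certificate until you restart them yourself. The following is an added example, not product code; it assumes that a workload "uses" the certificate when its pod template mounts the Secret as a volume and that only the value "true" disables the restart, and all sample names and objects are constructed.

```python
import json

# Annotation named on this page; only the value "true" is treated as an opt-out (assumption).
DISABLE_ANNOTATION = "certmanager.k8s.io/disable-auto-restart"

def _workload(kind, namespace, name, secret, annotations=None):
    """Build a constructed workload object with one Secret volume (sample data only)."""
    return {
        "kind": kind,
        "metadata": {"namespace": namespace, "name": name, "annotations": annotations or {}},
        "spec": {"template": {"spec": {"volumes": [{"name": "tls", "secret": {"secretName": secret}}]}}},
    }

# Constructed sample in the shape returned by:
#   kubectl get deployments,statefulsets,daemonsets --all-namespaces -o json
SAMPLE = {"kind": "List", "items": [
    _workload("Deployment", "web", "nginx-deployment", "nginx-tls", {DISABLE_ANNOTATION: "true"}),
    _workload("StatefulSet", "web", "db", "nginx-tls"),
    _workload("Deployment", "web", "api", "nginx-tls", {DISABLE_ANNOTATION: "false"}),
    _workload("DaemonSet", "web", "agent", "other-tls"),
    _workload("Deployment", "staging", "nginx-deployment", "nginx-tls"),
]}

def uses_secret(workload, secret_name):
    """Assumption: a workload "uses" the certificate when its pod template mounts the Secret."""
    pod_spec = workload.get("spec", {}).get("template", {}).get("spec", {})
    return any((v.get("secret") or {}).get("secretName") == secret_name
               for v in pod_spec.get("volumes") or [])

def restart_plan(workload_list, namespace, secret_name):
    """Split workloads using the Secret into auto-restarted and opted-out (manual) groups."""
    plan = {"auto": [], "manual": []}
    for w in workload_list.get("items", []):
        meta = w.get("metadata", {})
        # Secrets are namespaced, so only workloads in the same namespace can mount this one.
        if meta.get("namespace") != namespace or not uses_secret(w, secret_name):
            continue
        opted_out = (meta.get("annotations") or {}).get(DISABLE_ANNOTATION) == "true"
        plan["manual" if opted_out else "auto"].append(f"{w['kind']}/{meta['name']}")
    return plan

if __name__ == "__main__":
    # Real use: pipe the kubectl output above into json.load(sys.stdin) instead of SAMPLE.
    print(json.dumps(restart_plan(SAMPLE, "web", "nginx-tls"), indent=2))
```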