Refreshing cert-manager certificates

Your product Certificate manager service automatically refreshes certificates that are about to expire.

Manually refreshing your certificates

Certificates that are generated by your product Certificate manager can be refreshed manually, before your product Certificate manager would refresh them automatically, by following these steps:

  1. Determine the name of the Secret associated with your certificate. You can find it by running the kubectl get certificate command and noting the namespace and Secret name that are listed next to your certificate.

     kubectl get certificate --all-namespaces
    
  2. Delete the Secret associated with the certificate you want to refresh.

     kubectl delete secret <secret name> -n <namespace>
    

    NOTE: Your product Certificate manager re-creates the Secret for that certificate and automatically restarts any Pods associated with any Deployment, StatefulSet, or DaemonSet that uses that certificate.

    NOTE: When you refresh your certificate, the duration and renewBefore values start over for the new certificate. Unless your new certificate specifies values for the duration and renewBefore parameters, the following defaults are applied:

    • duration value of 90 days
    • renewBefore value of 30 days
  3. Wait for all the services that use that Secret to restart.
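The three manual steps above as a single shell script that also verifies that the refresh actually happened. This is an added example for this page, not code from the original document or from cert-manager; it assumes a cert-manager Certificate resource with spec.secretName and a Ready condition, and kubectl in PATH.

```shell
#!/bin/sh
# Manually refresh a cert-manager Certificate by deleting its Secret, then
# verify that cert-manager really re-issued it. Added example for this page,
# not from the original document or from cert-manager itself. Assumes the
# cert-manager Certificate resource with .spec.secretName and a Ready
# condition, and kubectl in PATH.
set -eu

# Step 1: resolve the backing Secret from the Certificate itself, so the
# wrong Secret is never deleted on the strength of a guessed name.
secret_for_certificate() {
  kubectl get certificate "$1" -n "$2" -o jsonpath='{.spec.secretName}'
}

# Base64 tls.crt of a Secret (empty string if the Secret does not exist yet).
secret_cert() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' 2>/dev/null || true
}

# Steps 2 and 3: delete the Secret and wait until a *different* certificate is
# in place and the Certificate reports Ready. Returns 1 on timeout.
refresh_certificate() {
  cert=$1; ns=$2; timeout=${3:-120}
  secret=$(secret_for_certificate "$cert" "$ns")
  [ -n "$secret" ] || { echo "certificate $ns/$cert has no spec.secretName" >&2; return 1; }
  old=$(secret_cert "$secret" "$ns")
  kubectl delete secret "$secret" -n "$ns"
  waited=0
  while [ "$waited" -lt "$timeout" ]; do
    new=$(secret_cert "$secret" "$ns")
    if [ -n "$new" ] && [ "$new" != "$old" ]; then
      kubectl wait --for=condition=Ready "certificate/$cert" -n "$ns" --timeout="$((timeout - waited))s"
      echo "refreshed $ns/$secret; dependent Pods restart unless disable-auto-restart is set"
      return 0
    fi
    sleep 2; waited=$((waited + 2))
  done
  echo "timed out waiting for cert-manager to re-create $ns/$secret" >&2
  return 1
}

if [ "$#" -ge 2 ]; then
  refresh_certificate "$@"
fi
```

Run it as `./refresh.sh <certificate name> <namespace> [timeout seconds]`; a non-zero exit means the Secret was not re-created in time and the dependent services should not be assumed healthy.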

Disable restarting your service when a certificate is refreshed

When you refresh a certificate by using your product Certificate manager service, it automatically restarts any Pods associated with any Deployment, StatefulSet, or DaemonSet that uses that certificate.

You can disable this feature if you do not want your product Certificate manager to restart the Pods associated with your Deployment, StatefulSet, or DaemonSet.

To disable the feature, add the annotation certmanager.k8s.io/disable-auto-restart: "true" to the YAML definition of your Kubernetes Deployment, StatefulSet, or DaemonSet. For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  annotations:
    certmanager.k8s.io/disable-auto-restart: "true"
...

DISCLAIMER: When your product Certificate manager restarts your service, extra ReplicaSets are created, and old ReplicaSets can remain. To limit the number of unused ReplicaSets, set spec.revisionHistoryLimit in your Deployment to a reasonable number. If spec.revisionHistoryLimit is not set, the default value is 10. For more information, see the Kubernetes documentation.