Enabling automatic refresh of CA signed certificates

Certificates are automatically renewed by the cert-manager-controller pod; however, that renewal is triggered by each certificate's own expiration time.

When a CA certificate is renewed, the certificates signed by that CA (the downstream or leaf certificates) are not automatically renewed by default, so they continue to chain to the previous CA certificate until their own renewal is due.

To enable automatic refresh of CA signed certificates, add the ibm-cert-manager-operator/refresh-ca-chain: "true" label to the CA Certificate resource (under metadata.labels, as shown in the following example). The value must be the quoted string "true": Kubernetes label values are strings, so an unquoted YAML true is rejected by the API server.

The following is an example of a CA certificate with the ibm-cert-manager-operator/refresh-ca-chain: "true" label:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-ca-tls
  namespace: foobar
  labels:
    ibm-cert-manager-operator/refresh-ca-chain: "true"
spec:
  secretName: hello-deployment-tls-ca-key-pair
  isCA: true
  issuerRef:
    name: hello-myself-tls
    kind: Issuer
  dnsNames:
  - foo1.bar1

By adding the refresh label, the CA certificate is flagged so that cert-manager-operator renews all certificates signed by this CA whenever the CA certificate itself is renewed.
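The following is an added example, not IBM's or cert-manager's own code, that checks whether a CA Certificate manifest carries the refresh label correctly and produces the JSON merge patch you would hand to kubectl patch to add it to an existing object. The manifest is constructed inline from the example above (the "not-a-ca" and "bad-value" outcomes are checks added here; the label name and the string value "true" come from the page), so the script runs offline with the standard library only.

```python
"""Check and flag a cert-manager CA Certificate for CA-chain refresh.

Added example, not IBM's or cert-manager's code. Manifests are plain dicts
built inline so this runs offline; in a cluster you would load them from
`kubectl get certificate -o json` instead.
"""
import json

REFRESH_LABEL = "ibm-cert-manager-operator/refresh-ca-chain"

# Constructed manifest mirroring the page's example CA Certificate (no label yet).
CA_CERT = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Certificate",
    "metadata": {"name": "hello-ca-tls", "namespace": "foobar"},
    "spec": {
        "secretName": "hello-deployment-tls-ca-key-pair",
        "isCA": True,
        "issuerRef": {"name": "hello-myself-tls", "kind": "Issuer"},
        "dnsNames": ["foo1.bar1"],
    },
}


def refresh_status(cert: dict) -> str:
    """Classify how a Certificate manifest relates to the refresh label.

    Returns one of:
      "flagged"     - CA certificate carrying the label with string value "true"
      "bad-value"   - label present but the value is not the string "true"
                      (an unquoted YAML `true` parses to a bool, which the
                      Kubernetes API rejects as a label value)
      "not-flagged" - CA certificate without the label
      "not-a-ca"    - spec.isCA is not true; the label does nothing here
    """
    if cert.get("kind") != "Certificate":
        raise ValueError("expected a cert-manager Certificate manifest")
    if cert.get("spec", {}).get("isCA") is not True:
        return "not-a-ca"
    labels = cert.get("metadata", {}).get("labels") or {}
    if REFRESH_LABEL not in labels:
        return "not-flagged"
    value = labels[REFRESH_LABEL]
    if isinstance(value, str) and value == "true":
        return "flagged"
    return "bad-value"


def flag_for_refresh(cert: dict) -> dict:
    """Return a copy of a CA Certificate manifest with the refresh label set.

    The input dict is left untouched; refuses non-CA certificates so the
    label is not sprinkled onto leaf certificates where it has no effect.
    """
    if cert.get("spec", {}).get("isCA") is not True:
        raise ValueError("refresh-ca-chain only applies to CA certificates (spec.isCA: true)")
    flagged = json.loads(json.dumps(cert))  # deep copy via JSON round-trip
    flagged.setdefault("metadata", {}).setdefault("labels", {})[REFRESH_LABEL] = "true"
    return flagged


def merge_patch(cert: dict) -> str:
    """JSON merge patch that adds the label to an already-applied Certificate.

    Intended use (assumed invocation, run against your own cluster):
      kubectl patch certificate <name> -n <namespace> --type merge -p '<patch>'
    """
    flag_for_refresh(cert)  # reuse the isCA validation before emitting a patch
    patch = {"metadata": {"labels": {REFRESH_LABEL: "true"}}}
    return json.dumps(patch, separators=(",", ":"))


if __name__ == "__main__":
    print(refresh_status(CA_CERT))                    # not-flagged
    print(refresh_status(flag_for_refresh(CA_CERT)))  # flagged
    print(merge_patch(CA_CERT))
```

Run the script as-is to see the three outcomes; to audit a live namespace, feed each item of `kubectl get certificate -n <namespace> -o json` into refresh_status and look for CA certificates reported as "not-flagged" or "bad-value".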