Enabling automatic refresh of CA signed certificates
Certificates are renewed automatically by the cert-manager-controller pod, but renewal is triggered only by each certificate's own expiration time.
When a CA certificate is renewed, the certificates signed by the CA, such as the downstream or leaf certificates, are not automatically renewed by default.
To enable automatic refresh of CA signed certificates, add the ibm-cert-manager-operator/refresh-ca-chain: "true" label to the CA certificate.
The following is an example of a CA certificate with the ibm-cert-manager-operator/refresh-ca-chain: "true" label:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-ca-tls
  namespace: foobar
  labels:
    ibm-cert-manager-operator/refresh-ca-chain: "true"
spec:
  secretName: hello-deployment-tls-ca-key-pair
  isCA: true
  issuerRef:
    name: hello-myself-tls
    kind: Issuer
  dnsNames:
    - foo1.bar1
```
By adding the refresh label, the CA certificate is flagged so that cert-manager-operator renews all certificates that are signed by this CA whenever the CA certificate itself is renewed.
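As an added audit example (not part of the original documentation), the script below takes the JSON that `kubectl get certificates,issuers -A -o json` produces and reports CA certificates that lack the refresh label together with the leaf certificates that would keep a stale chain after the CA is renewed. The sample objects, the Issuer names and the `legacy-ca-tls` CA are constructed for illustration; the CA-to-leaf link is inferred through an Issuer whose `spec.ca.secretName` matches the CA's `spec.secretName`.

```python
"""Find CA Certificates missing ibm-cert-manager-operator/refresh-ca-chain
and the leaf Certificates that depend on them (constructed sample data)."""
import json

REFRESH_LABEL = "ibm-cert-manager-operator/refresh-ca-chain"


def has_refresh_label(cert):
    labels = cert.get("metadata", {}).get("labels") or {}
    return labels.get(REFRESH_LABEL) == "true"


def stale_chain_risks(items):
    """Return {"ns/ca-name": [leaf names]} for CA certs without the label."""
    certs = [o for o in items if o.get("kind") == "Certificate"]
    issuers = [o for o in items if o.get("kind") == "Issuer"]
    risks = {}
    for ca in certs:
        if not ca["spec"].get("isCA") or has_refresh_label(ca):
            continue
        ns = ca["metadata"]["namespace"]
        # Namespaced Issuers that sign with this CA's key pair secret
        signers = {i["metadata"]["name"] for i in issuers
                   if i["metadata"]["namespace"] == ns
                   and i["spec"].get("ca", {}).get("secretName") == ca["spec"]["secretName"]}
        # Leaf certs whose issuerRef (kind defaults to Issuer) points at one of them
        leaves = [c["metadata"]["name"] for c in certs
                  if c["metadata"]["namespace"] == ns and not c["spec"].get("isCA")
                  and c["spec"]["issuerRef"].get("kind", "Issuer") == "Issuer"
                  and c["spec"]["issuerRef"]["name"] in signers]
        if leaves:
            risks[f"{ns}/{ca['metadata']['name']}"] = sorted(leaves)
    return risks


def audit_kubectl_json(text):
    """Accept the raw output of kubectl ... -o json (a List with 'items')."""
    return stale_chain_risks(json.loads(text).get("items", []))


def _obj(kind, name, ns, spec, labels=None):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns, "labels": labels or {}}, "spec": spec}


# Constructed sample: hello-ca-tls carries the label, legacy-ca-tls does not.
SAMPLE = [
    _obj("Certificate", "hello-ca-tls", "foobar", {"secretName": "hello-deployment-tls-ca-key-pair", "isCA": True,
         "issuerRef": {"name": "hello-myself-tls", "kind": "Issuer"}}, {REFRESH_LABEL: "true"}),
    _obj("Certificate", "legacy-ca-tls", "foobar", {"secretName": "legacy-ca-key-pair", "isCA": True,
         "issuerRef": {"name": "hello-myself-tls", "kind": "Issuer"}}),
    _obj("Issuer", "hello-ca-issuer", "foobar", {"ca": {"secretName": "hello-deployment-tls-ca-key-pair"}}),
    _obj("Issuer", "legacy-ca-issuer", "foobar", {"ca": {"secretName": "legacy-ca-key-pair"}}),
    _obj("Certificate", "web-tls", "foobar", {"secretName": "web-tls", "issuerRef": {"name": "hello-ca-issuer"}}),
    _obj("Certificate", "api-tls", "foobar", {"secretName": "api-tls", "issuerRef": {"name": "legacy-ca-issuer"}}),
]

if __name__ == "__main__":
    print(json.dumps(stale_chain_risks(SAMPLE), indent=2))
```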