Refreshing cert-manager certificates
Your product Certificate manager service automatically refreshes certificates that are going to expire.
- Automatically refreshing leaf certificates created from a CA certificate
- Manually refreshing your certificates
- Disable restarting your service when a certificate is refreshed
Automatically refreshing leaf certificates created from a CA certificate (foundational services version 3.6.4 and later)
Cert-manager can be used to create a CA certificate. That CA certificate can then back a CA Issuer, and the CA Issuer can issue leaf certificates that are signed with the CA certificate. Cert-manager automatically renews the certificates it creates, and the ibm-cert-manager-operator extends the community project so that leaf certificates created from a CA certificate are also refreshed when that CA certificate is refreshed. A CA certificate and namespace can be specified, and leaf certificates based on that CA certificate are refreshed.
For more information, see Certificate Management Service settings.
Manually refreshing your certificates
Certificates that are generated by your product Certificate manager can be refreshed manually, before your product Certificate manager would refresh them, by following these steps:
- Determine the name of the Secret associated with your certificate. Run the kubectl get certificate command and note the namespace and Secret name listed next to your certificate:
  kubectl get certificate --all-namespaces
- Delete the Secret associated with the certificate you want to refresh:
  kubectl delete secret <secret name> -n <namespace>
NOTE: Your product Certificate manager re-creates the Secret for that certificate and automatically restarts any Pods associated with any Deployment, StatefulSet, and DaemonSet that uses that certificate.
NOTE: When you refresh your certificate, you reset the duration and renewBefore values of your new certificate. Unless your new certificate specifies values for the duration and renewBefore parameters, the following defaults are applied: a duration value of 90 days and a renewBefore value of 30 days.
- Wait for all the services that use that Secret to restart.
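As an added example (not part of this product documentation), a POSIX shell script that performs the steps above against a cluster: it reads the Secret name from the Certificate's spec.secretName, deletes the Secret, and polls until cert-manager has re-created it (detected by a changed Secret UID). It assumes kubectl is on PATH with access to the cluster; the certificate and Secret names are placeholders.

```shell
#!/bin/sh
# Added example (not from the product documentation): manual refresh of a
# cert-manager Certificate by deleting its Secret, then waiting for the
# Secret to be re-created. Assumes kubectl is on PATH with cluster access.

# Print "<namespace> <secretName>" for a Certificate.
# Usage: cert_secret_ref <certificate> <namespace>
cert_secret_ref() {
  kubectl get certificate "$1" -n "$2" \
    -o jsonpath='{.metadata.namespace}{" "}{.spec.secretName}'
}

# Delete the Secret behind a Certificate and poll until cert-manager has
# re-created it (detected by a changed Secret UID). Prints the Secret name.
# Usage: refresh_certificate <certificate> <namespace> [timeout-seconds]
refresh_certificate() {
  cert="$1"; ns="$2"; timeout="${3:-120}"
  ref=$(cert_secret_ref "$cert" "$ns") || return 1
  secret=${ref#* }
  if [ -z "$secret" ]; then
    echo "Certificate $ns/$cert has no spec.secretName" >&2
    return 1
  fi
  # UID of the current Secret; empty if it does not exist yet.
  old_uid=$(kubectl get secret "$secret" -n "$ns" \
    -o jsonpath='{.metadata.uid}' 2>/dev/null)
  kubectl delete secret "$secret" -n "$ns" || return 1
  i=0
  while [ "$i" -lt "$timeout" ]; do
    new_uid=$(kubectl get secret "$secret" -n "$ns" \
      -o jsonpath='{.metadata.uid}' 2>/dev/null)
    if [ -n "$new_uid" ] && [ "$new_uid" != "$old_uid" ]; then
      echo "$secret"
      return 0
    fi
    sleep 1
    i=$((i + 1))
  done
  echo "Timed out waiting for Secret $ns/$secret to be re-created" >&2
  return 2
}

# Stand-alone use (hypothetical file name): ./refresh.sh <certificate> <namespace> [timeout-seconds]
if [ "$#" -ge 2 ]; then
  refresh_certificate "$@"
fi
```

After the Secret is re-created, the product's Certificate manager restarts the Pods that use it; watch those rollouts separately (for example with kubectl rollout status) before treating the refresh as complete.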
Disable restarting your service when a certificate is refreshed
When you refresh a certificate by using your product Certificate manager service, it automatically restarts any Pods associated with any Deployment, StatefulSet, and DaemonSet that uses that Certificate.
You can disable this feature if you do not want your product Certificate manager to restart the Pods associated with your Deployment, StatefulSet, or DaemonSet.
To disable the feature, add the annotation certmanager.k8s.io/disable-auto-restart: "true" to your Kubernetes Deployment, StatefulSet, or DaemonSet YAML definition. For example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  annotations:
    certmanager.k8s.io/disable-auto-restart: "true"
...
DISCLAIMER: When your product Certificate manager restarts your service, extra ReplicaSets are created, and old ReplicaSets can remain. To limit the number of unused ReplicaSets that are kept, set spec.revisionHistoryLimit in your Deployment to a reasonable number. If spec.revisionHistoryLimit is not set, the default value is 10. For more information, see the Kubernetes documentation.