Enabling automatic refresh of CA signed certificates
Certificates are automatically renewed by the cert-manager-controller pod; however, that renewal is triggered only by each certificate's own expiration time.
When a CA certificate is renewed, the certificates signed by the CA, such as the downstream or leaf certificates, are not automatically renewed by default.
To enable automatic refresh of CA signed certificates, add the ibm-cert-manager-operator/refresh-ca-chain: "true" label to the labels section of the CA certificate resource (metadata.labels, as in the example below).
The following is an example of a CA certificate with the ibm-cert-manager-operator/refresh-ca-chain: "true" label:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: hello-ca-tls
  namespace: foobar
  labels:
    ibm-cert-manager-operator/refresh-ca-chain: "true"
spec:
  secretName: hello-deployment-tls-ca-key-pair
  isCA: true
  issuerRef:
    name: hello-myself-tls
    kind: Issuer
  dnsNames:
  - foo1.bar1
Adding the refresh label flags the CA certificate so that cert-manager-operator renews all certificates that are signed by this CA.