Refreshing leaf certificates (Installer)
Certificate chains in cert-manager follow this structure:

Issuer -> Certificate -> Issuer -> Certificate

A Certificate becomes a CA certificate when `isCA: true` is set in the spec section of its YAML. By default, when a CA certificate is renewed, the downstream (leaf) certificates signed by it are not renewed or refreshed.

The common-services-operator provides an opt-in feature that automatically refreshes leaf certificates when their CA certificate is renewed.
To opt in:

- Add the following label to the Certificate metadata: `ibm-common-services-operator/refresh-ca-chain: "true"`. For example:

  ```yaml
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    labels:
      ibm-common-services-operator/refresh-ca-chain: "true"
    name: example-ca-certificate
  spec:
    secretName: example-ca-certificate-secret
    issuerRef:
      name: example-issuer
      kind: Issuer
    commonName: example-ca-certificate
    isCA: true
  ```
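The problem this feature addresses, a leaf Secret still holding a certificate issued by a CA that has since been renewed, can be checked for offline. The following is an added example in Go, not code from the common-services-operator or from cert-manager; it assumes you have exported the leaf Secret's tls.crt and ca.crt and the issuer's current CA certificate as DER, and SimulateRenewal further assumes the renewal rotated the CA key pair (cert-manager rotationPolicy: Always) and builds its certificates as constructed test data. The same check applies to chains rooted in a Secret (next section).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// LeafStatus: BundledCAMatches is true when the leaf Secret's ca.crt equals the current
// CA cert; SignedByCurrentCA is true when its tls.crt verifies under the current CA key.
type LeafStatus struct{ BundledCAMatches, SignedByCurrentCA bool }
// CheckLeaf compares a leaf Secret (tls.crt and ca.crt as DER) with the issuer's current
// CA cert (DER). Both flags false means the leaf was never refreshed after the CA renewal.
func CheckLeaf(leafDER, bundledCADER, currentCADER []byte) (LeafStatus, error) {
	leaf, errLeaf := x509.ParseCertificate(leafDER)
	ca, errCA := x509.ParseCertificate(currentCADER)
	if errLeaf != nil || errCA != nil {
		return LeafStatus{}, fmt.Errorf("parse leaf: %v; parse CA: %v", errLeaf, errCA)
	}
	return LeafStatus{bytes.Equal(bundledCADER, currentCADER), leaf.CheckSignatureFrom(ca) == nil}, nil
}
// newCert builds constructed test data: a self-signed CA when parent is nil, else a leaf signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	cert, _ := x509.ParseCertificate(der)
	return der, cert, key
}
// SimulateRenewal assumes the CA renewal also rotates the CA key pair (rotationPolicy: Always).
// It returns the status of the untouched old leaf and of a leaf re-issued by the renewed CA.
func SimulateRenewal() (stale, refreshed LeafStatus) {
	caV1DER, caV1, caV1Key := newCert("example-ca-certificate", true, nil, nil)
	oldLeafDER, _, _ := newCert("example-leaf", false, caV1, caV1Key)
	caV2DER, caV2, caV2Key := newCert("example-ca-certificate", true, nil, nil) // renewed CA
	newLeafDER, _, _ := newCert("example-leaf", false, caV2, caV2Key)
	stale, _ = CheckLeaf(oldLeafDER, caV1DER, caV2DER)
	refreshed, _ = CheckLeaf(newLeafDER, caV2DER, caV2DER)
	return stale, refreshed
}
```

If the renewal reused the CA private key (cert-manager's default rotationPolicy), the old leaf's signature still verifies and only BundledCAMatches distinguishes it from a refreshed one.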
Refreshing leaf certificates based on secret
In cases where the Certificate chain starts from a Kubernetes Secret:

Secret -> Issuer -> Certificate

It is still possible to opt in to leaf certificate refresh. Possible use cases for such a structure are:

- A user-provided Secret that contains a certificate
- A Certificate Secret copied from another namespace
To opt in:

- Add the following label to the Secret metadata: `ibm-common-services-operator/refresh-ca-chain: "true"`. For example:

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    labels:
      ibm-common-services-operator/refresh-ca-chain: "true"
    name: example-ca-secret
  type: kubernetes.io/tls
  data:
    ca.crt: <certificate>
    tls.crt: <certificate>
    tls.key: <private key>
  ```