fix(cert-manager): Ensure there is at least one leaf certificate renewal when renewing the CA (#712)

tete17 · wozniakjan · web-flow · commit c445ec15dd43 · 2024-12-04T14:46:46.000+01:00
* fix(cert-manager): Ensure there is at least one leaf certificate renewal when renewing the CA

The renewBefore value for the root ca was simply too low barely giving the leaf certificate any time
to renew itself. This leads to the root ca expiring before the leaf certificates expires.

By removing the renewBefore values we go back to the 2/3 default and as long as the leaf certificate
is only valid for half of the root it should be fine.

Signed-off-by: Miguel Sacristán Izcue &lt;miguel_tete17@hotmail.com&gt;

* set default `renewBefore` for CA to one third of duration

Signed-off-by: Jan Wozniak &lt;wozniak.jan@gmail.com&gt;

---------

Signed-off-by: Miguel Sacristán Izcue &lt;miguel_tete17@hotmail.com&gt;
Signed-off-by: Jan Wozniak &lt;wozniak.jan@gmail.com&gt;
Co-authored-by: Jan Wozniak &lt;wozniak.jan@gmail.com&gt;
diff --git a/keda/templates/cert-manager/self-ca.yaml b/keda/templates/cert-manager/self-ca.yaml
@@ -13,8 +13,8 @@ spec:
   privateKey:
     algorithm: RSA
     size: 2048
-  duration: 8760h0m0s # 1 year
-  renewBefore: 720h0m0s # 1 month
+  duration: 43800h0m0s     # 5 years
+  renewBefore: 14600h0m0s  # 1.6 year, 1/3rd of the duration
   issuerRef:
     name: {{ .Values.operator.name }}-selfsigned-issuer
     kind: Issuer
