I am working with cert-manager and kong-ingress-controller to enable https in kubernetes.

I am interested in figuring out how the renewal process works when I am just using a ClusterIssuer and the certificate that it generates by default when we use the ingress resource.

I am not using the kind: Certificate resource; this means that I am not defining an X.509 custom certificate to be signed and obtaining the validated certificate through the reference to my ClusterIssuer.

At the moment I've created a ClusterIssuer and one ingress resource, which automatically creates one certificate named letsencrypt-prod that will be used to perform the http01 validation between cert-manager and the Let's Encrypt CA.

Finally, I have this output:

I0321 10:49:48.505664       1 controller.go:162] certificates controller: syncing item 'default/letsencrypt-prod'
I0321 10:49:48.506008       1 conditions.go:143] Found status change for Certificate "letsencrypt-prod" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2019-03-21 10:49:48.506003434 +0000 UTC m=+168443.026129945
I0321 10:49:48.506571       1 sync.go:263] Certificate default/letsencrypt-prod scheduled for renewal in 1438h59m58.49343646s
I0321 13:57:46.226424       1 controller.go:168] certificates controller: Finished processing work item "default/letsencrypt-prod"
I0321 15:12:53.199067       1 controller.go:178] ingress-shim controller: syncing item 'default/kong-ingress-service'
I0321 15:12:53.199171       1 sync.go:183] Certificate "letsencrypt-prod" for ingress "kong-ingress-service" is up to date

This means that my certificate will be renewed in 1438h59m58.49343646s. This means approximately 3 months.

This means it will really be renewed automatically?

As indicated here:

The default duration for all certificates is 90 days and the default renewal window is 30 days. This means that certificates are considered valid for 3 months and renewal will be attempted within 1 month of expiration.

The cert-manager documentation says:

Although the duration and renewal periods are specified on the Certificate resources, the corresponding Issuer or ClusterIssuer must support this.

My Cluster Issuer is:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: my-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}

How can I manage the duration and renewBefore parameters if I am not creating a Certificate resource?

According to this, can I add the duration and renewBefore parameters in my ClusterIssuer? Maybe this way?

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: my-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}
  # ...
  duration: 24h
  renewBefore: 12h
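The scheduling arithmetic behind the "scheduled for renewal in 1438h59m58s" log line can be checked against the certificate cert-manager actually stored in the TLS secret. The script below is an added example, not code from the original post or from cert-manager itself: it parses a Go-style duration from the controller log, parses the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints, and compares the logged renewal instant with `notAfter - renewBefore` (30 days by default). The log line is the one from the question; the openssl output is constructed here to be consistent with it and is not a real Let's Encrypt certificate.

```python
"""Check cert-manager's scheduled renewal against the certificate it issued.

Added example (not code from the original post or from cert-manager).
cert-manager renews at notAfter - renewBefore; with the defaults quoted in
the question (90-day certificate, 30-day window) that is about 60 days
(1440h) after issuance, which is what the "scheduled for renewal in
1438h59m58s" log line reflects.
"""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_RENEW_BEFORE = timedelta(days=30)   # cert-manager's default renewal window

# Go-style duration as printed by cert-manager, e.g. "1438h59m58.49343646s" or "24h".
_GO_DURATION = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?$")
# Line emitted by the certificates controller when it schedules a renewal.
_RENEWAL_LOG = re.compile(r"Certificate (\S+) scheduled for renewal in (\S+)")
# klog prefix: level letter, MMDD, HH:MM:SS.microseconds (no year; caller supplies it).
_KLOG_PREFIX = re.compile(r"^[IWEF](\d{2})(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{6})")


def parse_go_duration(text):
    """Convert a Go duration string (h/m/s components only) into a timedelta."""
    m = _GO_DURATION.match(text.strip())
    if m is None or not any(m.groups()):
        raise ValueError(f"not a Go duration: {text!r}")
    hours, minutes, seconds = m.groups()
    return timedelta(hours=int(hours or 0), minutes=int(minutes or 0),
                     seconds=float(seconds or 0))


def parse_openssl_dates(text):
    """Parse `openssl x509 -noout -dates` output into (notBefore, notAfter), both UTC."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            stamp = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
            dates[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return dates["notBefore"], dates["notAfter"]


def renewal_time(not_before, not_after, renew_before=DEFAULT_RENEW_BEFORE):
    """Instant at which cert-manager attempts renewal: notAfter minus renewBefore."""
    if renew_before >= not_after - not_before:
        raise ValueError("renewBefore must be shorter than the certificate lifetime")
    return not_after - renew_before


def parse_renewal_log(line, year):
    """Return (certificate name, absolute renewal instant) from a scheduling log line."""
    m = _RENEWAL_LOG.search(line)
    t = _KLOG_PREFIX.match(line)
    if m is None or t is None:
        raise ValueError("not a renewal scheduling log line")
    month, day, hour, minute, second, micro = (int(x) for x in t.groups())
    logged_at = datetime(year, month, day, hour, minute, second, micro, tzinfo=timezone.utc)
    return m.group(1), logged_at + parse_go_duration(m.group(2))


def check_schedule(log_line, openssl_dates, year, renew_before=DEFAULT_RENEW_BEFORE,
                   tolerance=timedelta(minutes=5)):
    """Compare the renewal instant cert-manager logged with the one implied by the issued cert.

    Returns (name, expected, logged, ok). A large gap means the controller is working
    from a different certificate or a different renewBefore than you think.
    """
    not_before, not_after = parse_openssl_dates(openssl_dates)
    expected = renewal_time(not_before, not_after, renew_before)
    name, logged = parse_renewal_log(log_line, year)
    return name, expected, logged, abs(expected - logged) <= tolerance


# Log line from the question, and a constructed `openssl x509 -noout -dates` output for a
# 90-day certificate chosen to be consistent with it (not a real Let's Encrypt certificate).
SAMPLE_LOG = ("I0321 10:49:48.506571       1 sync.go:263] Certificate default/letsencrypt-prod "
              "scheduled for renewal in 1438h59m58.49343646s")
SAMPLE_DATES = "notBefore=Mar 21 09:49:48 2019 GMT\nnotAfter=Jun 19 09:49:48 2019 GMT\n"

if __name__ == "__main__":
    name, expected, logged, ok = check_schedule(SAMPLE_LOG, SAMPLE_DATES, year=2019)
    print(f"{name}: expected renewal {expected:%Y-%m-%d %H:%M:%S}Z, "
          f"logged {logged:%Y-%m-%d %H:%M:%S}Z, consistent={ok}")
```

To run it against your own cluster, pull the issued certificate out of the secret that ingress-shim created (named after the ingress's `tls.secretName`; `letsencrypt-prod` below is an assumption based on the question) with `kubectl get secret letsencrypt-prod -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates`, and feed that output together with the controller's scheduling log line to `check_schedule`. If `ok` is false, the controller is not scheduling from the certificate you are looking at, which is the first thing to establish before suspecting that renewal is not happening.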

1 Answer

This is not supported on the issuers/clusterissuers, only on certificates. You can create an admission controller to mutate certificates, or you can have a cronjob to update certificate resources after they are created.

  • How can I create these admission controllers? – bgarcial Mar 26 '19 at 13:26
  • As far as my understanding goes, you'd need to code for that, so like a program – 4c74356b41 Mar 26 '19 at 13:31
  • Yes, of course, maybe you have some example or can point me in some direction to build it? – bgarcial Mar 26 '19 at 13:42
  • https://github.com/jbeda/tgik-controller I think this would be a great place to start. Maybe this would help as well: https://banzaicloud.com/blog/k8s-admission-webhooks/. But I haven't done this, so can't really help, sorry – 4c74356b41 Mar 26 '19 at 13:54
  • Great! I have to follow that series. One more question please: anyway, at this moment in my current implementation described in my question, does `cert-manager` take care of the certificate renewal process? – bgarcial Mar 26 '19 at 13:57
  • Yes it does, you don't have to do anything, it will just recreate the cert for you (or at least attempt to) – 4c74356b41 Mar 26 '19 at 13:59
  • The `CronJob` approach is only used if I create a `kind: Certificate` resource? – bgarcial Mar 26 '19 at 14:17
  • I've never done that, but you can use a cronjob to run custom code on a schedule, so that would work. With ingress resources it tracks certificate lifetime on its own and renews it – 4c74356b41 Mar 26 '19 at 14:18
  • Could you check [this question](https://stackoverflow.com/questions/57903159/cert-manager-certificate-renewal-process-how-it-is-performed) please? Evidently the certificate is not being recreated automatically by default. – bgarcial Sep 12 '19 at 09:00