fix(cert-manager): Ensure there is at least one leaf certificate renewal when renewing the CA #712

Merged
merged 2 commits into from
Dec 4, 2024

tete17
Contributor

@tete17 tete17 commented Nov 22, 2024

The renewBefore value for the root CA was simply too low, barely giving the leaf certificate any time to renew itself. This leads to the root CA expiring before the leaf certificates expire.

By removing the renewBefore values we go back to the 2/3 default and as long as the leaf certificate is only valid for half of the root it should be fine.

Provide a description of what has been changed

Checklist

  • I have verified that my change is according to the deprecations & breaking changes policy
  • Commits are signed with Developer Certificate of Origin (DCO - learn more)
  • README is updated with new configuration values (if applicable) learn more
  • A PR is opened to update KEDA core (repo) (if applicable, ie. when deployment manifests are modified)

Fixes #710

@tete17 tete17 requested a review from a team as a code owner November 22, 2024 13:37
keda/README.md Outdated
keda/templates/cert-manager/self-ca.yaml Outdated
…wal when renewing the CA

The renewBefore value for the root CA was simply too low, barely giving the leaf certificate any time
to renew itself. This leads to the root CA expiring before the leaf certificates expire.

By removing the renewBefore values we go back to the 2/3 default and as long as the leaf certificate
is only valid for half of the root it should be fine.

Signed-off-by: Miguel Sacristán Izcue <miguel_tete17@hotmail.com>
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
@wozniakjan wozniakjan merged commit c445ec1 into kedacore:main Dec 4, 2024
36 checks passed
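The timing problem this PR describes can be checked numerically. The following is an added example, not code from the PR or the KEDA chart: it computes how long a leaf signed by the old CA can remain in use after that CA has expired. The durations are constructed, and the model assumes that rotating the CA does not by itself re-issue the leaf and that an unset renewBefore means renewal at 2/3 of the lifetime.

```python
from datetime import timedelta
from typing import Optional

def renew_before(duration: timedelta, explicit: Optional[timedelta]) -> timedelta:
    # Unset renewBefore: cert-manager renews at 2/3 of the lifetime,
    # i.e. 1/3 of the duration before expiry.
    return explicit if explicit is not None else duration / 3

def stale_chain_gap(ca_dur, ca_rb, leaf_dur, leaf_rb, leaf_offset):
    """Time a leaf signed by the old CA stays in use after that CA expired.

    Model (assumption): the CA is issued at t=0 and rotated once at
    ca_dur - renewBefore; the leaf is first issued at leaf_offset and
    re-issued every leaf_dur - renewBefore by whichever CA is current.
    """
    ca_rotates = ca_dur - renew_before(ca_dur, ca_rb)
    period = leaf_dur - renew_before(leaf_dur, leaf_rb)
    t = leaf_offset
    while t < ca_rotates:          # walk to the first issuance by the new CA
        t += period
    return max(t - ca_dur, timedelta(0))

def worst_gap(ca_dur, ca_rb, leaf_dur, leaf_rb, step=timedelta(hours=1)):
    """Worst case over every leaf issuance phase within one renewal period."""
    period = leaf_dur - renew_before(leaf_dur, leaf_rb)
    worst, offset = timedelta(0), timedelta(0)
    while offset < period:
        worst = max(worst, stale_chain_gap(ca_dur, ca_rb, leaf_dur, leaf_rb, offset))
        offset += step
    return worst

if __name__ == "__main__":
    d = lambda n: timedelta(days=n)
    # Constructed durations, not the chart's values.
    print("CA 90d, renewBefore 1d, leaf 45d :", worst_gap(d(90), d(1), d(45), None))
    print("CA 90d, default,        leaf 45d :", worst_gap(d(90), None, d(45), None))
    print("CA 90d, default,        leaf 90d :", worst_gap(d(90), None, d(90), None))
```

With defaults on both certificates, a leaf valid for half the CA lifetime renews every 1/3 of the CA lifetime, which exactly matches the CA's renewal window, so the gap is zero only up to that ratio.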
Development

Successfully merging this pull request may close these issues.

Wrong Renew Before default values in cert-manager integrations leads to certificate expired
3 participants