Skip to content

Document webhook certificate renewal after system suspend#2181

Merged
cert-manager-prow[bot] merged 1 commit into
cert-manager:release-nextfrom
wallrj-cyberark:8464-webhook-renewal-docs
Jun 29, 2026
Merged

Document webhook certificate renewal after system suspend#2181
cert-manager-prow[bot] merged 1 commit into
cert-manager:release-nextfrom
wallrj-cyberark:8464-webhook-renewal-docs

Conversation

@wallrj-cyberark

@wallrj-cyberark wallrj-cyberark commented Jun 29, 2026

Copy link
Copy Markdown
Member

Preview:

Pull Request Motivation

cert-manager/cert-manager#8464 fixes a bug where the webhook serving certificate
is not renewed after system suspend (S3/S4) or VM live migration. This PR adds
documentation for the fix ahead of the 1.21 release.

Changes

  • Release notes (release-notes-1.21.md): add a Major Themes entry
    explaining the bug (monotonic clock stops during suspend, one-shot timer never
    fires) and the fix (periodic ticker polling wall-clock time). Add a Bug or
    Regression changelog entry.
  • Webhook concepts (concepts/webhook.md): note that since 1.21, automatic
    renewal is resilient to system suspend and VM live migration.
  • Webhook troubleshooting (troubleshooting/webhook.md): expand the
    previously stub "x509: certificate has expired" section with the system suspend
    root cause, upgrade path, and restart workaround.

Testing

Visual review of the three modified pages.

@cert-manager-prow cert-manager-prow Bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 29, 2026
@netlify

netlify Bot commented Jun 29, 2026

Copy link
Copy Markdown

Deploy Preview for cert-manager ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 3f1117c
🔍 Latest deploy log https://app.netlify.com/projects/cert-manager/deploys/6a42b37ffd2f7000089db5ed
😎 Deploy Preview https://deploy-preview-2181--cert-manager.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds documentation for the cert-manager 1.21 fix that ensures the webhook’s self-signed serving certificate renews correctly after system suspend (S3/S4) or VM live migration, preventing post-resume x509: certificate has expired or is not yet valid webhook failures.

Changes:

  • Expands webhook troubleshooting guidance for expired serving certificates with root cause, upgrade guidance, and a restart workaround.
  • Adds a “Major Themes” release-notes entry explaining the pre-1.21 failure mode and the 1.21 renewal behavior, plus a changelog bullet under “Bug or Regression”.
  • Updates webhook concepts documentation to note renewal resilience since 1.21.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
content/docs/troubleshooting/webhook.md Documents suspend/migration as a known cause of webhook serving cert expiry errors and provides remediation guidance.
content/docs/releases/release-notes/release-notes-1.21.md Adds a Major Themes narrative and a Bug/Regression changelog entry for the webhook renewal fix.
content/docs/concepts/webhook.md Notes that dynamic serving certificate renewal is resilient to suspend/migration starting in 1.21.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread content/docs/troubleshooting/webhook.md
Comment thread content/docs/releases/release-notes/release-notes-1.21.md
Add a Major Themes entry to the 1.21 release notes explaining the
webhook serving certificate renewal fix for system suspend and VM live
migration (cert-manager/cert-manager#8464).

Add a note to the webhook concepts page about the renewal resilience
improvement in 1.21.

Expand the troubleshooting section for "x509: certificate has expired"
with the system suspend root cause and the upgrade path.

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
@wallrj-cyberark wallrj-cyberark force-pushed the 8464-webhook-renewal-docs branch from 40e431c to 3f1117c Compare June 29, 2026 18:03
@wallrj-cyberark wallrj-cyberark requested a review from wallrj June 29, 2026 18:03
@wallrj

wallrj commented Jun 29, 2026

Copy link
Copy Markdown
Member

/lgtm
/approve

@cert-manager-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow Bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jun 29, 2026
@cert-manager-prow cert-manager-prow Bot merged commit 845087a into cert-manager:release-next Jun 29, 2026
7 checks passed
@wallrj-cyberark wallrj-cyberark deleted the 8464-webhook-renewal-docs branch June 29, 2026 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants