fix: chart: update cert-manager cert. duration (external-secrets#2986)
Update cert-manager certificate duration to 1 year in the Helm chart.

This commit resolves a timing issue in the external-secrets Helm chart,
where the default certificate duration was previously not explicitly
set. This lack of specification led to conflicts with the cert-manager's
lookahead interval. By setting the `webhook.certManager.cert.duration`
to "8760h" (one year), we ensure that cert-manager will renew the
certificate before the external-secrets webhook starts to report issues,
and restarts, due to the certificate nearing expiration (as per the
lookahead interval).

This solution has been discussed in
external-secrets#2519.

Signed-off-by: Thibault Gérondal <tgerondal@emasphere.com>
Signed-off-by: Sai Charan Godasi <saicharangodasi@Sais-MacBook-Air.local>
Tycale authored and Sai Charan Godasi committed Jan 22, 2024
1 parent dbdc875 commit d978215
Showing 2 changed files with 3 additions and 2 deletions.
2 changes: 1 addition & 1 deletion deploy/charts/external-secrets/README.md
Expand Up @@ -153,7 +153,7 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
| webhook.certManager.cert.duration | string | `""` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec |
| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
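Review bot: In the `webhook.certManager.cert.duration` row, the added sentence `One year by default.` follows the URL with no separator, so the rendered link and the explanation run together; since this table is generated from the `# --` comment in values.yaml, the fix belongs there (put the sentence before `See https://...` or on its own line) rather than in a hand edit of the README. The row also gives no reason for the chosen value: the `webhook.certManager.cert.renewBefore` row just below still defaults to `""` and warns that renewBefore should exceed `.webhook.lookaheadInterval`, yet nothing in the duration row ties the new one-year default to that constraint, which is the whole point of the change according to the commit message.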
3 changes: 2 additions & 1 deletion deploy/charts/external-secrets/values.yaml
Expand Up @@ -271,7 +271,8 @@ webhook:
name: "my-issuer"
# -- Set the requested duration (i.e. lifetime) of the Certificate. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
duration: ""
# One year by default.
duration: "8760h"
# -- How long before the currently issued certificate’s expiry
# cert-manager should renew the certificate. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
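Review bot: `# One year by default.` is placed after the URL line inside the `# --` description block, so the generated README text becomes the run-on `See https://... One year by default.` visible in the README hunk; move it ahead of the `See` line, e.g. `# -- Set the requested duration (i.e. lifetime) of the Certificate. One year by default. See` with the URL on the next line. A short comment explaining why `8760h` was chosen would also help: `renewBefore` directly below is still left at its empty default while its own comment says it should be greater than the webhook lookahead interval, and a reader changing `duration` later has no hint that the renewal point must stay ahead of that interval.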
