certmanager: solve CannotRegenerateKey
`CertManager` throws a warning with the current Helm chart because the `.spec.privateKey.rotationPolicy` is unset.

```
  Type     Reason               Age   From                                   Message
  ----     ------               ----  ----                                   -------
  Warning  CannotRegenerateKey  12m   cert-manager-certificates-key-manager  User intervention required: existing private key in Secret "hubble-relay-client-certs" does not match requirements on Certificate resource, mismatching fields: [spec.privateKey.algorithm[], but cert-manager cannot create new private key as the Certificate's .spec.privateKey.rotationPolicy is unset or set to Never. To allow cert-manager to create a new private key you can set .spec.privateKey.rotationPolicy to 'Always' (this will result in the private key being regenerated every time a cert is renewed)
```

Signed-off-by: Samuel Lang <gh@lang-sam.de>
universam1 committed Oct 31, 2023
1 parent 4f08f6c commit c0d3b1f
Showing 4 changed files with 8 additions and 0 deletions.
Expand Up @@ -17,4 +17,6 @@ spec:
dnsNames:
- "*.hubble-relay.cilium.io"
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
privateKey:
rotationPolicy: Always
{{- end }}
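Review bot: `rotationPolicy: Always` is hard-coded under `privateKey:` here, and the cert-manager message quoted in the commit description says this setting regenerates the private key every time the certificate is renewed. Consider reading the policy from a chart value kept next to `.Values.hubble.tls.auto.certValidityDuration` (the value name would be new, none is visible in this diff), defaulting to `Always`, so operators whose clients cannot reload a changed key have a way to opt out.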
Expand Up @@ -26,4 +26,6 @@ spec:
{{- end }}
{{- end }}
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
privateKey:
rotationPolicy: Always
{{- end }}
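Review bot: the `privateKey:` block added after `duration:` sets only `rotationPolicy`, while the warning this commit addresses reports a mismatch on `spec.privateKey.algorithm`. With `algorithm` left unset, the replacement key will use cert-manager's default rather than the algorithm of the key currently in the Secret. If a specific key type is intended, state `algorithm` (and `size`) explicitly in this block; if the default is intended, say so in the commit message.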
Expand Up @@ -27,4 +27,6 @@ spec:
{{- end }}
{{- end }}
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
privateKey:
rotationPolicy: Always
{{- end }}
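Review bot: missing upgrade documentation for the two lines added before the closing `{{- end }}`. Once `rotationPolicy: Always` is rendered, cert-manager is allowed to replace the existing private key in the Secret, which until now required user intervention according to the quoted warning. Add an upgrade note, or a template comment above `privateKey:`, saying that the key pair will change on the next issuance and that consumers of the Secret need to pick up the new key.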
Expand Up @@ -17,4 +17,6 @@ spec:
dnsNames:
- "*.hubble-ui.cilium.io"
duration: {{ printf "%dh0m0s" (mul .Values.hubble.tls.auto.certValidityDuration 24) }}
privateKey:
rotationPolicy: Always
{{- end }}
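Review bot: style point on `privateKey:` / `rotationPolicy: Always`: this is the fourth template carrying the identical two-line block (4 changed files, 8 additions). A shared named template included from each Certificate would keep the policy in one place and prevent the four copies from drifting apart when the setting is later changed.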
