VPA Certificate validity duration

[qqmelanie]

Hello,
First of all, thank you for your work!
We're using VPA chart and it would be very useful to have ability to set certificate validity duration.

At the moment certificates are valid for 365 days and it's an issue for long-lived clusters, even though extended validity can be a security concern.
We would love to submit a PR if you're interested in such changes.

Thanks.

charts/charts/vertical-pod-autoscaler/templates/admission-controller/tls-secret.yaml

Lines 3 to 6 in 6190d9e

	{{- $ca := genCA (include "vertical-pod-autoscaler.admissionController.fullname" .) 365 }}
	# {{- $cn := printf "%s.%s.svc" (include "vertical-pod-autoscaler.admissionController.fullname" .) .Release.Namespace }}
	{{- $cn := printf "%s.%s.svc" "vpa-webhook" .Release.Namespace }}
	{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }}

[sebastien-prudhomme]

Hi @qqmelanie, in these charts I try to copy what Bitnami is doing in their charts: https://github.com/bitnami/charts/tree/master/bitnami

Each time they need certificates they use a fixed value of 365 days for the default auto-signed certificate, that's the reason I also use 365 days.

For your need, what you can do is:

• generating your own certificates (CA and admission controller certificate) and configure admissionController.tls.* parameters (in PEM format)
• generating your own secret outside of the chart and use admissionController.tls.existingSecret. You can use a tool such as cert-manager if you have yet this tool: https://cert-manager.io/

The only requirement is to have a Common Name in the certificate with the admission controller service name : vpa-webhook.<namespace>.svc

[qqmelanie]

Hey! Got it, thanks. cert-manager is a great tool, but I thought there can be an easier way.
Anyway, thanks, I'm closing the issue.