From 52e5b72f2e29667ed7638cc006f12425981af6b0 Mon Sep 17 00:00:00 2001
From: Hani Alshikh <39484930+HaniAlshikh@users.noreply.github.com>
Date: Wed, 7 Sep 2022 11:54:36 +0200
Subject: [PATCH] Change tls cert rotation policy to never and rotation docs (#236)

---
 .../helm/monoskope/templates/gateway/cert-auth.yaml | 2 +-
 docs/operation/04-k8s-auth.md | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/build/package/helm/monoskope/templates/gateway/cert-auth.yaml b/build/package/helm/monoskope/templates/gateway/cert-auth.yaml
index a90947b08..559eefce9 100644
--- a/build/package/helm/monoskope/templates/gateway/cert-auth.yaml
+++ b/build/package/helm/monoskope/templates/gateway/cert-auth.yaml
@@ -25,7 +25,7 @@ spec:
     - key encipherment
     - client auth
   privateKey:
-    rotationPolicy: Always
+    rotationPolicy: Never
     algorithm: RSA
     encoding: PKCS1
     size: 2048
diff --git a/docs/operation/04-k8s-auth.md b/docs/operation/04-k8s-auth.md
index 301183318..773b77565 100644
--- a/docs/operation/04-k8s-auth.md
+++ b/docs/operation/04-k8s-auth.md
@@ -106,3 +106,15 @@ Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.7", GitCom
 ```
 You're good to go!
+
+## Certificate rotation
+
+The certificate used by Monoskope to sign and verify k8s tokens has a long expire date by design.
+
+Rotating it can be done easily using the [cert-manager CLI](https://cert-manager.io/docs/reference/cmctl/#renew)
+
+```shell
+cmctl renew m8-monoskope-tls-cert
+```
+
+For more information see [here](https://cert-manager.io/docs/usage/certificate#actions-triggering-private-key-rotation)
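Review bot: Switching `rotationPolicy` to `Never` means cert-manager reuses the existing private key on every re-issuance, including the manual `cmctl renew` this commit documents, so the signing key for k8s tokens is never replaced unless the backing Secret is removed or the policy is changed; the template should say so, because the next reader will otherwise assume renewal also rotates the key. The reason for pinning the key (presumably so verifiers of previously issued tokens keep working) is not recorded anywhere in the hunk. Suggested comment above the changed line: `# Never: the token-signing key is kept across renewals; a renewal re-issues the certificate only. Rotate the key itself (e.g. after suspected compromise) by deleting the Secret or temporarily setting Always.`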
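Review bot: The new "Certificate rotation" section says rotation "can be done easily" with `cmctl renew`, but with the `rotationPolicy: Never` set in the same commit that command renews the certificate while reusing the private key, and the section never makes the certificate-vs-key distinction clear even though its last link points at key-rotation triggers. Add a sentence after the command, e.g. `Note: because the Certificate uses rotationPolicy: Never, this renews the certificate but keeps the existing private key; if the key itself must be replaced, see the linked cert-manager section on key rotation.` The phrase "has a long expire date by design" should read "has a long expiry by design", and it would help to state why (what breaks when the key changes) in one sentence. `cmctl renew` operates in a namespace, so the example should mention the namespace the Certificate is installed in.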