cert-manager certificate always update when "helm install" command is executed.

[rafaelDev0ps]

I already searched in cert-manager docs about this behavior but I not found. I have cert-manager chart in my personal kubernetes configuration repository. The chart version is v1.3.0 and this version is running on my kubernetes cluster.

Bug description:
I have a pipeline integration in this repository and when some configuration is changed all the charts are applied again (including cert-manager chart). When the chart is applied again it updates the certificate (not renew) and the services that uses this certificate stop working.

My current certificate YAML template:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .Values.certManager.clientCertDbs.secretName }}
  namespace: {{ .Values.certManager.clientCertDbs.namespace }}
spec:
  secretName: {{ .Values.certManager.clientCertDbs.secretName }}
  duration: 2880h # 120d
  renewBefore: 2160h # 90d
  subject:
    organizations:
    - MY_COMPANY
    organizationalUnits:
    - MY_COMPANY
    countries:
    - MY_COUNTRY
    localities: 
    - MY_CITY
    provinces: 
    - MY_PROVINCE
  emailAddresses:
  - blablabla@email.com
  commonName: {{ .Values.certManager.clientCertDbs.commonName }}
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - digital signature
    - client auth
  issuerRef:
    name: {{ .Values.certManager.clientCertDbs.issuer }}
    kind: ClusterIssuer
    group: cert-manager.io

Expected behaviour:

Should not update the certificate when run "helm install" command.

Steps to reproduce the bug:
1- Create a certificate using Helm
2- Run "helm install" command again

Anything else we need to know?:
A provisory solution is rollback restart the services that uses the certificate.

Environment details::

• Kubernetes version: 1.19
• Cloud-provider/provisioner: Oracle Cloud
• cert-manager version: 1.3
• Install method: helm

/kind bug

[irbekrm]

Hi, thanks for the issue!

When the chart is applied again it updates the certificate (not renew) and the services that uses this certificate stop working.

Do you mean the X.509 certificate stored in the Secret? Why would the services stop working (assuming a scenario where the Secret is i.e mounted to a pod)?

[rafaelDev0ps]

Hi @irbekrm, yes I'm using X.509 certificate. I don't know the cause of this behavior, secret is mounted inside the pod. I have Mongo stafefullset with TLS and the other pods that uses certificates also.

I generated two certificates.

• One CA selfsigned (for Mongo)
• One certificate (for clients)

Both have the same issuer.

To solve this I have to restart my Statefullset and my Pod.

[irbekrm]

Thanks for the extra info! We should look into this, but at the moment I don't really know how to reproduce it- if you have any ideas that would be very helpful.

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[jetstack-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

[jetstack-bot]

@jetstack-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ssiegel]

I had a similar issue, not using helm but the ansible k8s module, which always reported a “changed” state. For me the solution was to specify duration and renewBefore exactly as kubectl get would return it, here for example:

spec:
  duration: 2880h0m0s # 120d
  renewBefore: 2160h0m0s # 90d