(cert-manager) vault issuer: 'spec.renewBefore' and 'spec.duration'

lknite · June 28, 2024, 2:57pm

I’m working to set ‘renewBefore’ and ‘duration’.

I used kyverno, which uses a MutatingAdmissionWebhook to apply the ‘renewBefore’ and ‘duration’, when the cert-manager Certificate resource was first created.

However, the status of the certificate does not reflect these values, instead it looks like its using a default of 90 days duration.

Someone suggested maybe the ‘vault’ provider doesn’t support these settings?

Leaving kyverno out of the equation, according to the cert-manager documentation, I should be able to use kubectl to edit the Certificate resource and change the ‘spec.duration’, and expect the certificates to reissue. (but they don’t)

How can I accomplish my goal? Can I set these defaults on the vault side? Can I set these defaults in the Certificate?

Versions:
cert-manager: 1.14.6
vault: 1.15.4

lknite · June 28, 2024, 3:21pm

Answering my own question:

My difficulties all arose around the fact that a secret with TLS certs existed and were valid so none of the changes to the certificate were getting rid of those, but once deleted everything worked as expected, when the certs were issued everything was as expected.

Topic		Replies	Views
Vault-agent PKI: Higher renewal frequency than ttl Vault	1	462	August 9, 2022
How can I solve the following problem? Vault vault	7	4033	January 10, 2022
Vault behavior when server certificate changes/updates Vault	0	338	November 29, 2021
Reboot / new pod of vault necesarry for new certificate to be used Vault k8s	0	450	September 26, 2020
Vault initial token? Vault	4	831	October 29, 2022

(cert-manager) vault issuer: 'spec.renewBefore' and 'spec.duration'

Related topics