Why is Kubernetes ClusterIssuer reusing/reissuing revoked certificate?

I have set up Vault inside kubernetes, and a ClusterIssuer that works as expected.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-cluster-issuer
  namespace: cert-manager
spec:
  vault:
    path: pki/sign/my-issuer
    server: http://vault.vault.svc.cluster.local:8200
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: issuer-token
          key: token

How to reproduce:

  1. Create ingress for test.example.com with cluster-issuer: vault-cluster-issuer. Server certificate is created as expected.
  2. Go into the Vault UI and revoke the server certificate.
  3. Delete the certificate in k8s.
  4. The ClusterIssuer recreates the server certificate in k8s, even though it has been revoked. The message is “Certificate is up to date and has not expired”, which is… technically true.

If I add the CRL to the ClusterIssuer's secret (as ca.crl), it recognizes the server certificate as revoked and issues a new one using Vault.

Question: why is the revoked certificate reused in step 4 above? Isn’t the ClusterIssuer contacting Vault? Is Vault sending the certificate even though it has been revoked? Does k8s have some cache which makes it not contact Vault and just reuse/recreate the one it had? (I have deleted the certificate from k8s.)
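The CRL-based check the question reports working once ca.crl is added to the issuer secret, as an added example that is not part of the original question or of cert-manager's own code: it verifies a CRL against the issuing CA, rejects a stale CRL, and reports whether a leaf certificate's serial number is listed in it. The CA, leaf and CRL are constructed in-process with Go's standard library (no Vault or Kubernetes involved); the names test-ca and test.example.com and the serial numbers are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isRevoked verifies the CRL signature against the issuing CA, rejects a CRL that
// is past its NextUpdate, and reports whether the leaf's serial number is listed.
func isRevoked(leaf, ca *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by the expected CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("stale CRL, NextUpdate was %s", crl.NextUpdate)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// fixture: constructed test data (not from the question) - a throwaway CA, a leaf with the given serial, and a CA-signed CRL revoking serial 1000.
func fixture(serial int64) (leaf, ca *x509.Certificate, crlDER []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key for CA and leaf, test only
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, &key.PublicKey, key)
	ca, _ = x509.ParseCertificate(caDER)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "test.example.com"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, ca, &key.PublicKey, key)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlT := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1000), RevocationTime: now}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlT, ca, key)
	return leaf, ca, crlDER
}
```

Against a real cluster, the leaf is the PEM in the Secret's tls.crt and the CRL is the ca.crl entry; pem.Decode each and pass the block bytes (after x509.ParseCertificate for the certificates) to isRevoked.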