If you are using cert-manager (tls.certs.certManager: true) and you are using a self-signed issuer for the CA cert (tls.certs.certManagerIssuer.isSelfSignedIssuer: true) then this portion of the Helm chart generates a cert-managerCertificate object for you.
The .spec section here does not include a duration, so the default duration is 90d (!) — this will inevitably lead to expired certificates. (It did for me, which is why I'm filing this.)
Worse, there's no Helm value to be able to override it, here. For an internal CA, I'd ideally like to specify something like 10 years. Basically infinite; unless I have a need to rotate the CA (e.g., suspected compromise), this seems acceptable¹.
(I think for now, I'm going to see if I can just disable the cert generation via the chart & do it manually, though that's of course a bummer to need to do. The chart is so close!)
(¹Otherwise, we then run into more bugs: cert-manager does not appear to correctly renew leaf certs. E.g., the CA cert will expire, and c-m will renew it, but the leaf cert continues to use the old CA, and so it's all still broken, at least, I presume, until the leaf renews again. Cf. https://github.com/cert-manager/cert-manager/issues/5864. Even if c-m functioned here, CRDB would still need some way to a graceful rollover to the new CA, which AFAIK, it presently lacks. I think this is okay … I think short-lived CAs is a minority use case.)
If you are using
cert-manager(tls.certs.certManager: true) and you are using a self-signed issuer for the CA cert (tls.certs.certManagerIssuer.isSelfSignedIssuer: true) then this portion of the Helm chart generates acert-managerCertificateobject for you.The
.specsection here does not include aduration, so the default duration is 90d (!) — this will inevitably lead to expired certificates. (It did for me, which is why I'm filing this.)Worse, there's no Helm value to be able to override it, here. For an internal CA, I'd ideally like to specify something like 10 years. Basically infinite; unless I have a need to rotate the CA (e.g., suspected compromise), this seems acceptable¹.
(I think for now, I'm going to see if I can just disable the cert generation via the chart & do it manually, though that's of course a bummer to need to do. The chart is so close!)
(¹Otherwise, we then run into more bugs:
cert-managerdoes not appear to correctly renew leaf certs. E.g., the CA cert will expire, and c-m will renew it, but the leaf cert continues to use the old CA, and so it's all still broken, at least, I presume, until the leaf renews again. Cf. https://github.com/cert-manager/cert-manager/issues/5864. Even if c-m functioned here, CRDB would still need some way to a graceful rollover to the new CA, which AFAIK, it presently lacks. I think this is okay … I think short-lived CAs is a minority use case.)