owncloud / ocis-charts

:chart_with_upwards_trend: Helm Charts for ownCloud's OCIS
https://owncloud.dev/ocis/deployment/kubernetes/
Apache License 2.0

365 days after initial deployment authentication starts failing #760

Open DaDummy opened 6 days ago

DaDummy commented 6 days ago

I initially deployed my test instance 365 days ago and was actively using it till yesterday.

Today all authentication attempts are failing and idm is logging the following message roughly three times per second at the moment:

{"level":"error","service":"idm","error":"remote error: tls: bad certificate","time":"2024-10-01T14:49:37Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/log/logrus_wrapper.go:50","message":"handleConnection ber.ReadPacket"}

Due to the timing I suspect that the idm TLS certificate just expired.

I understand that using an external LDAP is strongly recommended; still, it might be nice to support the necessary certificate rotation from the chart.

I guess the necessary steps would be to check the age of the cert in charts/ocis/templates/idm/secret.yaml and update the cert secret if it expired, then restart the idm pods. Though that would probably also require retaining the CA key.

As an alternative I guess it would also be possible to roll over CA and cert and then restart all affected pods, though that would be more disruptive.

Workaround:

kubectl delete secrets ldap-ca ldap-cert
(install helm chart again)
kubectl rollout restart deployment
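As an added example (not part of this issue or of the chart), a Go check for the situation described above: it builds a constructed self-signed CA with the same 365-day lifetime, stores it the way a certificate sits under `.data` in a Kubernetes Secret such as ldap-ca or ldap-cert, and computes the days left before NotAfter, so expiry can be scheduled for instead of discovered through the "bad certificate" error. IssuedAt, the CommonName and the secret value are constructed, not taken from the chart.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IssuedAt is the constructed issue time of the sample CA, 365 days before the log line in the report.
var IssuedAt = time.Date(2023, 10, 1, 14, 0, 0, 0, time.UTC)

// NewCASecretData builds a constructed self-signed CA valid for validFor, base64-encoded like a Secret .data value.
func NewCASecretData(validFor time.Duration) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return "", err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ldap-ca"},
		NotBefore: IssuedAt, NotAfter: IssuedAt.Add(validFor),
		IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return "", err }
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes), nil
}

// DaysLeftFromSecretData decodes a Secret .data value and returns whole days until NotAfter at time now (negative once expired).
func DaysLeftFromSecretData(b64 string, now time.Time) (int, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil { return 0, err }
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" { return 0, fmt.Errorf("secret value is not a PEM CERTIFICATE") }
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return 0, err }
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

func main() {
	b64, _ := NewCASecretData(365 * 24 * time.Hour) // the lifetime observed in the report
	d, _ := DaysLeftFromSecretData(b64, IssuedAt.Add(364*24*time.Hour))
	fmt.Printf("%d day(s) left; rotate the secret and restart idm before this reaches 0\n", d)
}
```

On a live cluster the same value comes from `kubectl get secret ldap-cert -o jsonpath='{.data.tls\.crt}'`, assuming the chart stores the certificate under the conventional tls.crt key.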
wkloucek commented 20 hours ago

This chart will not change around the builtin IDM and IDP. Those two services are only there for testing purposes since they will never be production ready in the Kubernetes context.

From what I know, there is no sane way to do the certificate rotation with Helm.

I'd propose to look into CertManager and provide the CA and cert by it. You need to configure secretRefs.ldapCaRef and secretRefs.ldapCertRef for it.

On the stable-5 branch you can find a starting point on how to manage a CA and certs with cert-manager:

https://github.com/owncloud/ocis-charts/blob/stable-5/deployments/custom-certificate-authority/helmfile.yaml#L6-L18

https://github.com/owncloud/ocis-charts/blob/3811ec1af68d8a28067e09a79c0fd8db7a07083c/deployments/custom-certificate-authority/charts/certificate-authority/ca.yaml