@pierDipi
Last active October 11, 2023 11:53
cert-manager spec Update Issue
  1. Install cert-manager

  2. Apply the cert-manager-spec-update-issue.yaml file (it's down below)

  3. Get the certificate

$ k get certificates -n cert-manager-issue server-tls -oyaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"server-tls","namespace":"cert-manager-issue"},"spec":{"dnsNames":["broker-filter.knative-eventing.svc.cluster.local","broker-filter.knative-eventing.svc"],"duration":"2160h","isCA":false,"issuerRef":{"group":"cert-manager.io","kind":"Issuer","name":"selfsigned-ca-issuer"},"privateKey":{"algorithm":"RSA","encoding":"PKCS1","rotationPolicy":"Always","size":2048},"renewBefore":"360h","secretName":"server-tls","secretTemplate":{"labels":{"app.kubernetes.io/component":"server-tls"}},"subject":{"organizations":["local"]}}}
  creationTimestamp: "2023-10-11T11:27:28Z"
  generation: 1
  name: server-tls
  namespace: cert-manager-issue
  resourceVersion: "153649"
  uid: 2a5f4dca-b32a-4653-b636-c2ac4d0a5626
spec:
  dnsNames:
  - broker-filter.knative-eventing.svc.cluster.local
  - broker-filter.knative-eventing.svc
  duration: 2160h0m0s
  issuerRef:
    group: cert-manager.io
    kind: Issuer
    name: selfsigned-ca-issuer
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    rotationPolicy: Always
    size: 2048
  renewBefore: 360h0m0s
  secretName: server-tls
  secretTemplate:
    labels:
      app.kubernetes.io/component: server-tls
  subject:
    organizations:
    - local
status:
  conditions:
  - lastTransitionTime: "2023-10-11T11:27:34Z"
    message: Certificate is up to date and has not expired
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2024-01-09T11:27:34Z"
  notBefore: "2023-10-11T11:27:34Z"
  renewalTime: "2023-12-25T11:27:34Z"
  revision: 1

As you can see, renewBefore and duration come back with different values: 2160h was stored as 2160h0m0s and 360h as 360h0m0s. The two forms are equivalent once parsed, but at the YAML level these fields are just strings, so a client that compares them as strings sees a difference. The other change is that isCA: false is no longer present in the stored object, because the field is omitted when false, so a desired spec that sets it explicitly never matches what the API server returns. Both differences make a naive desired-versus-observed spec comparison report an update even though nothing has actually changed.
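To make the comparison problem concrete, here is an added example (not code from the gist, from cert-manager or from Knative) that feeds the two specs shown above into a naive comparison and into one that normalises them the way the API server does before diffing. The desired spec is taken from the last-applied-configuration annotation; the observed spec is a constructed JSON rendering of the .spec block returned by kubectl. The normalisation is deliberately generic (a map walk over the two duration fields plus the omitempty isCA field) rather than the cert-manager API types, so it runs with the standard library only; the function names are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"time"
)

// desiredSpec is the spec portion of the kubectl.kubernetes.io/last-applied-configuration
// annotation shown above: what the client applied.
var desiredSpec = []byte(`{"dnsNames":["broker-filter.knative-eventing.svc.cluster.local","broker-filter.knative-eventing.svc"],"duration":"2160h","isCA":false,"issuerRef":{"group":"cert-manager.io","kind":"Issuer","name":"selfsigned-ca-issuer"},"privateKey":{"algorithm":"RSA","encoding":"PKCS1","rotationPolicy":"Always","size":2048},"renewBefore":"360h","secretName":"server-tls","secretTemplate":{"labels":{"app.kubernetes.io/component":"server-tls"}},"subject":{"organizations":["local"]}}`)

// observedSpec is a constructed JSON rendering of the .spec the API server returned
// (the YAML block above): durations in Go's Duration.String() form and isCA dropped.
var observedSpec = []byte(`{"dnsNames":["broker-filter.knative-eventing.svc.cluster.local","broker-filter.knative-eventing.svc"],"duration":"2160h0m0s","issuerRef":{"group":"cert-manager.io","kind":"Issuer","name":"selfsigned-ca-issuer"},"privateKey":{"algorithm":"RSA","encoding":"PKCS1","rotationPolicy":"Always","size":2048},"renewBefore":"360h0m0s","secretName":"server-tls","secretTemplate":{"labels":{"app.kubernetes.io/component":"server-tls"}},"subject":{"organizations":["local"]}}`)

// normalizeDuration re-renders a Go duration string the way metav1.Duration is
// marshalled by the API server, so "2160h" and "2160h0m0s" compare equal.
// Units Go does not know (e.g. "90d") are rejected, as they would be by the server.
func normalizeDuration(s string) (string, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return "", err
	}
	return d.String(), nil
}

// normalizeSpec applies the same canonicalisation the server applies to the two
// duration fields and the omitempty isCA field of a Certificate spec (hypothetical
// helper; the set of fields handled is limited to the ones in this reproduction).
func normalizeSpec(raw []byte) (map[string]any, error) {
	var spec map[string]any
	if err := json.Unmarshal(raw, &spec); err != nil {
		return nil, err
	}
	for _, field := range []string{"duration", "renewBefore"} {
		v, ok := spec[field].(string)
		if !ok {
			continue // absent: nothing to normalise
		}
		n, err := normalizeDuration(v)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", field, err)
		}
		spec[field] = n
	}
	// isCA is omitempty on the server side, so an explicit false never round-trips.
	if v, ok := spec["isCA"].(bool); ok && !v {
		delete(spec, "isCA")
	}
	return spec, nil
}

// rawEqual is the naive comparison: decode both documents and DeepEqual them.
func rawEqual(a, b []byte) (bool, error) {
	var ma, mb map[string]any
	if err := json.Unmarshal(a, &ma); err != nil {
		return false, err
	}
	if err := json.Unmarshal(b, &mb); err != nil {
		return false, err
	}
	return reflect.DeepEqual(ma, mb), nil
}

// specsEquivalent compares the two specs after normalising both sides.
func specsEquivalent(a, b []byte) (bool, error) {
	na, err := normalizeSpec(a)
	if err != nil {
		return false, err
	}
	nb, err := normalizeSpec(b)
	if err != nil {
		return false, err
	}
	return reflect.DeepEqual(na, nb), nil
}

func main() {
	raw, err := rawEqual(desiredSpec, observedSpec)
	if err != nil {
		panic(err)
	}
	norm, err := specsEquivalent(desiredSpec, observedSpec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("naive compare says equal: %v\n", raw)       // false: a spurious update
	fmt.Printf("normalised compare says equal: %v\n", norm) // true
}
```

The normalised comparison is what a controller should do before deciding to issue an update: parse durations instead of comparing their strings, and treat a zero-valued omitempty field as absent. Comparing the stored object against the raw desired manifest will otherwise flag a diff on every reconcile.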

cert-manager-spec-update-issue.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-issue
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: server-tls
  namespace: cert-manager-issue
spec:
  # Secret names are always required.
  secretName: server-tls
  secretTemplate:
    labels:
      app.kubernetes.io/component: server-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - local
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
    rotationPolicy: Always
  dnsNames:
    - broker-filter.knative-eventing.svc.cluster.local
    - broker-filter.knative-eventing.svc
  issuerRef:
    name: selfsigned-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
# Copyright 2023 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This is the issuer that every Eventing component should use to issue their server's certs.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-ca-issuer
  namespace: cert-manager-issue
spec:
  ca:
    secretName: eventing-ca
---
# Copyright 2023 The Knative Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This is the root issuer to bootstrap the eventing CA.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: cert-manager-issue
spec:
  selfSigned: {}
---
# This is the Eventing CA certificate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-ca
  namespace: cert-manager-issue
spec:
  secretName: eventing-ca
  isCA: true
  commonName: selfsigned-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io