
How to configure ClusterIssuer to customize certificate duration and renewal?

I want to customize the certificate validity duration and renewal throughout the cluster. I guess doing that with ClusterIssuer is feasible. Is there a way to do so?

You can specify the duration of a self signed certificate by specifying the duration field in the Certificate CR:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example
spec:
  duration: 24h
  ...

You can control how long before the certificate expires it gets renewed using the renewBefore field:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example
spec:
  renewBefore: 12h
  ...

Details in the documentation.

For the same, you can configure it using the two fields below:

duration: 2160h # 90d
renewBefore: 360h # 15d

Things to take care of:

The renewBefore and duration fields must be specified using Golang's time.Time string format, which does not allow d (days).

Example certificate

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  commonName: example.com
  dnsNames:
  - example.com
  - www.example.com
  uriSANs:
  - spiffe://cluster.local/ns/sandbox/sa/example
  issuerRef:
    name: ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
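
An added example (not from either answer and not cert-manager's own code): a small Go check that parses `duration` and `renewBefore` with the standard library's `time.ParseDuration`, whose largest unit is `h`, rejects a `renewBefore` that is not shorter than `duration`, and computes when renewal would begin. `PlanRenewal`, `RenewalPlan` and the issue time are hypothetical names and constructed inputs, and it assumes the issuer honours the requested duration.

```go
package main

import (
	"fmt"
	"time"
)

// RenewalPlan holds the parsed values of a Certificate's spec.duration and
// spec.renewBefore, plus the moment renewal would start (assumption: the
// issuer honours the requested duration).
type RenewalPlan struct {
	Duration    time.Duration
	RenewBefore time.Duration
	RenewAt     time.Time
}

// PlanRenewal parses both fields with time.ParseDuration (valid units:
// ns, us, ms, s, m, h; there is no "d") and rejects a renewBefore that is
// not shorter than duration. issuedAt is supplied by the caller.
func PlanRenewal(duration, renewBefore string, issuedAt time.Time) (RenewalPlan, error) {
	d, err := time.ParseDuration(duration)
	if err != nil {
		return RenewalPlan{}, fmt.Errorf("duration %q: %w", duration, err)
	}
	rb, err := time.ParseDuration(renewBefore)
	if err != nil {
		return RenewalPlan{}, fmt.Errorf("renewBefore %q: %w", renewBefore, err)
	}
	if d <= 0 || rb <= 0 {
		return RenewalPlan{}, fmt.Errorf("both values must be positive")
	}
	if rb >= d {
		return RenewalPlan{}, fmt.Errorf("renewBefore %s must be shorter than duration %s", rb, d)
	}
	return RenewalPlan{Duration: d, RenewBefore: rb, RenewAt: issuedAt.Add(d - rb)}, nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue time
	// Constructed inputs: the values from the answer, a "d" suffix, and an inverted pair.
	for _, in := range [][2]string{{"2160h", "360h"}, {"90d", "15d"}, {"24h", "48h"}} {
		p, err := PlanRenewal(in[0], in[1], issued)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("duration=%s renewBefore=%s renewAt=%s\n", p.Duration, p.RenewBefore, p.RenewAt.Format(time.RFC3339))
	}
}
```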
