Certificate secrets are not recreated when critical fields change #6815
Labels
kind/bug
Categorizes issue or PR as related to a bug.
lifecycle/stale
Denotes an issue or PR has remained open with no activity and has become stale.
Describe the bug:
secretTemplate, changes to the secretTemplate are not reflected until the certificate is renewed.
Expected behaviour:
secretTemplate should trigger an update of the secret. Given that the secretTemplate can only contain annotations and labels, it should be possible to just update the annotations and labels on the secret without renewing the issued certificates in the secret.
Steps to reproduce the bug:
Create a Certificate resource.
Once the certificate secret has been provisioned, edit the Certificate to include a secretTemplate in the spec
Observe that the secret is not updated to include the annotations/labels in the secretTemplate
Add a keystore configuration to the certificate (will probably require creation of a separate secret to hold the keystore password)
Observe that the secret is not updated to include the keystore
Renew the certificate, observe that the keystore and annotations/labels are now present in the secret
Change the secret containing the keystore password to use a different password
Observe that the secret is not updated with a keystore using the new password
For a JKS keystore, observe that the truststore.jks is now rendered invalid as keytool cannot read it
Renew the certificate, observe that the keystore is now correctly encrypted.
Anything else we need to know?:
Environment details::
/kind bug
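An added example, not part of the original issue or of cert-manager's code: a read-only check for the drift described in the steps above. It compares a Certificate's secretTemplate and JKS keystore setting against the Secret, and verifies each keystore's JKS integrity digest against the current password. The function names, manifests and passwords are constructed for illustration; only the store-level digest is checked, not the protection of individual key entries.

```python
import base64, hashlib, hmac, struct

def jks_password_ok(blob, password):
    """True if the SHA-1 integrity digest that ends a JKS file matches password."""
    if len(blob) < 32 or blob[:4] != b"\xfe\xed\xfe\xed":  # header (12) + digest (20)
        return False
    body, digest = blob[:-20], blob[-20:]
    # JKS digest = SHA1(password as UTF-16BE || "Mighty Aphrodite" || keystore body)
    expect = hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body)
    return hmac.compare_digest(expect.digest(), digest)

def secret_drift(cert, secret, jks_password=None):
    """List what the Secret lacks relative to the Certificate spec (hypothetical helper)."""
    findings = []
    template = cert["spec"].get("secretTemplate", {})
    for kind in ("annotations", "labels"):
        have = secret["metadata"].get(kind, {})
        findings += [f"{kind}:{k}" for k, v in template.get(kind, {}).items()
                     if have.get(k) != v]
    if cert["spec"].get("keystores", {}).get("jks", {}).get("create"):
        for key in ("keystore.jks", "truststore.jks"):
            b64 = secret.get("data", {}).get(key)
            if b64 is None:
                findings.append(f"missing:{key}")
            elif jks_password and not jks_password_ok(base64.b64decode(b64), jks_password):
                findings.append(f"stale-password:{key}")
    return findings

def sample_jks(password):
    """Constructed sample: an empty JKS (magic, version 2, zero entries) plus digest."""
    body = struct.pack(">IIi", 0xFEEDFEED, 2, 0)
    mac = hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body)
    return base64.b64encode(body + mac.digest()).decode()

# Constructed manifests, trimmed to the fields the check reads.
CERT = {"spec": {
    "secretTemplate": {"labels": {"team": "payments"},
                       "annotations": {"example.com/owner": "platform"}},
    "keystores": {"jks": {"create": True}}}}
BEFORE_RENEWAL = {"metadata": {}, "data": {"tls.crt": "", "tls.key": ""}}
AFTER_PASSWORD_CHANGE = {
    "metadata": {"labels": {"team": "payments"},
                 "annotations": {"example.com/owner": "platform"}},
    "data": {k: sample_jks("old-pass") for k in ("keystore.jks", "truststore.jks")}}

if __name__ == "__main__":
    print(secret_drift(CERT, BEFORE_RENEWAL))
    print(secret_drift(CERT, AFTER_PASSWORD_CHANGE, jks_password="new-pass"))
```

Against a live cluster, the two dictionaries would come from the JSON output of the Certificate and its Secret, and the password from the Secret referenced by the keystore configuration.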