Certificate resource not updated after ingress annotation is changed #6965

Open
jlunaq opened this issue Apr 26, 2024 · 1 comment

Comments

jlunaq commented Apr 26, 2024

Hello, I have cert-manager 1.8.2 installed on an AKS 1.27 cluster. I'm using an external issuer to automate the certificates lifecycle.
We add the issuer annotations (name, group, kind) to the ingresses to generate their certificate. However when we change the issuer-group this change is not propagated to the associated certificate resource. I'm wondering if this is a known bug present in this version of cert-manager to consider upgrading.

(edit)
One more question. When I deleted the certificate I was expecting that it was recreated by cert-manager, but that didn't happen, is this an expected behavior?

Let me know if you need any additional details. Thanks

Member

hawksight commented May 8, 2024

Hello @jlunaq, awesome to see you using cert-manager.

> However when we change the issuer-group this change is not propagated to the associated certificate resource.

It is difficult with annotations. So you edit the Ingress annotations, but the Certificate is not reissued?
I believe re-issuance is only done if you change the certificate spec itself, not the Issuer being used.
So if the cert is valid, changing the issuer would have no effect. But I don't have a reference for this... it's just a hunch.

Could you also try adding a new annotation that would change the cert, so for example: `cert-manager.io/private-key-size: 4096` (assuming you are using RSA keys).

> When I deleted the certificate I was expecting that it was recreated by cert-manager, but that didn't happen, is this an expected behaviour?

Cert-manager won't restore a Certificate resource. But do you mean a Certificate that was generated from the annotations on your Ingress resource?

> cert-manager 1.8.2

This is old, please try cert-manager v1.14.5 instead. Your k8s version is supported on the latest and greatest. See supported versions.

You might find the newer version behaves differently.
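
To confirm whether a Certificate still points at the old issuer after the Ingress annotations were edited, the two objects can be compared directly. The following is an added example, not code from this thread or from cert-manager: it takes the Ingress and Certificate as parsed manifests (for instance the output of `kubectl get ... -o json`) and reports each `issuerRef` field that disagrees with the annotations. It assumes an unset kind means `Issuer` (or `ClusterIssuer` for the `cert-manager.io/cluster-issuer` annotation) and an unset group means `cert-manager.io`; the object names and issuer groups in the sample data are constructed.

```python
# Added example (not cert-manager code): detect drift between an Ingress's
# issuer annotations and the issuerRef of the Certificate generated from it.
PREFIX = "cert-manager.io/"
DEFAULT_GROUP = "cert-manager.io"  # assumed default when no group is given


def expected_issuer_ref(ingress):
    """Issuer reference implied by the Ingress annotations, or None."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    if PREFIX + "cluster-issuer" in ann:
        name, default_kind = ann[PREFIX + "cluster-issuer"], "ClusterIssuer"
    elif PREFIX + "issuer" in ann:
        name, default_kind = ann[PREFIX + "issuer"], "Issuer"
    else:
        return None  # Ingress does not request a certificate via annotations
    return {
        "name": name,
        "kind": ann.get(PREFIX + "issuer-kind", default_kind),
        "group": ann.get(PREFIX + "issuer-group", DEFAULT_GROUP),
    }


def issuer_ref_drift(ingress, certificate):
    """Return {field: (expected, actual)} for each mismatching field."""
    want = expected_issuer_ref(ingress)
    if want is None:
        return {}
    ref = certificate.get("spec", {}).get("issuerRef", {})
    have = {
        "name": ref.get("name", ""),
        "kind": ref.get("kind") or "Issuer",
        "group": ref.get("group") or DEFAULT_GROUP,
    }
    return {k: (want[k], have[k]) for k in want if want[k] != have[k]}


# Constructed sample objects; names and the external issuer groups are made up.
INGRESS = {"metadata": {"name": "web", "annotations": {
    PREFIX + "issuer": "corp-ca",
    PREFIX + "issuer-kind": "ExampleIssuer",
    PREFIX + "issuer-group": "new.example.com"}}}
CERTIFICATE = {"metadata": {"name": "web-tls"}, "spec": {
    "secretName": "web-tls",
    "issuerRef": {"name": "corp-ca", "kind": "ExampleIssuer",
                  "group": "old.example.com"}}}

if __name__ == "__main__":
    print(issuer_ref_drift(INGRESS, CERTIFICATE))
```

A non-empty result means certificates for that host are still being requested from the issuer named in the Certificate, not the one the Ingress now declares.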
