Self-signed CA cert generated by the Helm chart only good for 90d #401
Description
If you are using cert-manager (tls.certs.certManager: true) and you are using a self-signed issuer for the CA cert (tls.certs.certManagerIssuer.isSelfSignedIssuer: true) then this portion of the Helm chart generates a cert-manager Certificate object for you.
The .spec section here does not include a duration, so the default duration is 90d (!) — this will inevitably lead to expired certificates. (It did for me, which is why I'm filing this.)
Worse, there's no Helm value to be able to override it, here. For an internal CA, I'd ideally like to specify something like 10 years. Basically infinite; unless I have a need to rotate the CA (e.g., suspected compromise), this seems acceptable¹.
(I think for now, I'm going to see if I can just disable the cert generation via the chart & do it manually, though that's of course a bummer to need to do. The chart is so close!)
(¹Otherwise, we then run into more bugs: cert-manager does not appear to correctly renew leaf certs. E.g., the CA cert will expire, and c-m will renew it, but the leaf cert continues to use the old CA, and so it's all still broken, at least, I presume, until the leaf renews again. Cf. cert-manager/cert-manager#5864. Even if c-m functioned here, CRDB would still need some way to a graceful rollover to the new CA, which AFAIK, it presently lacks. I think this is okay … I think short-lived CAs is a minority use case.)
Jira issue: HELM-11