
For webhooks use a self-signed cert instead of CA cert and leaf cert combo #5253

@kpanic9

Description

What do you want to happen?

When using cert-manager for webhook certificate generation, kubebuilder generates a CA cert and a leaf cert from that CA certificate. Both the cert and the CA cert have the same validity period (3 months), and their expiry happens around the same time.

When cert-manager renews the leaf cert before the CA cert, the API server cannot talk to the webhook because the webhook's caBundle is configured from the CA cert.

I have tried using the leaf cert for the webhook's caBundle configuration, but it causes issues when the CA cert expires, as cert-manager allows leaf certs to have an expiry date beyond the CA cert's expiry date (cert-manager/cert-manager#5864).

So the only solution I have found is to use a self-signed cert and use it to configure the caBundle of the webhook.

Is it possible to change the default manifests to that?

Extra Labels

No response
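The three situations the report describes, replayed with Go's crypto/x509 as an added example (this is not code from the issue, from kubebuilder or from cert-manager). It assumes a webhook service name of webhook-service.system.svc, cert-manager's default 90-day duration, a leaf renewal on day 60 and a constructed timeline starting 2024-01-01; verifyServed stands in for the API server's TLS check, with the webhook's caBundle as the root pool. runCAAndLeaf covers the CA + leaf layout (fresh, leaf outliving an expired CA, caBundle holding a CA that did not sign the served leaf); runSelfSigned covers the proposed self-signed layout, including the one way it can still fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	webhookDNS = "webhook-service.system.svc" // assumed service name
	day        = 24 * time.Hour
	ttl        = 90 * day // cert-manager's default Certificate duration
)

var t0 = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed first-issuance time
var lastSerial int64

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert mints a certificate: self-signed when parent == nil, otherwise signed by parent.
func issueCert(cn string, notBefore time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	lastSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(lastSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{webhookDNS}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyServed replays the API server's check: the certificate the webhook serves
// must chain to something in the configured caBundle at time "now".
func verifyServed(served *x509.Certificate, caBundle []*x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	for _, c := range caBundle {
		roots.AddCert(c)
	}
	_, err := served.Verify(x509.VerifyOptions{Roots: roots, DNSName: webhookDNS, CurrentTime: now})
	return err
}

type caAndLeafOutcome struct{ fresh, caExpired, staleBundle error }

// runCAAndLeaf models the CA + leaf layout the issue describes.
func runCAAndLeaf() caAndLeafOutcome {
	ca, caKey := issueCert("webhook-ca", t0, true, nil, nil)
	leaf, _ := issueCert(webhookDNS, t0, false, ca, caKey)
	bundle := []*x509.Certificate{ca}
	o := caAndLeafOutcome{fresh: verifyServed(leaf, bundle, t0.Add(day))} // everything agrees
	// Leaf renewed on day 60 under the same CA runs to day 150, the CA only to day 90:
	// on day 91 the leaf is in date but its anchor is not, so the API server rejects it.
	renewed, _ := issueCert(webhookDNS, t0.Add(60*day), false, ca, caKey)
	o.caExpired = verifyServed(renewed, bundle, t0.Add(91*day))
	// CA rotated and injected into caBundle while the webhook still serves the old chain.
	newCA, _ := issueCert("webhook-ca", t0.Add(60*day), true, nil, nil)
	o.staleBundle = verifyServed(renewed, []*x509.Certificate{newCA}, t0.Add(61*day))
	return o
}

// runSelfSigned models the proposed layout: the served certificate is its own trust anchor.
func runSelfSigned() (renewed, staleBundle error) {
	cert, _ := issueCert(webhookDNS, t0, false, nil, nil)
	next, _ := issueCert(webhookDNS, t0.Add(60*day), false, nil, nil)
	renewed = verifyServed(next, []*x509.Certificate{next}, t0.Add(61*day))
	// Caveat: a caBundle not re-injected after the rotation fails just as the CA layout does.
	staleBundle = verifyServed(next, []*x509.Certificate{cert}, t0.Add(61*day))
	return renewed, staleBundle
}

func main() {
	o := runCAAndLeaf()
	r, s := runSelfSigned()
	fmt.Printf("CA+leaf: fresh=%v caExpired=%v staleBundle=%v\nself-signed: renewed=%v staleBundle=%v\n", o.fresh, o.caExpired, o.staleBundle, r, s)
}
```

The point the example makes: with a CA and a leaf there are two independently renewed objects, and the API server only works while the anchor in caBundle and the chain the webhook serves come from the same generation; with a self-signed certificate there is one object, so its renewal changes the anchor and the served certificate together. It does not remove the requirement that caBundle be re-injected on every rotation; that is what cert-manager's cainjector does when the webhook configuration carries a `cert-manager.io/inject-ca-from` annotation pointing at the Certificate, and for a SelfSigned issuer the secret's ca.crt is the serving certificate itself (my understanding of cert-manager, not something the issue states). Whether the kubebuilder manifests should change to that layout is the question the issue asks.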


Labels

kind/feature (categorizes issue or PR as related to a new feature)
