Helm chart: can webhook serving certificate expire if keepTLSSecret is enabled?

[terabyte128]

For context, I'm using Cert Manager (with .Values.enableCertManager) to manage the root-cert CA.

From what I can tell, enabling .Values.keepTLSSecret will prevent the serving-cert Certificate resource from being generated by the Helm chart. This makes sense if we want to avoid re-generating the certificate when the chart is updated. But what happens when the existing Secret expires? It seems like once the Secret expires, the certificate would just lapse without any kind of automated renewal from the root CA.

Is this expected behavior?

Reproduction

I installed the chart with the following values:

enableCertManager: true

I verified that the following certificates were created:

$ kubectl get certificate
NAME                             READY   SECRET                        AGE
aws-load-balancer-root-cert      True    aws-load-balancer-root-cert   2m50s
aws-load-balancer-serving-cert   True    aws-load-balancer-tls         113s

and the following secrets as a result:

$ kubectl get secret
NAME                                                 TYPE                 DATA   AGE
aws-load-balancer-root-cert                          kubernetes.io/tls    3      3m36s
aws-load-balancer-tls                                kubernetes.io/tls    3      2m39s

I then ran helm diff with exactly the same values, and saw that it proposed to remove the certificate resource that had been created initially:

kube-system, aws-load-balancer-serving-cert, Certificate (cert-manager.io) has been removed:
- apiVersion: cert-manager.io/v1
- kind: Certificate
- metadata:
-   labels:
-     app.kubernetes.io/instance: aws-load-balancer-controller
-     app.kubernetes.io/managed-by: Helm
-     app.kubernetes.io/name: aws-load-balancer-controller
-     app.kubernetes.io/version: v2.17.0
-     helm.sh/chart: aws-load-balancer-controller-1.17.0
-   name: aws-load-balancer-serving-cert
-   namespace: kube-system
- spec:
-   dnsNames:
-   - aws-load-balancer-webhook-service.kube-system.svc
-   - aws-load-balancer-webhook-service.kube-system.svc.cluster.local
-   duration: 8760h0m0s
-   issuerRef:
-     kind: Issuer
-     name: aws-load-balancer-root-issuer
-   renewBefore: 720h0m0s
-   secretName: aws-load-balancer-tls

I think this makes sense from the perspective of ensuring the Secret is reused, but it seems like a footgun in that the default configuration for keepTLSSecret will allow the certificate to silently lapse.

[zac-nixon]

Hi, sorry for missing this. You are right this is bad behavior and it's also discussed here: #4541

I would recommend re-deploying the chart with keepTLSSecret=false.

[terabyte128]

Thank you! That's ultimately what we ended up doing but good to know that it's a generally OK thing to do.
I'll mark this as the answer and keep an eye on the linked issue.