This is unreleased documentation for Admission Controller 1.36-dev.
Policy Server certificate rotation issue for release ≤ v1.16.0
Workaround for Kubewarden Admission Controller v1.16.0 and earlier
This workaround is only needed for Admission Controller v1.16.0 and earlier. Starting from v1.17.0, the controller automatically renews the policy server certificates.
During the release process for v1.14, a bug related to policy server certificate rotation was discovered. The root CA is configured with a 10-year expiry, but each policy-server certificate secret has a one-year expiry, and the controller is currently unable to renew these secrets automatically.
In the v1.14 release, the Admission Controller ensured that policy-server secrets are created with a 10-year expiry.
An automated renewal process is in place for release ≥ v1.16.0.
Until then, users can manually delete the expired certificate secret (policy-server-default) and trigger a controller reconciliation. You do this by adding, removing, or updating a policy or by adjusting the number of replicas of a PolicyServer.
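
The manual procedure above as a shell sketch. This is an added example, not part of the Kubewarden documentation or code. The namespace `kubewarden`, the secret data key `policy-server-cert`, and the PolicyServer name `default` are assumptions; override them through the environment if your installation differs.

```shell
#!/bin/sh
# Assumed defaults (not stated on the page); override via environment.
NS="${NS:-kubewarden}"
SECRET="${SECRET:-policy-server-default}"
CERT_KEY="${CERT_KEY:-policy-server-cert}"
POLICY_SERVER="${POLICY_SERVER:-default}"

# cert_expires_within SECONDS  (PEM certificate on stdin)
# Returns 0 if the certificate is expired or expires within SECONDS,
#         1 if it stays valid for longer than SECONDS,
#         2 if stdin is not a parseable certificate.
cert_expires_within() {
    pem=$(cat)
    # Refuse to act on input that openssl cannot parse, so a failed
    # kubectl read is never mistaken for an expired certificate.
    printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1 || return 2
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# rotate_if_expired NEW_REPLICAS
# Deletes the secret only when its certificate has expired, then changes the
# PolicyServer replica count to trigger a controller reconciliation.
rotate_if_expired() {
    status=0
    kubectl -n "$NS" get secret "$SECRET" \
        -o go-template="{{index .data \"$CERT_KEY\"}}" \
        | base64 -d | cert_expires_within 0 || status=$?
    case "$status" in
        0) ;;
        1) echo "certificate in $NS/$SECRET is still valid"; return 0 ;;
        *) echo "cannot read certificate from $NS/$SECRET" >&2; return 1 ;;
    esac
    kubectl -n "$NS" delete secret "$SECRET" || return 1
    kubectl patch policyserver "$POLICY_SERVER" --type merge \
        -p "{\"spec\":{\"replicas\":$1}}"
}

# Usage: rotate_if_expired 2
```

Pass a replica count different from the current one so that the patch actually changes the PolicyServer spec.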