
Certificate rotation

Kubewarden v1.17.0 removed the cert-manager dependency. The controller now manages all the certificates used by the Kubewarden components itself, through a dedicated reconciliation loop that keeps the certificates up to date and the webhook configurations correct.

The Helm chart installation performs the first certificate generation. It generates the root CA, valid for ten years, and the controller webhook web server certificate, signed by that root CA and valid for one year. The API server relies on this server certificate when it calls the Kubewarden controller's webhooks, which validate the Kubewarden CRDs.

Once the controller starts, its reconciler renews the certificates automatically when they approach expiration, and updates the certificates and webhook configurations used by the whole Kubewarden stack.

note

All the certificates generated by the Helm chart, and later by the controller, use ECDSA P-256 keys.

The reconciliation loop renews certificates 60 days before they expire, and certificates rotate without downtime. The same loop also takes care of renewing the root CA.

The controller generates a new root CA 60 days before the current one expires. It then updates the CA bundle used by all the webhooks so that it contains both the new root CA and the old one.

The change of root CA leads the reconciler to re-create the certificates issued to the webhooks. Propagating the new certificates takes some time; during this window the updated CA bundle lets the API server keep communicating with every webhook, whichever root its current certificate chains to, so there is no downtime.

Once the new certificates are in place and the old root CA is no longer valid, the controller updates the CA bundle used by the webhooks so that it contains only the latest root CA.

When a policy server or controller web server certificate is renewed, the controller updates the corresponding secret with the new certificate signed by the root CA. Both the controller and the policy server reload their certificate from the updated secret, so they start using the new certificate without a process restart and hence without downtime.
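The renewal window and the root CA hand-over described above, as an added example in Go that is not part of the Kubewarden code base: it issues ECDSA P-256 certificates with the lifetimes given on this page, exposes the 60-day renewal trigger, then rotates the root CA and checks, the way the API server does against a webhook's caBundle, that a bundle holding both roots accepts leaves from either, that a bundle holding only the old root rejects the new leaf, and that the old leaf stops verifying once the old root itself has expired. The webhook service name and the CA common name are assumed for illustration; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Lifetimes stated on the page: 10-year root CA, 1-year leaf, renewal 60 days before expiry.
const (
	caLifetime   = 10 * 365 * 24 * time.Hour
	leafLifetime = 365 * 24 * time.Hour
	renewBefore  = 60 * 24 * time.Hour
	webhookDNS   = "kubewarden-controller-webhook-service.kubewarden.svc" // assumed service name, not from the page
)

// certPair is a parsed certificate together with its ECDSA P-256 private key.
type certPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// check aborts the demo on an error; a real controller would return it to its reconcile loop instead.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and certifies it: a self-signed root CA when parent is nil, otherwise a TLS server certificate for name signed by parent.
func issue(name string, parent *certPair, now time.Time) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name}, NotBefore: now}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.NotAfter, tmpl.IsCA, tmpl.BasicConstraintsValid = now.Add(caLifetime), true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.NotAfter, tmpl.DNSNames = now.Add(leafLifetime), []string{name}
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &certPair{Cert: cert, Key: key}
}

// needsRenewal reports whether cert is inside its renewal window (within renewBefore of NotAfter) at now.
func needsRenewal(cert *x509.Certificate, now time.Time) bool {
	return !now.Before(cert.NotAfter.Add(-renewBefore))
}

// verifies mirrors the API server's check of a webhook: does leaf chain to a root in bundle for dnsName at now?
func verifies(leaf *x509.Certificate, bundle []*x509.Certificate, dnsName string, now time.Time) bool {
	pool := x509.NewCertPool()
	for _, c := range bundle {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, CurrentTime: now})
	return err == nil
}

type rotationResult struct {
	OldLeafWithBothCAs bool // still-valid leaf from the old root, against the merged bundle
	NewLeafWithBothCAs bool // leaf just issued from the new root, against the merged bundle
	NewLeafWithOldCA   bool // new leaf against a bundle holding only the old root (expected false)
	OldLeafAfterExpiry bool // old leaf once the old root itself has expired (expected false)
}

// simulateRootRotation walks through the rotation described on the page, starting from an install at t0.
func simulateRootRotation(t0 time.Time) rotationResult {
	caOld := issue("kubewarden-root-ca", nil, t0)
	t := caOld.Cert.NotAfter.Add(-renewBefore) // the reconciler's trigger point for the root
	leafOld := issue(webhookDNS, caOld, t.Add(-30*24*time.Hour)) // current leaf, renewed a month ago from the old root
	caNew := issue("kubewarden-root-ca", nil, t)
	leafNew := issue(webhookDNS, caNew, t)
	both := []*x509.Certificate{caOld.Cert, caNew.Cert} // the merged caBundle during propagation
	return rotationResult{
		OldLeafWithBothCAs: verifies(leafOld.Cert, both, webhookDNS, t),
		NewLeafWithBothCAs: verifies(leafNew.Cert, both, webhookDNS, t),
		NewLeafWithOldCA:   verifies(leafNew.Cert, []*x509.Certificate{caOld.Cert}, webhookDNS, t),
		OldLeafAfterExpiry: verifies(leafOld.Cert, both, webhookDNS, caOld.Cert.NotAfter.Add(time.Hour)),
	}
}

func main() {
	fmt.Printf("%+v\n", simulateRootRotation(time.Now()))
}
```

Running it prints the four booleans; the two "expected false" fields are the reason the bundle must carry both roots while the new certificates propagate, and why the old root can only be dropped from the bundle after everything chains to the new one. In the real controller the keys live in Secrets rather than memory and the merged bundle is written into each webhook configuration's caBundle field; the chain-building and validity checks shown by verifies are what the API server performs on every admission call.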