From f490bd78748d3ee878e65b812cce897c280be514 Mon Sep 17 00:00:00 2001
From: Marc Vornetran
Date: Fri, 21 Mar 2025 11:10:03 +0100
Subject: [PATCH 1/3] docs: Document triggering a manual certificate renewal

---
 README.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/README.md b/README.md
index d577e2c41..bfee59577 100644
--- a/README.md
+++ b/README.md
@@ -43,6 +43,7 @@ Currently, the `cert-controller-manager` supports certificate authorities via:
 - [Using the cert-controller-manager](#using-the-cert-controller-manager)
 - [Usage](#usage)
 - [Renewal of Certificates](#renewal-of-certificates)
+ - [Triggering a manual Certificate renewal](#triggering-a-manual-certificate-renewal)
 - [Revoking Certificates](#revoking-certificates)
 - [Revoking certificates with renewal](#revoking-certificates-with-renewal)
 - [Checking OCSP revocation using OpenSSL](#checking-ocsp-revocation-using-openssl)
@@ -1042,6 +1043,22 @@ is always valid for 90 days and will be rolled 30 days before it expires by upda
 in the `Certificate` object. The configuration can be changed with the command line parameter `--issuer.renewal-window`.
+### Triggering a manual Certificate renewal
+
+You can trigger a manual renewal of a `Certificate` by setting `.spec.renew` to `true`.
+The controller will then renew the certificate with the next reconciliation and remove the field.
+
+```yaml
+apiVersion: cert.gardener.cloud/v1alpha1
+kind: Certificate
+metadata:
+ name: renew-sample
+ namespace: default
+spec:
+ commonName: cert1.mydomain.com
+ renew: true # trigger a renewal with the next reconciliation, the field will be removed
+```
+
 ## Revoking Certificates
 
 Certificates created with an `ACME` issuer can also be revoked if private key of the certificate

From 9c373dd1e61dd990a31d8fad667cf3d885722e1f Mon Sep 17 00:00:00 2001
From: Marc Vornetran
Date: Fri, 21 Mar 2025 14:08:30 +0100
Subject: [PATCH 2/3] docs: Add `ensureRenewedAfter` to sample

Co-authored-by: Martin Weindel
---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index bfee59577..0d274e397 100644
--- a/README.md
+++ b/README.md
@@ -1057,6 +1057,7 @@ metadata:
 spec:
 commonName: cert1.mydomain.com
 renew: true # trigger a renewal with the next reconciliation, the field will be removed
+ ensureRenewedAfter: null # mandatory if a manual renewal was already triggered
 ```
 
 ## Revoking Certificates

From 61158c544e1b2e2323636e4857bb50eb39395b35 Mon Sep 17 00:00:00 2001
From: Marc Vornetran
Date: Fri, 21 Mar 2025 14:10:16 +0100
Subject: [PATCH 3/3] docs: Mention `ensureRenewedAfter` for manual renewals

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 0d274e397..f0c9a75e9 100644
--- a/README.md
+++ b/README.md
@@ -1060,6 +1060,8 @@ spec:
 ensureRenewedAfter: null # mandatory if a manual renewal was already triggered
 ```
 
+If the field `.spec.ensureRenewedAfter` is set and you want to trigger the renewal again, make sure to remove it (e.g. by setting the value explicitly to `null`).
+
 ## Revoking Certificates
 
 Certificates created with an `ACME` issuer can also be revoked if private key of the certificate