This repository was archived by the owner on Aug 4, 2025. It is now read-only.

Commit 97a51b5

fix: chart: update cert-manager cert. duration (external-secrets#2986)
Update cert-manager certificate duration to 1 year in the Helm chart.

This commit resolves a timing issue in the external-secrets Helm chart, where the default certificate duration was previously not explicitly set. This lack of specification led to conflicts with the cert-manager's lookahead interval. By setting the `webhook.certManager.cert.duration` to "8760h" (one year), we ensure that cert-manager will renew the certificate before the external-secrets webhook starts to report issues, and restarts, due to the certificate nearing expiration (as per the lookahead interval).

This solution has been discussed in external-secrets#2519.

Signed-off-by: Thibault Gérondal <[email protected]>
1 parent 921ed35 commit 97a51b5

2 files changed

+3
-2
lines changed

deploy/charts/external-secrets/README.md

Lines changed: 1 addition & 1 deletion
@@ -153,7 +153,7 @@ The command removes all the Kubernetes components associated with the chart and
153153
| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
154154
| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
155155
| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
156-
| webhook.certManager.cert.duration | string | `""` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec |
156+
| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
157157
| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
158158
| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
159159
| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
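
Review bot: the `renewBefore` row at line 158 still defaults to `""` while its description requires it to be greater than `.webhook.lookaheadInterval`, so after this change the fix rests entirely on the new `duration` default at line 156 and the table does not say so. Suggest stating in the `duration` description that the value is chosen so that renewal happens ahead of the webhook's lookahead check, and that anyone overriding `duration` with a shorter value should set `renewBefore` explicitly. Separately, "One year by default." is appended directly after the CertificateSpec URL with no separating punctuation; place it before "See https://..." so the link does not run into the sentence.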

deploy/charts/external-secrets/values.yaml

Lines changed: 2 additions & 1 deletion
@@ -271,7 +271,8 @@ webhook:
271271
name: "my-issuer"
272272
# -- Set the requested duration (i.e. lifetime) of the Certificate. See
273273
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
274-
duration: ""
274+
# One year by default.
275+
duration: "8760h"
275276
# -- How long before the currently issued certificate’s expiry
276277
# cert-manager should renew the certificate. See
277278
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
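
Review bot: the comment added at line 274, `# One year by default.`, only restates the value on the following line and does not record why an empty `duration` was a problem. Suggest replacing it with a sentence that names the constraint, for example that the duration has to be long enough for cert-manager to renew before the webhook's lookahead interval is reached, so that a later edit does not reset it to `""`. Since the default changes from `""` to `"8760h"`, installs that never set this value will request a different certificate lifetime on upgrade, which is worth a line in the release notes.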
