Unexpected certificate renewal after upgrading to 1.19.0

[FrancoisPoinsot]

I deploy cert-manager with its CRDs using the helm chart.
When upgrading to 1.19.0, cert-manager rotated all existing Certificates.

What happened

10:22:43 :

Fields on existing CertificateRequest resource not up to date: [spec.issuerRef]  from cert-manager

10:23:34: from the k8s API server:

 cognite-internal-ca-4 certificateRequest is created

This seems related to that change on the CRDs:
https://github.com/cert-manager/cert-manager/pull/7414/files?w=1#diff-001624fd2992dca5a14f93c39266ee79360a1231af2df533137c070a4490e869R130

The surprising part is that this change in the existing CertificateRequest triggered it. Even though the Certificate itself was correctly issued long ago

Environments

Multiple k8s clusters on GKE, AKS and EKS. Around v1.33.

[erikgb]

This is probably caused by the materialized defaults applied to the issuer reference group and kind. How does your certificates look like? Did all certificates get renewed, or only some of them? We are considering reverting all/some of this for a patch release. See #8157

CC @inteon

[FrancoisPoinsot]

This is probably caused by the materialized defaults applied to the issuer reference group and kind. How does your certificates look like? Did all get renewed? We are considering reverting all/some of this for a patch release. See #8157

CC @inteon

yeah I am very sorry, I clicked "create" on the github issue too early. Still editing the body to add more details.
But yeah this seems related to that

[FrancoisPoinsot]

Did all certificates get renewed, or only some of them?

out of 94 certificates, only 2 were not renewed. I will try to find what is special about them.

[erikgb]

Were your 94 certificates that got renewed missing the issuer reference group/kind?

[FrancoisPoinsot]

Were your 94 certificates that got renewed missing the issuer reference group/kind?

.spec.issuerRef.group is missing in the certificate resource for all cert that got renewed.

[FrancoisPoinsot]

I can't check the opposite scenario with the data I have. I don't have the old manifest / resource for the 2 certificates that were not renewed.

[FrancoisPoinsot]

@erikgb .spec.issuerRef.kind is always present in the certificates I have defined.
I don't think the revert you linked above will address the issue I faced. It might be very similar, but I think what triggered the certificates renewal in my case was the change from null to "cert-manager.io" in .spec.issuerRef.group

edit: ha I see that part which might actually help: https://github.com/cert-manager/cert-manager/pull/8157/files#diff-b5354eb13c358d09d5f9d1d7efa103aab46c3e08cd7f2d06f4f9d48886cba978R28

[FrancoisPoinsot]

@erikgb may I suggest you invalidate the v1.19.0 release?

On top of this renewal of all certificates, I suspect that cert-manager does not rotate certificates issued from an Issuer which CA is itself managed by cert-manager.
Leading to a nasty race condition. At the end some leaf certificates are invalid.

[erikgb]

@erikgb .spec.issuerRef.kind is always present in the certificates I have defined. I don't think the revert you linked above will address the issue I faced. It might be very similar, but I think what triggered the certificates renewal in my case was the change from null to "cert-manager.io" in .spec.issuerRef.group

The plan this morning was to retain the materialized default of the issuer reference group, as it fixes an issue for users of approver-policy. It's unfortunate to get all these renewals, just because the default was materialized in the resource. Maybe we could fix that? 🤔

[inteon]

I think this must have something to do with this code:

cert-manager/internal/controller/certificates/policies/checks.go

Line 161 in 83f8d4f

func SecretIssuerAnnotationsMismatch(input Input) (string, string, bool) {

[FrancoisPoinsot]

@erikgb .spec.issuerRef.kind is always present in the certificates I have defined. I don't think the revert you linked above will address the issue I faced. It might be very similar, but I think what triggered the certificates renewal in my case was the change from null to "cert-manager.io" in .spec.issuerRef.group

The plan this morning was to retain the materialized default of the issuer reference group, as it fixes an issue for users of approver-policy. It's unfortunate to get all these renewals, just because the default was materialized in the resource. Maybe we could fix that? 🤔

Don't trust too much my words there. I don't know nearly enough about cert-manager's code.
But the test scenario should be straight forward:

• use cert-manager 1.18.x
• Create a certificate. leave .spec.issuerRef.group field empty
• upgrade to cert-manager 1.19.x

Check if a new CertificateRequest is created.

[inteon]

I found the issue: https://github.com/cert-manager/cert-manager/blob/master/pkg/util/pki/match.go#L227C1-L228C1

Instead of deep equal, we need logic there to default the kind and group fields.