Duration and renew-before annotation changes in ingress resources don't trigger certificate updates #8213

@eleanor-merry

Describe the bug:

I've got an ingress set up (following the instructions at https://cert-manager.io/docs/usage/ingress/). A simple version for this bug report is:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: nameOfClusterIssuer
    cert-manager.io/duration: 24h
    cert-manager.io/renew-before: 1h
    cert-manager.io/private-key-size: "4096"
  name: myingress
  namespace: myingress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port:
              number: 80
  tls:
  - hosts:
    - example.com
    secretName: myingress-cert

Cert manager quickly creates a certificate for this ingress - great!

If I edit the annotations on the ingress, cert-manager also quickly updates the certificate - great!

However, if I change only the duration or the renew-before annotation, nothing happens - the certificate isn't updated. If I change another annotation (in this case the private-key-size one), then the certificate is updated (and this update also includes any changes to the duration/renew-before values).

Expected behaviour:

I expected the certificate to be updated on changes to any of the annotations.

Steps to reproduce the bug:

Use the ingress defined above:

  • Change just the duration or renew-before: No update
  • Change just the private-key-size (or a different annotation): Update of the private-key-size (or different annotation)
  • Change the private-key-size (or a different annotation) and the duration/renew-before: Update of everything

Anything else we need to know?:

I think this is happening because the function that compares if a cert needs updating doesn't check the duration or renew-before values.

Is this intentional? Would you accept a PR changing this?

Environment details:

  • Kubernetes version: k3s v1.33 (on local ubuntu dev box)
  • cert-manager version: v1.19.1
  • Install method: Helm manifests

/kind bug
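
The failure mode hypothesised in the report, modelled as an added example that is not part of the original issue and is not cert-manager's code: a comparison that skips the lifetime fields misses a duration-only edit, while a full comparison catches it. `CertSpec`, `FromAnnotations`, `NeedsUpdateReported` and `NeedsUpdateExpected` are hypothetical names, and the annotation values are constructed from the manifest above.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// CertSpec is a hypothetical stand-in for the settings the annotations control (not a cert-manager type).
type CertSpec struct {
	KeySize     int
	Duration    time.Duration
	RenewBefore time.Duration
}

// FromAnnotations builds the desired settings from Ingress annotations.
func FromAnnotations(a map[string]string) (s CertSpec, err error) {
	if s.KeySize, err = strconv.Atoi(a["cert-manager.io/private-key-size"]); err != nil {
		return s, fmt.Errorf("private-key-size: %w", err)
	}
	if s.Duration, err = time.ParseDuration(a["cert-manager.io/duration"]); err != nil {
		return s, fmt.Errorf("duration: %w", err)
	}
	if s.RenewBefore, err = time.ParseDuration(a["cert-manager.io/renew-before"]); err != nil {
		return s, fmt.Errorf("renew-before: %w", err)
	}
	return s, nil
}

// NeedsUpdateReported models the reported behaviour: the lifetime fields are not compared.
func NeedsUpdateReported(cur, want CertSpec) bool {
	return cur.KeySize != want.KeySize
}

// NeedsUpdateExpected compares every field, so a lifetime-only edit is detected.
func NeedsUpdateExpected(cur, want CertSpec) bool {
	return cur != want
}

func main() {
	ann := map[string]string{ // constructed from the manifest in the report
		"cert-manager.io/private-key-size": "4096",
		"cert-manager.io/duration":         "24h",
		"cert-manager.io/renew-before":     "1h",
	}
	cur, _ := FromAnnotations(ann)
	ann["cert-manager.io/duration"] = "12h" // lifetime-only edit
	want, _ := FromAnnotations(ann)
	fmt.Println(NeedsUpdateReported(cur, want), NeedsUpdateExpected(cur, want))
}
```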

Labels: help wanted, kind/bug
