I found that infisical cert-manager agent issues certificates on startup every time regardless of the validity/presence of previously issued certs.
This was a bit surprising to me, as it's perfectly reasonable to restart the machine or the agent process before a certificate is ready to renew.
Example config to reproduce:
version: v2
infisical:
address: "https://example.infisical.local"
auth:
type: "universal-auth"
config:
client-id: "/path/to/client-id"
client-secret: "/path/to/client-secret"
remove_client_secret_on_read: false
certificates:
- application-name: example
profile-name: tls-server
attributes:
key-algorithm: EC_prime256v1
signature-algorithm: ECDSA-SHA256
common-name: foo.example.com
ttl: 90d
lifecycle:
renew-before-expiry: 14d
status-check-interval: "6h"
file-output:
private-key:
path: "/path/to/server.key"
permission: "0600"
certificate:
path: "/path/to/server.crt"
permission: "0644"
chain:
path: "/path/to/chain.crt"
permission: "0644"
omit-root: true
CLI version: v0.43.100
I found that
infisical cert-manager agentissues certificates on startup every time regardless of the validity/presence of previously issued certs.This was a bit surprising to me, as it's perfectly reasonable to restart the machine or the agent process before a certificate is ready to renew.
Example config to reproduce:
CLI version:
v0.43.100