From b3e757c4e2ccadc0a985dd8f591b8bdfba2621dd Mon Sep 17 00:00:00 2001 From: Rene Dekker Date: Tue, 17 Feb 2026 16:19:59 -0800 Subject: [PATCH 1/2] fix(certificate rotation-before): ECK certs are now rotated 30d before expiry Just like all other certificates, make it so that ECK certs rotate 30d before expiry. --- pkg/render/logstorage/eck/eck.go | 6 +++--- pkg/render/logstorage/eck/eck_test.go | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/render/logstorage/eck/eck.go b/pkg/render/logstorage/eck/eck.go index 3c7c8aa085..e69262ec1c 100644 --- a/pkg/render/logstorage/eck/eck.go +++ b/pkg/render/logstorage/eck/eck.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -363,9 +363,9 @@ func (e *eck) operatorStatefulSet() *appsv1.StatefulSet { "--container-registry=" + e.cfg.Installation.Registry, "--max-concurrent-reconciles=3", "--ca-cert-validity=8760h", - "--ca-cert-rotate-before=24h", + "--ca-cert-rotate-before=30d", + "--cert-rotate-before=30d", "--cert-validity=8760h", - "--cert-rotate-before=24h", "--enable-webhook=false", "--manage-webhook-certs=false", }, diff --git a/pkg/render/logstorage/eck/eck_test.go b/pkg/render/logstorage/eck/eck_test.go index 05148adad4..b14db20fa2 100644 --- a/pkg/render/logstorage/eck/eck_test.go +++ b/pkg/render/logstorage/eck/eck_test.go @@ -108,9 +108,9 @@ var _ = Describe("ECK rendering tests", func() { "--container-registry=testregistry.com/", "--max-concurrent-reconciles=3", "--ca-cert-validity=8760h", - "--ca-cert-rotate-before=24h", + "--ca-cert-rotate-before=30d", + "--cert-rotate-before=30d", "--cert-validity=8760h", - "--cert-rotate-before=24h", "--enable-webhook=false", "--manage-webhook-certs=false", })) From 5fccfdaf1d0a0601d90d2012ff700b6c224305be Mon Sep 17 00:00:00 2001 From: Rene Dekker Date: Tue, 24 Feb 2026 13:39:24 -0800 Subject: [PATCH 2/2] fix(certificate rotation-before): ECK certs are now rotated 30d before expiry ECK certificates are now rotated 30d before expiry just like all certificates that are managed by this operator. --- pkg/render/logstorage/eck/eck.go | 4 ++-- pkg/render/logstorage/eck/eck_test.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/render/logstorage/eck/eck.go b/pkg/render/logstorage/eck/eck.go index e69262ec1c..f9d65d62b6 100644 --- a/pkg/render/logstorage/eck/eck.go +++ b/pkg/render/logstorage/eck/eck.go @@ -363,8 +363,8 @@ func (e *eck) operatorStatefulSet() *appsv1.StatefulSet { "--container-registry=" + e.cfg.Installation.Registry, "--max-concurrent-reconciles=3", "--ca-cert-validity=8760h", - "--ca-cert-rotate-before=30d", - "--cert-rotate-before=30d", + "--ca-cert-rotate-before=720h", + "--cert-rotate-before=720h", "--cert-validity=8760h", "--enable-webhook=false", "--manage-webhook-certs=false", diff --git a/pkg/render/logstorage/eck/eck_test.go b/pkg/render/logstorage/eck/eck_test.go index b14db20fa2..0ea1d5a33d 100644 --- a/pkg/render/logstorage/eck/eck_test.go +++ b/pkg/render/logstorage/eck/eck_test.go @@ -108,8 +108,8 @@ var _ = Describe("ECK rendering tests", func() { "--container-registry=testregistry.com/", "--max-concurrent-reconciles=3", "--ca-cert-validity=8760h", - "--ca-cert-rotate-before=30d", - "--cert-rotate-before=30d", + "--ca-cert-rotate-before=720h", + "--cert-rotate-before=720h", "--cert-validity=8760h", "--enable-webhook=false", "--manage-webhook-certs=false",