Hi,
Thank you for your message. As I understand it, your webhook pod loads a Secret resource that contains the private key and certificate that were created by cert-manager. On the other side, cert-manager’s cainjector puts the contents of the ca.crt in that Secret resource to fill the caBundle in the MutatingWebhookConfiguration object.
The function http.ListenAndServeTLS loads the private key and certificate from disk (where the Secret above is mounted) when the pod starts. When cert-manager rotates the certificate and private key, the tls.crt and tls.key files on disk are changed, but http.ListenAndServeTLS doesn’t know about that change.
You have two solutions to work around this limitation: (1) have something that will restart the webhook process when the Secret changes (there is a controller for that, I don't remember the name);
(2) or do the same as what controller-runtime does in [1], which is to use fsnotify to watch for changes on disk and gracefully reload the ListenAndServe function when that happens.
[1]:
Have a good day,
Maël
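As an added example that is not part of the reply above nor controller-runtime's own code, here is one way to implement option (2) in a webhook server. Instead of fsnotify it uses the standard library only: the server hands `tls.Config.GetCertificate` to a small reloader that stats `tls.crt` and `tls.key` on each handshake and re-parses the pair when their mtime or size changed, so the listener is never restarted. The mount paths under `/tls/`, the `CertReloader` name and the `writeSelfSignedPair` helper (which produces constructed test data standing in for the cert-manager Secret) are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"log"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// CertReloader hands the certificate currently on disk to every TLS handshake
// through tls.Config.GetCertificate, so the listener is never restarted.
type CertReloader struct {
	certPath, keyPath string
	mu                sync.RWMutex
	cert              *tls.Certificate
	certInfo, keyInfo os.FileInfo // mtime/size of the pair last loaded
}

func NewCertReloader(certPath, keyPath string) (*CertReloader, error) {
	r := &CertReloader{certPath: certPath, keyPath: keyPath}
	if err := r.reload(); err != nil {
		return nil, err
	}
	return r, nil
}

// statPair follows the ..data symlink the kubelet swaps when a Secret changes.
func (r *CertReloader) statPair() (ci, ki os.FileInfo, err error) {
	if ci, err = os.Stat(r.certPath); err != nil {
		return nil, nil, err
	}
	ki, err = os.Stat(r.keyPath)
	return ci, ki, err
}

// reload parses the pair on disk and installs it atomically. A mismatched or
// half-written pair is rejected and the previous certificate stays in use.
func (r *CertReloader) reload() error {
	ci, ki, err := r.statPair()
	if err != nil {
		return err
	}
	cert, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.cert, r.certInfo, r.keyInfo = &cert, ci, ki
	return nil
}

func same(a, b os.FileInfo) bool {
	return b != nil && a.ModTime().Equal(b.ModTime()) && a.Size() == b.Size()
}

// GetCertificate satisfies tls.Config.GetCertificate. Two stat() calls per
// handshake are cheap; throttle them if the webhook is very busy.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	ci, ki, err := r.statPair()
	r.mu.RLock()
	unchanged := err == nil && same(ci, r.certInfo) && same(ki, r.keyInfo)
	r.mu.RUnlock()
	if !unchanged {
		if err := r.reload(); err != nil {
			log.Printf("rotation not applied, keeping previous certificate: %v", err)
		}
	}
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// writeSelfSignedPair writes a throwaway self-signed cert and key to dir,
// standing in for the cert-manager Secret mount (constructed test data).
func writeSelfSignedPair(dir, cn string) (certPath, keyPath string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	// Mount paths are an assumption: wherever the Secret lands in the webhook pod.
	r, err := NewCertReloader("/tls/tls.crt", "/tls/tls.key")
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{Addr: ":8443", TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: r.GetCertificate}}
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: GetCertificate supplies the pair
}
```

Two details matter in practice. `ListenAndServeTLS("", "")` is valid when `GetCertificate` is set, so the file paths are never given to the listener and the stale-copy problem described in the reply does not arise. And because the kubelet updates a mounted Secret by atomically swapping a `..data` symlink rather than rewriting the files in place, a watcher keyed on the file name has to handle rename and remove events; `os.Stat` follows the symlink, which is why comparing mtime and size on each handshake catches the rotation.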