Question: Does the PXC Operator renew the TLS certificate that was automatically generated by the operator itself?

Hi, thank you for providing a very powerful database operator in k8s.

I am quite new to PXC and the operator. Please kindly give me some light.

Our PXC cluster was deployed to k8s via Percona Operator (percona-xtradb-cluster-operator:1.14.0). Everything is great.
However, I am not clear about the behavior of the TLS certificate that was automatically generated by the operator itself.

  1. We do not have a cert-manager in our k8s. We also did not create our own custom tls certificate. So the operator created a 1-year-expiration CA & TLS certificate. In this case, will the operator renew the CA & TLS certificate by itself (without downtime I assume)?
  2. If I were to later on add cert-manager to our k8s, will the operator use cert-manager to renew the existing operator-self-generated CA & TLS certificate when it is about to expire?

Please kindly give me some light on how to proceed.

Hi Chhatra,
You should check this document about updating certs.

Hi @Yunus
Thank you for kindly checking with my questions.

I have read the document many times now.
It only mentioned the need to update the TLS certificate if "there is no cert-manager" and "we created custom certificates by ourselves".
There is no mention of the need to update the TLS certificate if it was automatically created by the operator itself.
So, I really can't tell if I need to do the update.

The other thing is the document did not mention what happens if later on we install cert-manager in the cluster after PXC was created. Will the next certificate renewal by the operator be done using cert-manager instead?

I could also read the source code, etc. Please kindly point me in the right direction to confirm this.

The Operator will not automatically renew the certificate. It is also not recommended to use an Operator-generated certificate in production.

What cert-manager does is take care of certificate renewals and put the result into the Secret. What the Operator does is read the Secret and apply it. So once cert-manager updates the Secret resource, the Operator will make sure the cert is updated for your cluster.

Hope this helps.
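Since the answer above says the operator-generated certificate is not renewed automatically, the practical follow-up is to watch its expiry in the TLS Secret. The example below is added here and is not code from the thread or from the operator: it builds a constructed one-year self-signed certificate as a stand-in for the operator-generated one, wraps it in a map shaped like the `.data` of a `kubernetes.io/tls` Secret (base64 values, as `kubectl get secret -o json` returns them), and reads back the `NotAfter` date, days remaining, and whether the cert falls inside a rotation window. The certificate, the CN `cluster1-pxc`, and the 30-day window are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedPEM builds a self-signed CA certificate valid from notBefore for
// validFor and returns it PEM-encoded. Constructed stand-in for the one-year
// certificate the operator creates when no cert-manager is present; this is
// example code, not the operator's own generation logic.
func SelfSignedPEM(cn string, notBefore time.Time, validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SecretData mimics the .data map of a kubernetes.io/tls Secret as returned by
// `kubectl get secret -o json`: each value is base64 of the raw bytes.
// tls.key and ca.crt are omitted; only the leaf's expiry matters here.
func SecretData(certPEM []byte) map[string]string {
	return map[string]string{"tls.crt": base64.StdEncoding.EncodeToString(certPEM)}
}

// NotAfterFromSecret decodes data["tls.crt"] and returns the expiry of the
// first certificate in the PEM bundle (the leaf, in a cert-manager-issued Secret).
func NotAfterFromSecret(data map[string]string) (time.Time, error) {
	b64, ok := data["tls.crt"]
	if !ok {
		return time.Time{}, errors.New("secret has no tls.crt")
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return time.Time{}, err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return time.Time{}, errors.New("tls.crt does not start with a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return time.Time{}, err
	}
	return cert.NotAfter, nil
}

// DaysLeft is the number of whole days from now until expiry; negative once expired.
func DaysLeft(data map[string]string, now time.Time) (int, error) {
	notAfter, err := NotAfterFromSecret(data)
	if err != nil {
		return 0, err
	}
	return int(notAfter.Sub(now).Hours() / 24), nil
}

// NeedsRotation is true when the certificate expires within window, or already has.
func NeedsRotation(data map[string]string, now time.Time, window time.Duration) (bool, error) {
	notAfter, err := NotAfterFromSecret(data)
	if err != nil {
		return false, err
	}
	return !now.Add(window).Before(notAfter), nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	certPEM, err := SelfSignedPEM("cluster1-pxc", issued, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	data := SecretData(certPEM)
	for _, now := range []time.Time{issued, issued.AddDate(0, 11, 0)} {
		days, _ := DaysLeft(data, now)
		rotate, _ := NeedsRotation(data, now, 30*24*time.Hour)
		fmt.Printf("at %s: %d days left, rotate=%v\n", now.Format("2006-01-02"), days, rotate)
	}
}
```

Against a live cluster the same functions apply to the real Secret: feed them the `.data` of `kubectl get secret <cluster>-ssl -o json` (the `<cluster>-ssl` name is assumed here; check the Secret name your cluster spec actually references). Once cert-manager is installed and manages that Secret, its rewritten `tls.crt` will show a fresh `NotAfter`, which is the observable effect of the renewal the answer above describes.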

Hi @Sergey_Pronin
Thank you for your help.
I think the information is clearer now.
I will try to test it out and share it here again.

Thank you.