Some Kommander users have encountered that Fluxcd source controller complains about gitea-0 exposing an expired TLS certificate, as the following entries in the source-controller logs (kommander-flux namespace):
"msg":"Reconciler error","reconciler group":"source.toolkit.fluxcd.io","reconciler
"unable to clone 'https://gitea-http.kommander.svc/kommander/kommander.git':
git-upload-pack\": x509: certificate has expired or is not yet valid: current time
2022-09-26T16:48:40Z is after 2022-09-22T17:09:09Z"}
This issue happens because Kommander 2.1.0, 2.1.1 and 2.2.0 does not handle certificate renewal correctly for kommander applications. The cert-manager component renews all certificates 60 days after you install Kommander on your cluster. When this occurs, some of the kommander applications and pods fail to receive the renewed certificate information, causing them to stop working upon expiration.
A permanent fix for the issue requires upgrading to Kommander 2.2.1 or higher. In the meantime, there is a workaround available that forces the applications to reconcile and recognize the renewed certificate. This workaround also extends the validity of the certificates to 10 years, fixes the certification reload issue, and restarts the affected pods once the new certificate is issued.
The workaround applies to any environment (networked, air-gapped, on-prem, etc.) and fixes the issue regardless of your issuer type (SelfSigned for air-gapped environments, ACME, or your own certificate issuer configured separately for your institution).
To prevent your applications from breaking, or to get the nodes up and running again, and fix this issue permanently, run this command:
IMPORTANT: If you have changed the default location of your kubeconfig file, replace ~/.kube/config with the absolute path of your file's location. For example, use /home/example/my-kubeconfig.yaml instead of my-kubeconfig.yaml.
docker run -v ~/.kube/config:/kubeconfig -e KUBECONFIG=/kubeconfig mesosphere/rotate-certificate-hotfix:2.1.1