windows-gmsa
                        Webhook pods returns tls bad certificate with certification manager
Hi, I installed last version (v0.13.0) of windows-gmsa in our EKS cluster and configured it in order to use certification manager with automatic certification renew.
I saw the enhancement of v0.9.0 about the certification renew management (with argument '--cert-reload=true') and I tested it.
My test case is very simple: I configured a Certificate resource with duration: 1h and renewBefore: 55m, and after 1h the pods defined in the deployment return tls bad certificate.
I enabled logs and studied the code a bit and, as you can see, the certificate (stored in a secret) is loaded one time. After that no update is caught.
I enriched the logs in order to understand the problem and, as you can see, the first time the fsnotify watcher receives two events (CHMOD and REMOVE), and this is the reason for the bug.
According to this: https://martensson.io/go-fsnotify-and-kubernetes-configmaps/ (but you can find much more information) the problem is how K8S mounts configmaps and secrets: it manages volumes as symbolic links and for any update in a configmap/secret it removes the old symbolic link and recreates a new one, and the fsnotify library fails to manage this behaviour (the library sends two events but the watcher, previously configured for a specific file, is lost).
Because I'm not a "Go expert" (it is my first time with golang), I don't know if there is some specific fsnotify configuration or if the solution described in the previous link is the "good" solution.
Do you think I am right with my analysis, or am I missing something in the configuration?
Thanks
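The symlink behaviour described above, as an added example in Go using only the standard library (this is not code from windows-gmsa or from the linked article): it simulates how the kubelet lays out a mounted Secret (a versioned directory plus a `..data` symlink that is swapped with an atomic rename, with `tls.crt`/`tls.key` pointing through `..data`) and a reloader that re-resolves `..data` before every handshake instead of holding a watch on the original file, so the remove-and-recreate step cannot leave it bound to a vanished inode. The names `makeKeyPair`, `writeSecretVersion`, `certReloader` and the `..vN` directory naming are assumptions for the demo; the self-signed certificates are constructed in memory and are not real webhook certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// makeKeyPair builds a throwaway self-signed certificate whose serial number
// identifies the "version" of the secret (constructed for this demo only).
func makeKeyPair(serial int64) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// writeSecretVersion mimics the kubelet's atomic update of a mounted Secret:
// write a fresh versioned directory, then swap the "..data" symlink with a
// rename. The tls.crt/tls.key paths never change, but the inode behind them
// does, which is exactly what confuses a watcher pinned to the old file.
func writeSecretVersion(mount string, version int, certPEM, keyPEM []byte) error {
	dir := filepath.Join(mount, fmt.Sprintf("..v%d", version))
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, "tls.crt"), certPEM, 0o600); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o600); err != nil {
		return err
	}
	tmp := filepath.Join(mount, "..data_tmp")
	_ = os.Remove(tmp) // leftover from an interrupted earlier swap, if any
	if err := os.Symlink(filepath.Base(dir), tmp); err != nil {
		return err
	}
	if err := os.Rename(tmp, filepath.Join(mount, "..data")); err != nil {
		return err
	}
	for _, name := range []string{"tls.crt", "tls.key"} {
		link := filepath.Join(mount, name)
		if _, err := os.Lstat(link); os.IsNotExist(err) {
			if err := os.Symlink(filepath.Join("..data", name), link); err != nil {
				return err
			}
		}
	}
	return nil
}

// certReloader serves the key pair currently behind the mount and reloads it
// whenever the "..data" symlink target changes. Re-resolving the path on each
// call means no watch has to survive the kubelet's remove/recreate sequence.
type certReloader struct {
	mount  string
	mu     sync.RWMutex
	target string
	cert   *tls.Certificate
}

func (r *certReloader) reload() error {
	target, err := os.Readlink(filepath.Join(r.mount, "..data"))
	if err != nil {
		return err
	}
	r.mu.RLock()
	same := target == r.target
	r.mu.RUnlock()
	if same {
		return nil // still the version we already parsed
	}
	cert, err := tls.LoadX509KeyPair(filepath.Join(r.mount, "tls.crt"), filepath.Join(r.mount, "tls.key"))
	if err != nil {
		return err
	}
	r.mu.Lock()
	r.target, r.cert = target, &cert
	r.mu.Unlock()
	return nil
}

// GetCertificate is the tls.Config hook, so every handshake sees the newest cert.
func (r *certReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if err := r.reload(); err != nil {
		return nil, err
	}
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// currentSerial reports which certificate version the reloader would serve.
func currentSerial(r *certReloader) (int64, error) {
	c, err := r.GetCertificate(nil)
	if err != nil {
		return 0, err
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return 0, err
	}
	return leaf.SerialNumber.Int64(), nil
}

func main() {
	mount, err := os.MkdirTemp("", "gmsa-secret")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(mount)
	r := &certReloader{mount: mount}
	for v := 1; v <= 2; v++ { // second iteration is the "renewal" swap
		c, k, err := makeKeyPair(int64(v))
		if err != nil {
			panic(err)
		}
		if err := writeSecretVersion(mount, v, c, k); err != nil {
			panic(err)
		}
		serial, err := currentSerial(r)
		if err != nil {
			panic(err)
		}
		fmt.Printf("after writing version %d the server would present serial %d\n", v, serial)
	}
}
```

Wiring `GetCertificate: r.GetCertificate` into the webhook's `tls.Config` is what makes the renewal visible to clients; an fsnotify watcher can still be kept as a trigger, but it should watch the mount directory and react to CREATE/REMOVE of `..data` rather than to the certificate file itself.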