
Ingress not using latest TLS certificate on Key Vault

Open ajorkowski opened this issue 1 year ago • 1 comment

Hi,

I am using a web application on a private network, and it is all working great except for one issue. I am pointing to a certificate on the Key Vault that is getting periodically updated (Let's Encrypt certificate via the Key Vault Acmebot project). The problem is that after this certificate updates on the Key Vault, the Key Vault pods don't seem to pick this up and update the certificates used in the ingress - so suddenly, one day, our traffic stopped working once the old certificates expired, even though there were new certificates already in the Key Vault.

It seemed like the only way to restore traffic was to delete the ingress which had the 'kubernetes.azure.com/tls-cert-keyvault-uri' annotation and add them again - this seemed to force a refresh. Is there a better way to deal with this?

Finally, is there a better way to handle the certificates than using Key Vault certificates? I mean, in an ideal world, I think it would be much easier to have something like cert-manager generate the certificates on AKS directly, and then the ingress would use these and do the domain management stuff. Then I could get rid of the Key Vault and the Acmebot too...

Cheers, Felix

ajorkowski, Sep 12 '24 03:09

Have you configured the certificate rotation interval on the CSI Secret Store? https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-configuration-options#enable-and-disable-auto-rotation

sabbour, Oct 07 '24 21:10
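The rotation setting the comment above points at, as an added example that is not code from the aks-app-routing-operator project or from either poster: it enables secret rotation on the AKS Key Vault CSI addon and then compares the certificate the ingress actually serves with the current certificate version in Key Vault, so a stale ingress is caught before the old certificate expires. The resource group, cluster, vault, certificate name and hostname arguments are assumed placeholders, and the `az` and `openssl` commands are run from a shell already logged in to the subscription.

```shell
#!/usr/bin/env bash
# Added example, not part of the aks-app-routing-operator project.
# All resource names passed in are assumed placeholders.
set -euo pipefail

# Enable the CSI Secrets Store driver's rotation with a 5-minute poll (default here).
# Without rotation the driver never re-reads the Key Vault object, which is the
# failure described in the issue: the old certificate is served until it expires.
enable_rotation() {
  local rg="$1" cluster="$2" interval="${3:-5m}"
  az aks addon update --resource-group "$rg" --name "$cluster" \
    --addon azure-keyvault-secrets-provider \
    --enable-secret-rotation --rotation-poll-interval "$interval"
}

# SHA-256 fingerprint of the leaf certificate a TLS endpoint presents.
served_fingerprint() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the current version in Key Vault ("cer" is base64 DER).
keyvault_fingerprint() {
  local vault="$1" name="$2"
  az keyvault certificate show --vault-name "$vault" --name "$name" --query cer -o tsv \
    | base64 -d | openssl x509 -inform DER -noout -fingerprint -sha256
}

# Reduce "SHA256 Fingerprint=AB:CD.." or "sha256 Fingerprint=ab:cd.." (openssl 1.x
# vs 3.x spelling) to bare upper-case hex so the two sides compare equal.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# 0 when both fingerprints match, 1 when the ingress is serving a stale certificate.
cert_in_sync() {
  [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Usage: ./check-ingress-cert.sh <resource-group> <cluster> <vault> <cert-name> <host>
if [ "$#" -eq 5 ]; then
  enable_rotation "$1" "$2"
  if cert_in_sync "$(served_fingerprint "$5")" "$(keyvault_fingerprint "$3" "$4")"; then
    echo "ingress serves the current Key Vault certificate"
  else
    echo "STALE: ingress certificate differs from Key Vault; rotation has not applied yet" >&2
    exit 2
  fi
fi
```

Running the check on a schedule (e.g. a cron job that alerts on exit code 2) gives early warning of the silent expiry described in the issue instead of discovering it when traffic stops.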