open-telemetry · schahal · Nov 24, 2025 · Nov 24, 2025 · Nov 26, 2025 · pavolloffay
@@ -0,0 +1,19 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: target allocator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Fix CA certificate renewal race condition by extending CA certificate duration to 1 year
+
+# One or more tracking issues related to the change
+issues: [4441]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  The CA certificate now has a 1-year duration (instead of the default 90 days) to prevent race conditions
+  where client and server certificates could be signed by different CA versions during simultaneous renewal.
+  This ensures the CA remains stable while dependent certificates renew regularly.
@@ -5,6 +5,7 @@ package controllers
 
 import (
 	"testing"
+	"time"
 
 	cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	cmmetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
@@ -3260,9 +3261,11 @@ prometheus_cr:
 						Subject: &cmv1.X509Subject{
 							OrganizationalUnits: []string{"opentelemetry-operator"},
 						},
-						CommonName: "test-ca-cert",
-						IsCA:       true,
-						SecretName: "test-ca-cert",
+						CommonName:  "test-ca-cert",
+						Duration:    &metav1.Duration{Duration: 8760 * time.Hour},
+						RenewBefore: &metav1.Duration{Duration: 2400 * time.Hour},
+						IsCA:        true,
+						SecretName:  "test-ca-cert",
 						IssuerRef: cmmetav1.ObjectReference{
 							Name: "test-self-signed-issuer",
 							Kind: "Issuer",

@@ -5,6 +5,7 @@ package targetallocator
 
 import (
 	"fmt"
+	"time"
 
 	cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
@@ -28,6 +29,15 @@ func CACertificate(params Params) *cmv1.Certificate {
 		Spec: cmv1.CertificateSpec{
 			IsCA:       true,
 			CommonName: naming.CACertificate(params.TargetAllocator.Name),
+			// Set CA certificate to 1 year (much longer than the default 90-day duration of client/server certs)
+			// to prevent renewal race conditions where client and server certificates might be signed by different
+			// CA versions during simultaneous renewal. This ensures the CA remains stable while dependent certificates renew.
+			Duration: &metav1.Duration{Duration: 8760 * time.Hour}, // 1 year
+			// Set renewBefore to 100 days (longer than the 90-day client/server cert duration) to ensure:
+			// 1. CA renewal doesn't coincide with client/server renewal cycles (which occur every ~60 days at the 2/3 point of their 90-day lifetime)
+			// 2. The CA always has sufficient remaining validity (≥100 days) to safely issue client/server certificates with 90-day lifetimes
+			// 3. Client/server certificates can never outlive the CA certificate that signed them
+			RenewBefore: &metav1.Duration{Duration: 2400 * time.Hour}, // 100 days
 			Subject: &cmv1.X509Subject{
 				OrganizationalUnits: []string{"opentelemetry-operator"},
 			},

@@ -5,6 +5,7 @@ package targetallocator
 
 import (
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -83,6 +84,12 @@ func TestCACertificate(t *testing.T) {
 			assert.Equal(t, "Issuer", caCert.Spec.IssuerRef.Kind)
 			assert.Equal(t, []string{"opentelemetry-operator"}, caCert.Spec.Subject.OrganizationalUnits)
 			assert.Equal(t, tt.expectedLabels, caCert.Labels)
+			// Verify CA certificate has 1 year duration to prevent renewal race conditions
+			assert.NotNil(t, caCert.Spec.Duration)
+			assert.Equal(t, 8760*time.Hour, caCert.Spec.Duration.Duration)
+			// Verify CA certificate renewBefore is set to 100 days (longer than client/server cert duration)
+			assert.NotNil(t, caCert.Spec.RenewBefore)
+			assert.Equal(t, 2400*time.Hour, caCert.Spec.RenewBefore.Duration)
 		})
 	}
 }