The certificate file of cert-manager is mounted on the nginx volume and is being used.
e.g. nginx deploy.yaml:
volumes:
- name: secret-volume
  secret:
    secretName: my.test.app.com
- name: configmap-volume
  configMap:
    name: nginxconfigmap
containers:
- name: nginxhttps
  image: bprashanth/nginxhttps:1.0
  ports:
  - containerPort: 443
  - containerPort: 80
  volumeMounts:
  - mountPath: /etc/nginx/ssl
    name: secret-volume
  - mountPath: /etc/nginx/conf.d
    name: configmap-volume
and my nginx.conf file in
ssl_certificate /etc/nginx/ssl/tls.crt;
ssl_certificate_key /etc/nginx/ssl/tls.key;
And it's working very well. In addition, the certificate is smoothly reissued by cert-manager.
However, because the reissued certificate file is not updated in the nginx container, it is said that the certificate has expired when accessed from a browser.
There is no problem if I force restart the pod, but I want to automate it.
I wonder if there is a way to automatically renew the certificate without restarting the pod forcibly.
Not sure whether the certificate is for your specific application using Nginx or for the main Nginx ingress which is handling the whole traffic of your cluster.
If it is the main Nginx which is handling the whole traffic of your cluster, you can create the ingress and add the cert-manager integration there.
Cert-manager will manage the certificate and save it inside the secret, and the ingress will use that secret at run time. Whenever the certificate gets renewed, the secret content will get updated while the ingress will be using the same secret name.
In the above scenario there is no pod restart required.
If you want to read and check the whole example, please refer to: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes
In the above example, Nginx will run without having any certificate in a volume, while it will use the certificate stored in the secret.
For a YAML example of the issuer and ingress, please check: https://stackoverflow.com/a/67184948/5525824
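
The Ingress setup the answer above describes, sketched as an added example that is not part of the original answer or the linked posts. The issuer name `letsencrypt-prod`, the Service name `nginx-svc`, the ingress class `nginx` and the use of `my.test.app.com` as the host (taken from the question's secret name) are assumptions.

```yaml
# Added example. Hypothetical names: ClusterIssuer "letsencrypt-prod",
# Service "nginx-svc", ingress class "nginx"; host assumed from the secret name.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-test-app
  annotations:
    # cert-manager's ingress-shim reads this annotation and creates a
    # Certificate resource for each entry under spec.tls.
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - my.test.app.com
    # cert-manager stores tls.crt / tls.key in this Secret and rewrites them
    # on renewal. The ingress controller watches the Secret and serves the
    # renewed certificate without a restart of the application pods.
    secretName: my.test.app.com
  rules:
  - host: my.test.app.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            # TLS terminates at the ingress, so the backend nginx pod only
            # needs its plain HTTP port and no secret volume mount.
            name: nginx-svc
            port:
              number: 80
```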