fix: reduce TLS certificate duration from 10 years to 1 year

enriqueavindi · enriqueavindi · commit 687b3c4d12d4 · 2026-03-16T11:53:50.000+01:00
- Change certificate duration from 87600h (10y) to 8760h (1y)
- Shorter-lived certificates reduce the attack surface if a private
  key is compromised, following security best practices
- cert-manager will still auto-renew 30 days before expiry
diff --git a/internal/resources/generate_resources_pod_mutating_webhooks.go b/internal/resources/generate_resources_pod_mutating_webhooks.go
@@ -147,10 +147,10 @@ func CreateCertificate(name string, svc corev1.Service) *certmanager.Certificate
 		Spec: certmanager.CertificateSpec{
 			SecretName: name + "-webhook-secret",
 			Duration: &metav1.Duration{
-				Duration: 87600 * time.Hour,
+				Duration: 8760 * time.Hour, // 1 year
 			},
 			RenewBefore: &metav1.Duration{
-				Duration: 720 * time.Hour,
+				Duration: 720 * time.Hour, // 30 days
 			},
 			DNSNames: []string{
 				svc.Name + "." + svc.Namespace + ".svc",
