Self-generated certificate expiration based on operator start time #2137

@dgloe-hpe

Description

Report

If cert-manager isn't available, the operator generates its own certificates. The expiration date of the generated certificates is based on when the operator was started, not the time when the certificate is generated. This means that if the operator has been running a long time, the certificates will expire much sooner than expected.

More about the problem

I believe this is because in pkg/pxctls/pxctls.go, validityNotAfter is set globally once, not each time when a certificate is generated.

Steps to reproduce

  1. Install the PXC operator on a cluster without cert-manager available
  2. Wait for a long time (a day at least)
  3. Follow https://docs.percona.com/percona-operator-for-mysql/pxc/TLS.html#update-certificates-with-downtime to regenerate certificates
  4. Check the certificate expiration time; it will be sooner than expected

Versions

  1. Kubernetes 1.21.12
  2. Operator 1.11.0
  3. Database 8.0.27-18.1

Anything else?

No response
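The report above attributes the short lifetimes to a package-level expiry computed once at start-up. The following Go program is an added illustration of that pattern and its fix; it is not the operator's own code from pkg/pxctls/pxctls.go. The identifiers (`ProcessStart`, `BuggyNotAfter`, `FixedNotAfter`), the one-year validity period and the 200-day gap before regeneration are all constructed for the example. It generates a real self-signed certificate under each policy and reads the encoded `NotAfter` back, so the difference is observable in the certificate itself rather than in a variable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidityPeriod is the intended lifetime of each generated certificate.
// Constructed value for this example; the operator's real period is not stated in the issue.
const ValidityPeriod = 365 * 24 * time.Hour

// ProcessStart stands in for the moment the operator process started. Package-level
// variables are initialised exactly once, when the binary starts, which is the
// mechanism the report describes. Truncated to seconds because X.509 time fields
// carry second precision, so comparisons below stay exact.
var ProcessStart = time.Now().UTC().Truncate(time.Second)

// validityNotAfter is the problematic pattern: the expiry is computed once at
// start-up and reused for every certificate generated afterwards.
var validityNotAfter = ProcessStart.Add(ValidityPeriod)

// BuggyNotAfter ignores the generation time and returns the start-up-relative expiry.
func BuggyNotAfter(_ time.Time) time.Time { return validityNotAfter }

// FixedNotAfter derives the expiry from the time the certificate is actually generated.
func FixedNotAfter(generatedAt time.Time) time.Time { return generatedAt.Add(ValidityPeriod) }

// generateSelfSigned builds a self-signed CA certificate whose NotAfter comes from the
// supplied policy, then parses it back so we inspect what was really encoded.
func generateSelfSigned(generatedAt time.Time, notAfter func(time.Time) time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-operator-ca"}, // constructed name
		NotBefore:             generatedAt,
		NotAfter:              notAfter(generatedAt),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RemainingValidity generates a certificate at generatedAt under the given expiry
// policy and reports how long the encoded certificate is valid from that moment.
func RemainingValidity(generatedAt time.Time, notAfter func(time.Time) time.Time) (time.Duration, error) {
	cert, err := generateSelfSigned(generatedAt, notAfter)
	if err != nil {
		return 0, err
	}
	return cert.NotAfter.Sub(generatedAt), nil
}

func main() {
	// Simulate regenerating certificates 200 days after the operator started.
	later := ProcessStart.Add(200 * 24 * time.Hour)
	policies := []struct {
		name string
		fn   func(time.Time) time.Time
	}{
		{"start-time based", BuggyNotAfter},
		{"generation-time based", FixedNotAfter},
	}
	for _, p := range policies {
		d, err := RemainingValidity(later, p.fn)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s certificate valid for %.0f days after regeneration\n", p.name, d.Hours()/24)
	}
}
```

Under the start-time policy the regenerated certificate is valid for only 165 of the intended 365 days, and an operator that has run longer than the validity period would emit certificates that are already expired. The fix is simply to evaluate the expiry inside the generation routine, as `FixedNotAfter` does, rather than once at package initialisation.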
