Sometimes kcm deletes and re-creates all certificate Secrets

[whereisaaron]

Every now and them 'kcm' goes a little crazy. It decides that all Secrets are currently unused and deletes them all! Then on the next cycle it realizes that are still in use, and issues/downloads all the certificates again.

I am not sure what the trigger is. I wondered if it get an error from the proxy/API and treating is as an empty list of Ingresses using the certificates.

It is quite disruptive, as it takes down all services for several minutes. (Since they have no certificate for a time.)

...
2017/12/23 07:02:48 Deleting unused secret foo.example.com in namespace default
2017/12/23 07:02:48 Deleting unused secret bar.example.com in namespace default
2017/12/23 07:02:48 Deleting unused secret baz.example.com in namespace default
...
2017/12/23 07:05:49 Creating ACME client for route53 provider for foo.example.com
2017/12/23 07:05:49 Creating ACME client for route53 provider for bar.example.com
2017/12/23 07:05:49 Creating ACME client for route53 provider for baz.example.com
...
2017/12/23 07:05:50 [INFO][foo.example.com] acme: Obtaining bundled SAN certificate
2017/12/23 07:05:50 [INFO][bar.example.com] acme: Obtaining bundled SAN certificate
2017/12/23 07:05:50 [INFO][baz.example.com] acme: Obtaining bundled SAN certificate
...