Before() function , that we are using here, compares if a time has happened before the time provided as the argument and returns false if both times are equal.

We need to trigger cert rotation before/equals/close to actual cert expiration. For that we can compare expiryTime with nextRun using Sub() function.

Also, we came across with a case while rotating root cert every month, helm chart calculated the cronStr as 0 0 */23 * * (i.e. cron gets executed every 1st and 23rd day of the month). Our certificate didn't get rotated and was due expiration on 7th day of the month. Rotation didn't happen by the cronjob that ran on the 1st day of the month and the next run is in 23 days while the certificate is expiring in 6 days. So, to avoid this issue, we should also calculate if the cert is expiring before next-to-next cronjob run.

Jira issue: HELM-28