Expiry alert firing before cert lifecycle #180

Description

@Filipcsupka
  • There is a PrometheusRule created and managed by the operator that uses the default expr: cert:time_to_expiration:sec / cert:validity_duration:sec < 0.15
    This works, but it fires before the real lifecycle (set or managed by a different operator, for example) can take place, which results in a "false" alert.

cert:time_to_expiration:sec / cert:validity_duration:sec < 0.15 could give a very different result considering 1y or 3 months.

I haven't found a way to adjust the alert; if that's true, could we ask for this to be editable?

Problem
cert-utils-operator ships a PrometheusRule named cert-utils-operator-certificate-rule-alerts.
The CertificateApproachingExpiration rule fires when

cert:time_to_expiration:sec / cert:validity_duration:sec < 0.15

For certificates rotated automatically by other operators (e.g. Mariadb-operator webhooks) this triggers well before it's renewed.

Request
Option A — expose the threshold as a configurable field/annotation so cluster admins can align it with their rotation window.

Impact if unchanged
Persistent warning alerts every renewal cycle; teams become desensitised and may ignore genuine expiration problems.
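
The gap described in this report, worked through as an added example that is not part of the original issue or the operator's code: it evaluates the quoted ratio expression against certificates of different validity and reports how long the alert fires before a scheduled rotation. The `renew_before_sec` lead times and the three sample certificates are constructed assumptions.

```python
# Added illustration; validity periods and renewal lead times are constructed.
from dataclasses import dataclass

DAY = 86400
DEFAULT_RATIO = 0.15  # threshold from the rule expression quoted in the issue


@dataclass(frozen=True)
class Cert:
    name: str
    validity_sec: int      # corresponds to cert:validity_duration:sec
    renew_before_sec: int  # assumed: remaining lifetime at which another operator rotates


def alert_fires(time_to_expiration_sec, validity_sec, ratio=DEFAULT_RATIO):
    """Evaluate the rule expression for one sample."""
    return time_to_expiration_sec / validity_sec < ratio


def false_alert_window_sec(cert, ratio=DEFAULT_RATIO):
    """Seconds per cycle in which the alert fires while rotation is still pending."""
    alert_starts_at = ratio * cert.validity_sec  # remaining lifetime at threshold crossing
    return max(0.0, alert_starts_at - cert.renew_before_sec)


def max_quiet_ratio(cert):
    """Largest threshold that stays silent until the scheduled rotation is missed."""
    return cert.renew_before_sec / cert.validity_sec


CERTS = [
    Cert("one-year, rotated 30d before expiry", 365 * DAY, 30 * DAY),
    Cert("three-month, rotated 30d before expiry", 90 * DAY, 30 * DAY),
    Cert("three-month, rotated 7d before expiry", 90 * DAY, 7 * DAY),
]

if __name__ == "__main__":
    for c in CERTS:
        print(f"{c.name}: alert starts {DEFAULT_RATIO * c.validity_sec / DAY:.2f}d "
              f"before expiry, false-alert window {false_alert_window_sec(c) / DAY:.2f}d, "
              f"quiet threshold <= {max_quiet_ratio(c):.3f}")
```

A threshold at or below `max_quiet_ratio` only fires once the expected rotation has not happened, which is the alignment Option A asks to make configurable.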
