Support disabling certificate checks for frequently rotated certificates #1791

Closed
bephinix opened this issue Sep 27, 2023 · 1 comment · Fixed by #2232
Labels
community enhancement New feature or request

@bephinix

Is your feature request related to a problem? Please describe.

We are currently using Hashicorp Vault with Cert-Manager to create, manage and rotate certificates which are used for the external ingress to our minio clusters.
Due to a policy, these certificates are only valid for 7 days.
Unfortunately, it is not possible to disable the events created by the minio operator: `Minio certificate 'my-minio-cert' is expiring in 6 days`.
Therefore the operator will spam these events although this is intended behaviour.

Describe the solution you'd like

Either on operator-level or tenant-level there should be an option to disable these checks and/or to set a custom threshold (e.g. 1 day).

Describe alternatives you've considered

As it is currently hardcoded, there are no alternative solutions:

```go
if expiresInDays >= 10 && expiresInDays < 30 {
	c.RegisterEvent(ctx, tenant, corev1.EventTypeWarning, "CertificateExpiring", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
}
if expiresInDays > 0 && expiresInDays < 10 {
	c.RegisterEvent(ctx, tenant, corev1.EventTypeWarning, "CertificateExpiryImminent", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
}
if expiresInDays > 0 && expiresInDays < 1 {
	expiresInHuman = fmt.Sprintf("%v hours, %v minutes, and %v seconds", expiresInHours, expiresInMinutes, expiresInSeconds)
}
if expiresInDays <= 0 {
	c.RegisterEvent(ctx, tenant, corev1.EventTypeWarning, "CertificateExpired", fmt.Sprintf("%s certificate '%s' has expired", certType, secret.Name))
	expiresInHuman = "EXPIRED"
}
```

Additional context

Hashicorp Vault recommends issuing short-lived certificates using their PKI mount:
https://developer.hashicorp.com/vault/tutorials/secrets-management/pki-engine
This works fine for other services, e.g. Traefik Ingress etc.

@jiuker added the enhancement (New feature or request) label and removed the triage label on Oct 7, 2023
@cesnietor
Contributor

We'll consider adding min and max expiration values. Minimum would be 1. @allanrogerr
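
The configurable thresholds requested in the issue, with the minimum of 1 suggested in the reply, sketched as an added example (not code from the MinIO operator or from the fix in #2232). The `ExpiryPolicy` type, its field names, `DefaultPolicy` and `ExpiryReason` are hypothetical, and reporting `CertificateExpired` even when warnings are disabled is a choice made for this example so that a failed rotation stays visible.

```go
package main

import (
	"fmt"
	"time"
)

// ExpiryPolicy is a hypothetical per-tenant setting (names are assumptions).
type ExpiryPolicy struct {
	Disabled     bool // suppress pre-expiry warnings only
	WarnDays     int  // CertificateExpiring below this many days
	ImminentDays int  // CertificateExpiryImminent below this many days
}

// DefaultPolicy mirrors the hardcoded 30/10 day thresholds quoted in the issue.
var DefaultPolicy = ExpiryPolicy{WarnDays: 30, ImminentDays: 10}

// ExpiryReason returns the event reason to emit, or "" for no event.
func ExpiryReason(notAfter, now time.Time, p ExpiryPolicy) string {
	remaining := notAfter.Sub(now)
	if remaining <= 0 {
		// Reported even when Disabled: an expired certificate means rotation failed.
		return "CertificateExpired"
	}
	if p.Disabled {
		return ""
	}
	if p.ImminentDays < 1 { // floor of 1 day, as suggested in the reply
		p.ImminentDays = 1
	}
	if p.WarnDays < p.ImminentDays {
		p.WarnDays = p.ImminentDays
	}
	switch days := int(remaining.Hours() / 24); {
	case days < p.ImminentDays:
		return "CertificateExpiryImminent"
	case days < p.WarnDays:
		return "CertificateExpiring"
	}
	return ""
}

func main() {
	now := time.Date(2023, 9, 27, 0, 0, 0, 0, time.UTC) // constructed sample time
	notAfter := now.Add(6 * 24 * time.Hour)             // 7-day cert, 6 days left
	fmt.Printf("default: %q\n", ExpiryReason(notAfter, now, DefaultPolicy))
	fmt.Printf("custom:  %q\n", ExpiryReason(notAfter, now, ExpiryPolicy{WarnDays: 2, ImminentDays: 1}))
}
```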
