Control the start of event reporting for expiring certificates (#2232)

allanrogerr · web-flow · commit 2c72c36b6b30 · 2024-07-23T13:36:11.000Z
diff --git a/examples/kustomization/base/tenant.yaml b/examples/kustomization/base/tenant.yaml
@@ -224,6 +224,9 @@ spec:
   ## Enable automatic Kubernetes based certificate generation and signing as explained in
   ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
   requestAutoCert: true
+  # The minimum number of days to expiry before an alert for an expiring certificate is fired.
+  # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry
+  # certExpiryAlertThreshold: 1
   ## Prometheus setup for MinIO Tenant.
   #  prometheus:
   #    image: "" # defaults to quay.io/prometheus/prometheus:RELEASE.2024-07-16T23-46-41Z
diff --git a/helm/operator/templates/minio.min.io_tenants.yaml b/helm/operator/templates/minio.min.io_tenants.yaml
@@ -875,6 +875,9 @@ spec:
                       type: string
                     type: array
                 type: object
+              certExpiryAlertThreshold:
+                format: int32
+                type: integer
               configuration:
                 properties:
                   name:
diff --git a/helm/tenant/templates/tenant.yaml b/helm/tenant/templates/tenant.yaml
@@ -94,6 +94,9 @@ spec:
   externalCertSecret: {{- toYaml . | nindent 6 }}
   {{- end }}
   requestAutoCert: {{ dig "certificate" "requestAutoCert" false . }}
+  {{- if ((.certificate).certExpiryAlertThreshold) }}
+  certExpiryAlertThreshold: {{ ((.certificate).certExpiryAlertThreshold) }}
+  {{- end }}
   {{- if dig "s3" "bucketDNS" false . }}
     {{- fail "Value 'tenant.s3.bucketDNS' is deprecated since Operator v4.3.2, use 'tenant.features.bucketDNS' instead" }}
   {{- end }}
diff --git a/helm/tenant/values.yaml b/helm/tenant/values.yaml
@@ -268,6 +268,10 @@ tenant:
     # Enable automatic Kubernetes based `certificate generation and signing <https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster>`__
     requestAutoCert: true
     ###
+    # The minimum number of days to expiry before an alert for an expiring certificate is fired.
+    # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry
+    # certExpiryAlertThreshold: 1
+    ###
     # This field is used only when ``requestAutoCert: true``.
     # Use this field to set CommonName for the auto-generated certificate. 
     # MinIO defaults to using the internal Kubernetes DNS name for the pod
diff --git a/pkg/apis/minio.min.io/v2/types.go b/pkg/apis/minio.min.io/v2/types.go
@@ -235,6 +235,10 @@ type TenantSpec struct {
 	// +optional
 	RequestAutoCert *bool `json:"requestAutoCert,omitempty"`
 
+	// CertExpiryAlertThreshold is the minimum number of days to expiry before an alert for an expiring certificate is fired.
+	// +optional
+	CertExpiryAlertThreshold *int32 `json:"certExpiryAlertThreshold,omitempty"`
+
 	// Liveness Probe for container liveness. Container will be restarted if the probe fails.
 	// +optional
 	Liveness *corev1.Probe `json:"liveness,omitempty"`
diff --git a/pkg/controller/custom.go b/pkg/controller/custom.go
@@ -102,23 +102,27 @@ func (c *Controller) getCustomCertificates(ctx context.Context, tenant *miniov2.
 				}
 				// Register event in case of certificate expiring
 				expiresIn := time.Until(cert.NotAfter)
-				expiresInDays := int64(expiresIn.Hours() / 24)
+				expiresInDays := int32(expiresIn.Hours() / 24)
 				expiresInHours := int64(math.Mod(expiresIn.Hours(), 24))
 				expiresInMinutes := int64(math.Mod(expiresIn.Minutes(), 60))
 				expiresInSeconds := int64(math.Mod(expiresIn.Seconds(), 60))
 				expiresInHuman := fmt.Sprintf("%v days, %v hours, %v minutes, %v seconds", expiresInDays, expiresInHours, expiresInMinutes, expiresInSeconds)
 
-				if expiresInDays >= 10 && expiresInDays < 30 {
-					c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpiring", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
-				}
-				if expiresInDays > 0 && expiresInDays < 10 {
-					c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpiryImminent", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
+				if tenant.Spec.CertExpiryAlertThreshold == nil || expiresInDays < *tenant.Spec.CertExpiryAlertThreshold {
+					if expiresInDays >= 10 && expiresInDays < 30 {
+						c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpiring", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
+					}
+					if expiresInDays > 0 && expiresInDays < 10 {
+						c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpiryImminent", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
+					}
+					if expiresIn <= 0 {
+						c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpired", fmt.Sprintf("%s certificate '%s' has expired", certType, secret.Name))
+					}
 				}
 				if expiresIn > 0 && expiresIn < 24*time.Hour {
 					expiresInHuman = fmt.Sprintf("%v hours, %v minutes, and %v seconds", expiresInHours, expiresInMinutes, expiresInSeconds)
 				}
 				if expiresIn <= 0 {
-					c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpired", fmt.Sprintf("%s certificate '%s' has expired", certType, secret.Name))
 					expiresInHuman = "EXPIRED"
 				}
 
diff --git a/resources/base/crds/minio.min.io_tenants.yaml b/resources/base/crds/minio.min.io_tenants.yaml
@@ -875,6 +875,9 @@ spec:
                       type: string
                     type: array
                 type: object
+              certExpiryAlertThreshold:
+                format: int32
+                type: integer
               configuration:
                 properties:
                   name:
