Add configuration field for alerting days (#176)

* make alerting days configurable * Update charts/internal/shoot-cert-management-seed/templates/configmap-observability.yaml Co-authored-by: Johannes Scheerer <johannes.scheerer@sap.com> * Update docs/usage/alerting.md Co-authored-by: Johannes Scheerer <johannes.scheerer@sap.com> * allow to disable alerting --------- Co-authored-by: Johannes Scheerer <johannes.scheerer@sap.com>
gardener · Jul 24, 2023 · e983c58 · e983c58
1 parent e8223ff
commit e983c58
Show file tree

Hide file tree

Showing 10 changed files with 193 additions and 2 deletions.
diff --git a/charts/internal/shoot-cert-management-seed/templates/configmap-observability.yaml b/charts/internal/shoot-cert-management-seed/templates/configmap-observability.yaml
@@ -30,6 +30,7 @@ data:
         regex: ^(cert_management_.+)$
         action: keep
 
+{{- if gt .Values.configuration.certExpirationAlertDays 0.0 }}
   alerting_rules: |
     cert-controller-manager.rules.yaml: |
       groups:
@@ -44,8 +45,9 @@ data:
             type: seed
             visibility: operator
           annotations:
-            description: Certificate in namespace {{ .Release.Namespace }} will be expired less than {{ .Values.configuration.certExpirationAlertDays }} days.
-            summary: SSL certificate will expire less than {{ .Values.configuration.certExpirationAlertDays }} days
+            description: Certificate in namespace {{ .Release.Namespace }} will expire in less than {{ .Values.configuration.certExpirationAlertDays }} days.
+            summary: TLS certificate will expire in less than {{ .Values.configuration.certExpirationAlertDays }} days
+{{- end }}
 
   dashboard_operators: |
     cert-controller-manager-dashboard.json: |-

diff --git a/docs/usage/alerting.md b/docs/usage/alerting.md
@@ -0,0 +1,33 @@
+---
+title: Changing alerting settings
+level: beginner
+category: Networking
+scope: operator
+publishdate: 2023-07-20
+tags: ["task"]
+description: How to change the alerting on expiring certificates
+---
+
+# Changing alerting settings
+
+Certificates are normally renewed automatically 30 days before they expire.
+As a second line of defense, there is an alerting in Prometheus activated if the certificate is a few days
+before expiration. By default, the alert is triggered 15 days before expiration.
+
+You can configure the days in the `providerConfig` of the extension.
+Setting it to 0 disables the alerting.
+
+In this example, the days are changed to 3 days before expiration.
+
+```yaml
+kind: Shoot
+...
+spec:
+  extensions:
+  - type: shoot-cert-service
+    providerConfig:
+      apiVersion: service.cert.extensions.gardener.cloud/v1alpha1
+      kind: CertConfig
+      alerting:
+        certExpirationAlertDays: 3
+```
diff --git a/example/30-extension.yaml b/example/30-extension.yaml
@@ -39,3 +39,6 @@ spec:
     #  enabled: false
 
     #precheckNameservers: "10.0.0.53,10.123.56.53,8.8.8.8" # optional comma separated list of DNS server IP addresses if public DNS servers are not sufficient for prechecking DNS challenges
+
+    #alerting:
+    #  certExpirationAlertDays: 13
diff --git a/hack/api-reference/service.md b/hack/api-reference/service.md
@@ -98,6 +98,20 @@ string
 challenge before calling ACME CA. Please consider to specify nameservers per issuer instead.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>alerting</code></br>
+<em>
+<a href="#service.cert.extensions.gardener.cloud/v1alpha1.Alerting">
+Alerting
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Alerting contains configuration for alerting of certificate expiration.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="service.cert.extensions.gardener.cloud/v1alpha1.ACMEExternalAccountBinding">ACMEExternalAccountBinding
@@ -144,6 +158,37 @@ encoded data.</p>
 </tr>
 </tbody>
 </table>
+<h3 id="service.cert.extensions.gardener.cloud/v1alpha1.Alerting">Alerting
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#service.cert.extensions.gardener.cloud/v1alpha1.CertConfig">CertConfig</a>)
+</p>
+<p>
+<p>Alerting contains configuration for alerting of certificate expiration.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>certExpirationAlertDays</code></br>
+<em>
+int
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertExpirationAlertDays are the number of days before the certificate expiration date an alert is triggered.</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="service.cert.extensions.gardener.cloud/v1alpha1.DNSChallengeOnShoot">DNSChallengeOnShoot
 </h3>
 <p>

diff --git a/pkg/apis/service/types.go b/pkg/apis/service/types.go
@@ -38,6 +38,15 @@ type CertConfig struct {
 	// PrecheckNameservers is used to specify a comma-separated list of DNS servers for checking availability for DNS
 	// challenge before calling ACME CA. Please consider to specify nameservers per issuer instead.
 	PrecheckNameservers *string
+
+	// Alerting contains configuration for alerting of certificate expiration.
+	Alerting *Alerting
+}
+
+// Alerting contains configuration for alerting of certificate expiration.
+type Alerting struct {
+	// CertExpirationAlertDays are the number of days before the certificate expiration date an alert is triggered.
+	CertExpirationAlertDays *int
 }
 
 // IssuerConfig contains information for certificate issuers.

diff --git a/pkg/apis/service/v1alpha1/types.go b/pkg/apis/service/v1alpha1/types.go
@@ -63,6 +63,17 @@ type CertConfig struct {
 	// challenge before calling ACME CA. Please consider to specify nameservers per issuer instead.
 	// +optional
 	PrecheckNameservers *string `json:"precheckNameservers,omitempty"`
+
+	// Alerting contains configuration for alerting of certificate expiration.
+	// +optional
+	Alerting *Alerting `json:"alerting,omitempty"`
+}
+
+// Alerting contains configuration for alerting of certificate expiration.
+type Alerting struct {
+	// CertExpirationAlertDays are the number of days before the certificate expiration date an alert is triggered.
+	// +optional
+	CertExpirationAlertDays *int `json:"certExpirationAlertDays,omitempty"`
 }
 
 // IssuerConfig contains information for certificate issuers.

diff --git a/pkg/apis/service/v1alpha1/zz_generated.conversion.go b/pkg/apis/service/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/service/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/service/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/service/zz_generated.deepcopy.go b/pkg/apis/service/zz_generated.deepcopy.go
diff --git a/pkg/controller/actuator.go b/pkg/controller/actuator.go
@@ -303,6 +303,10 @@ func (a *actuator) createSeedResources(ctx context.Context, certConfig *service.
 		cfg["deactivateAuthorizations"] = *a.serviceConfig.ACME.DeactivateAuthorizations
 	}
 
+	if certConfig.Alerting != nil && certConfig.Alerting.CertExpirationAlertDays != nil {
+		cfg["certExpirationAlertDays"] = *certConfig.Alerting.CertExpirationAlertDays
+	}
+
 	certManagementConfig, err = chart.InjectImages(certManagementConfig, imagevector.ImageVector(), []string{v1alpha1.CertManagementImageName})
 	if err != nil {
 		return fmt.Errorf("failed to find image version for %s: %v", v1alpha1.CertManagementImageName, err)