Skip to content

Commit

Permalink
Control the start of event reporting for expiring certificates
Browse files Browse the repository at this point in the history
  • Loading branch information
allanrogerr committed Jul 22, 2024
1 parent b035a91 commit 8362bfe
Show file tree
Hide file tree
Showing 7 changed files with 31 additions and 7 deletions.
3 changes: 3 additions & 0 deletions examples/kustomization/base/tenant.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,9 @@ spec:
## Enable automatic Kubernetes based certificate generation and signing as explained in
## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
requestAutoCert: true
# The minimum number of days to expiry before an alert for an expiring certificate is fired.
# In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry
# certExpiryAlertThreshold: 1
## Prometheus setup for MinIO Tenant.
# prometheus:
# image: "" # defaults to quay.io/prometheus/prometheus:RELEASE.2024-07-11T18-01-28Z
Expand Down
3 changes: 3 additions & 0 deletions helm/operator/templates/minio.min.io_tenants.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -875,6 +875,9 @@ spec:
type: string
type: array
type: object
certExpiryAlertThreshold:
format: int32
type: integer
configuration:
properties:
name:
Expand Down
3 changes: 3 additions & 0 deletions helm/tenant/templates/tenant.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,9 @@ spec:
externalCertSecret: {{- toYaml . | nindent 6 }}
{{- end }}
requestAutoCert: {{ dig "certificate" "requestAutoCert" false . }}
{{- if ((.certificate).certExpiryAlertThreshold) }}
certExpiryAlertThreshold: {{ ((.certificate).certExpiryAlertThreshold) }}
{{- end }}
{{- if dig "s3" "bucketDNS" false . }}
{{- fail "Value 'tenant.s3.bucketDNS' is deprecated since Operator v4.3.2, use 'tenant.features.bucketDNS' instead" }}
{{- end }}
Expand Down
4 changes: 4 additions & 0 deletions helm/tenant/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,10 @@ tenant:
# Enable automatic Kubernetes based `certificate generation and signing <https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster>`__
requestAutoCert: true
###
# The minimum number of days to expiry before an alert for an expiring certificate is fired.
# In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry
# certExpiryAlertThreshold: 1
###
# This field is used only when ``requestAutoCert: true``.
# Use this field to set CommonName for the auto-generated certificate.
# MinIO defaults to using the internal Kubernetes DNS name for the pod
Expand Down
4 changes: 4 additions & 0 deletions pkg/apis/minio.min.io/v2/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -235,6 +235,10 @@ type TenantSpec struct {
// +optional
RequestAutoCert *bool `json:"requestAutoCert,omitempty"`

// CertExpiryAlertThreshold is the minimum number of days to expiry before an alert for an expiring certificate is fired.
// +optional
CertExpiryAlertThreshold *int32 `json:"certExpiryAlertThreshold,omitempty"`

// Liveness Probe for container liveness. Container will be restarted if the probe fails.
// +optional
Liveness *corev1.Probe `json:"liveness,omitempty"`
Expand Down
18 changes: 11 additions & 7 deletions pkg/controller/custom.go
Original file line number Diff line number Diff line change
Expand Up @@ -102,23 +102,27 @@ func (c *Controller) getCustomCertificates(ctx context.Context, tenant *miniov2.
}
// Register event in case of certificate expiring
expiresIn := time.Until(cert.NotAfter)
expiresInDays := int64(expiresIn.Hours() / 24)
expiresInDays := int32(expiresIn.Hours() / 24)
expiresInHours := int64(math.Mod(expiresIn.Hours(), 24))
expiresInMinutes := int64(math.Mod(expiresIn.Minutes(), 60))
expiresInSeconds := int64(math.Mod(expiresIn.Seconds(), 60))
expiresInHuman := fmt.Sprintf("%v days, %v hours, %v minutes, %v seconds", expiresInDays, expiresInHours, expiresInMinutes, expiresInSeconds)

if expiresInDays >= 10 && expiresInDays < 30 {
c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpiring", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
}
if expiresInDays > 0 && expiresInDays < 10 {
c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpiryImminent", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
if tenant.Spec.CertExpiryAlertThreshold == nil || expiresInDays < *tenant.Spec.CertExpiryAlertThreshold {
if expiresInDays >= 10 && expiresInDays < 30 {
c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpiring", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
}
if expiresInDays > 0 && expiresInDays < 10 {
c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpiryImminent", fmt.Sprintf("%s certificate '%s' is expiring in %d days", certType, secret.Name, expiresInDays))
}
if expiresIn <= 0 {
c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpired", fmt.Sprintf("%s certificate '%s' has expired", certType, secret.Name))
}
}
if expiresIn > 0 && expiresIn < 24*time.Hour {
expiresInHuman = fmt.Sprintf("%v hours, %v minutes, and %v seconds", expiresInHours, expiresInMinutes, expiresInSeconds)
}
if expiresIn <= 0 {
c.recorder.Event(tenant, corev1.EventTypeWarning, "CertificateExpired", fmt.Sprintf("%s certificate '%s' has expired", certType, secret.Name))
expiresInHuman = "EXPIRED"
}

Expand Down
3 changes: 3 additions & 0 deletions resources/base/crds/minio.min.io_tenants.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -875,6 +875,9 @@ spec:
type: string
type: array
type: object
certExpiryAlertThreshold:
format: int32
type: integer
configuration:
properties:
name:
Expand Down

0 comments on commit 8362bfe

Please sign in to comment.