From c11ac7d486ec5cfbcc33b2b5862766b8612bf6b7 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 22 May 2026 15:00:41 +0000
Subject: [PATCH] cnpg: bump webhook-cert renewal threshold 7d -> 30d

Root cause of the recurring 'cnpg-webhook-cert' TLS expiry warn: CNPG default 'expiringCheckThreshold = 7' means the operator only regenerates the self-signed webhook cert when remaining lifetime drops BELOW 7 days. Our cluster-health check #22 alerts at <30d. Result: ~23 days of WARN before CNPG would even attempt rotation. Set EXPIRING_CHECK_THRESHOLD=30 via the chart's config.data map so the operator now regenerates with 30d buffer, aligning with our monitoring threshold. Cert lifetime stays at chart default 90d. Verified after apply: operator runtime config shows 'expiringCheckThreshold:30'. Companion in-session action: deleted the existing soon-to-expire secret and bounced the operator to force an immediate fresh 90-day cert (notBefore=May 22, notAfter=Aug 20).

---
 stacks/cnpg/modules/cnpg/main.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/stacks/cnpg/modules/cnpg/main.tf b/stacks/cnpg/modules/cnpg/main.tf
index 8f16262f..c6b9a595 100644
--- a/stacks/cnpg/modules/cnpg/main.tf
+++ b/stacks/cnpg/modules/cnpg/main.tf
@@ -47,6 +47,16 @@ resource "helm_release" "cnpg" {
 memory = "256Mi"
 }
 }
+
+ # Tune webhook-cert renewal threshold. CNPG default is 7 days remaining,
+ # which leaves no buffer when the cluster-health check (#22) flags
+ # certs at <30d. Bump to 30 days so the operator rotates well before
+ # external monitoring notices. Cert lifetime stays at chart default 90d.
+ config = {
+ data = {
+ EXPIRING_CHECK_THRESHOLD = "30"
+ }
+ }
 })]
 }
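Review bot: The new comment pins the renewal threshold at 30 days but leaves the two values it must stay consistent with implicit: the certificate lifetime (the commit relies on the chart default of 90 days, which in CNPG's operator config is, as far as I recall, `CERTIFICATE_DURATION`) and the #22 alert cut-off. If the lifetime is later shortened to 30 days or less, the operator would presumably treat every freshly issued cert as already expiring and rotate on each check, and if the #22 threshold is raised above 30 days the WARN gap this commit closes reappears; neither ordering is documented next to the value. I would add one line to the comment block, `# Invariant: #22 alert threshold <= EXPIRING_CHECK_THRESHOLD < certificate lifetime (chart default 90d).`, and consider setting the lifetime explicitly in the same `data` map so both halves of the pair are visible in one place rather than one being a chart default. The enclosing `helm_release` resource and its `jsonencode` values block begin before this hunk.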