cnpg: bump webhook-cert renewal threshold 7d -> 30d

Root cause of the recurring 'cnpg-webhook-cert' TLS expiry warn: CNPG default 'expiringCheckThreshold = 7' means the operator only regenerates the self-signed webhook cert when remaining lifetime drops BELOW 7 days. Our cluster-health check #22 alerts at <30d. Result: ~23 days of WARN before CNPG would even attempt rotation. Set EXPIRING_CHECK_THRESHOLD=30 via the chart's config.data map so the operator now regenerates with 30d buffer, aligning with our monitoring threshold. Cert lifetime stays at chart default 90d. Verified after apply: operator runtime config shows 'expiringCheckThreshold:30'. Companion in-session action: deleted the existing soon-to-expire secret and bounced the operator to force an immediate fresh 90-day cert (notBefore=May 22, notAfter=Aug 20).
2026-05-22 15:00:41 +00:00 · 2026-05-22 15:00:41 +00:00 · c11ac7d486
commit c11ac7d486
parent 96f9db0b13
1 changed files with 10 additions and 0 deletions
--- a/stacks/cnpg/modules/cnpg/main.tf
+++ b/stacks/cnpg/modules/cnpg/main.tf
@ -47,6 +47,16 @@ resource "helm_release" "cnpg" {
        memory = "256Mi"
      }
    }
+
+    # Tune webhook-cert renewal threshold. CNPG default is 7 days remaining,
+    # which leaves no buffer when the cluster-health check (#22) flags
+    # certs at <30d. Bump to 30 days so the operator rotates well before
+    # external monitoring notices. Cert lifetime stays at chart default 90d.
+    config = {
+      data = {
+        EXPIRING_CHECK_THRESHOLD = "30"
+      }
+    }
  })]
 }