Root cause of the recurring 'cnpg-webhook-cert' TLS expiry warn: CNPG default 'expiringCheckThreshold = 7' means the operator only regenerates the self-signed webhook cert when remaining lifetime drops BELOW 7 days. Our cluster-health check #22 alerts at <30d. Result: ~23 days of WARN before CNPG would even attempt rotation. Set EXPIRING_CHECK_THRESHOLD=30 via the chart's config.data map so the operator now regenerates with 30d buffer, aligning with our monitoring threshold. Cert lifetime stays at chart default 90d. Verified after apply: operator runtime config shows 'expiringCheckThreshold:30'. Companion in-session action: deleted the existing soon-to-expire secret and bounced the operator to force an immediate fresh 90-day cert (notBefore=May 22, notAfter=Aug 20).

| Name |
|---|
| modules/cnpg |
| main.tf |
| secrets |
| terragrunt.hcl |
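
The threshold mismatch described in the commit message above, as an added example that is not part of the commit or of the CNPG operator: it classifies a certificate against a rotation threshold and an alert threshold using `openssl x509 -checkend`. The function names and the constructed sample certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Thresholds are in days; "rotate" models the operator's
# expiringCheckThreshold, "alert" models the monitoring check's threshold.

# cert_state PEM ROTATE_DAYS ALERT_DAYS
# prints: unreadable | expired | rotate-due | alert-only | ok
cert_state() {
  cs_pem=$1; cs_rotate=$2; cs_alert=$3
  # Refuse input that is not a parseable certificate, so a bad file is
  # never reported as "expired".
  openssl x509 -in "$cs_pem" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
  # -checkend N exits 0 only if the cert is still valid N seconds from now.
  if ! openssl x509 -in "$cs_pem" -noout -checkend 0 >/dev/null; then
    echo expired
  elif ! openssl x509 -in "$cs_pem" -noout -checkend $((cs_rotate * 86400)) >/dev/null; then
    echo rotate-due      # below the rotation threshold: regeneration expected
  elif ! openssl x509 -in "$cs_pem" -noout -checkend $((cs_alert * 86400)) >/dev/null; then
    echo alert-only      # monitoring warns, rotation threshold not reached yet
  else
    echo ok
  fi
}

# warn_gap_days ROTATE_DAYS ALERT_DAYS: days of alerting before rotation can start.
warn_gap_days() {
  wg=$(( $2 - $1 ))
  [ "$wg" -gt 0 ] || wg=0
  echo "$wg"
}

# make_sample_cert DAYS OUT_PEM: constructed, throwaway self-signed cert for the demo.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
    -subj "/CN=constructed-sample" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample_cert 20 "$demo_dir/sample.pem"   # 20 days of lifetime left
echo "rotate=7  alert=30: $(cert_state "$demo_dir/sample.pem" 7 30), gap $(warn_gap_days 7 30)d"
echo "rotate=30 alert=30: $(cert_state "$demo_dir/sample.pem" 30 30), gap $(warn_gap_days 30 30)d"
rm -rf "$demo_dir"
```

Against a live cluster the input would be the decoded `tls.crt` value of the `cnpg-webhook-cert` secret.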