infra

Viktor Barzin c11ac7d486 cnpg: bump webhook-cert renewal threshold 7d -> 30d Root cause of the recurring 'cnpg-webhook-cert' TLS expiry warn: CNPG default 'expiringCheckThreshold = 7' means the operator only regenerates the self-signed webhook cert when remaining lifetime drops BELOW 7 days. Our cluster-health check #22 alerts at <30d. Result: ~23 days of WARN before CNPG would even attempt rotation. Set EXPIRING_CHECK_THRESHOLD=30 via the chart's config.data map so the operator now regenerates with 30d buffer, aligning with our monitoring threshold. Cert lifetime stays at chart default 90d. Verified after apply: operator runtime config shows 'expiringCheckThreshold:30'. Companion in-session action: deleted the existing soon-to-expire secret and bounced the operator to force an immediate fresh 90-day cert (notBefore=May 22, notAfter=Aug 20).	2026-05-22 15:00:41 +00:00
..
main.tf	cnpg: bump webhook-cert renewal threshold 7d -> 30d	2026-05-22 15:00:41 +00:00

Viktor Barzin c11ac7d486 cnpg: bump webhook-cert renewal threshold 7d -> 30d

Root cause of the recurring 'cnpg-webhook-cert' TLS expiry warn:

CNPG default 'expiringCheckThreshold = 7' means the operator only
regenerates the self-signed webhook cert when remaining lifetime drops
BELOW 7 days. Our cluster-health check #22 alerts at <30d. Result:
~23 days of WARN before CNPG would even attempt rotation.

Set EXPIRING_CHECK_THRESHOLD=30 via the chart's config.data map so the
operator now regenerates with 30d buffer, aligning with our monitoring
threshold. Cert lifetime stays at chart default 90d.

Verified after apply: operator runtime config shows
'expiringCheckThreshold:30'. Companion in-session action: deleted the
existing soon-to-expire secret and bounced the operator to force an
immediate fresh 90-day cert (notBefore=May 22, notAfter=Aug 20).

2026-05-22 15:00:41 +00:00

main.tf

cnpg: bump webhook-cert renewal threshold 7d -> 30d

2026-05-22 15:00:41 +00:00