Description
- There is a PrometheusRule created and managed by the operator that uses the default expr:
cert:time_to_expiration:sec / cert:validity_duration:sec < 0.15
This works, but it fires before the real lifecycle (set or managed by a different operator, for example) can take place, which results in a "false" alert.
cert:time_to_expiration:sec / cert:validity_duration:sec < 0.15
could be a very different result considering 1y or 3 months.
I haven't found a way to adjust the alert; if that's true, could we ask for this to be editable?
Problem
cert-utils-operator ships a PrometheusRule named cert-utils-operator-certificate-rule-alerts.
The CertificateApproachingExpiration rule fires when
cert:time_to_expiration:sec / cert:validity_duration:sec < 0.15
For certificates rotated automatically by other operators (e.g. Mariadb-operator webhooks) this triggers well before it's renewed.
Request
Option A — expose the threshold as a configurable field/annotation so cluster admins can align it with their rotation window.
Impact if unchanged
Persistent warning alerts every renewal cycle; teams become desensitised and may ignore genuine expiration problems.
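
To make the mismatch described in this issue concrete, the following added example (not part of the issue and not cert-utils-operator code) converts the 0.15 ratio into an alert lead time and compares it with the point at which the owning operator rotates the certificate. The profile names, the `renew_before_sec` values and the assumption that rotation happens a fixed time before expiry are constructed for illustration.

```python
# Added illustration, not cert-utils-operator code.
from dataclasses import dataclass

DAY = 86400
DEFAULT_RATIO = 0.15  # threshold in the rule expression quoted in the issue


@dataclass(frozen=True)
class CertProfile:
    name: str              # constructed label
    validity_sec: int      # value of cert:validity_duration:sec
    renew_before_sec: int  # assumption: owner rotates this long before expiry


def alert_lead_sec(p: CertProfile, ratio: float = DEFAULT_RATIO) -> float:
    """Seconds before expiry at which time_to_expiration / validity < ratio."""
    return p.validity_sec * ratio


def fires_before_rotation(p: CertProfile, ratio: float = DEFAULT_RATIO) -> bool:
    """True if the alert starts while the certificate is still waiting for rotation."""
    return alert_lead_sec(p, ratio) > p.renew_before_sec


def max_quiet_ratio(p: CertProfile) -> float:
    """Largest threshold that stays silent as long as rotation happens on time."""
    return p.renew_before_sec / p.validity_sec


# Constructed sample profiles; none of these values come from the issue.
PROFILES = [
    CertProfile("1y, rotated 30d before expiry", 365 * DAY, 30 * DAY),
    CertProfile("90d, rotated 30d before expiry", 90 * DAY, 30 * DAY),
    CertProfile("90d, rotated 7d before expiry", 90 * DAY, 7 * DAY),
]


def report(profiles=PROFILES, ratio: float = DEFAULT_RATIO):
    """Return (name, alert lead in days, premature?, max quiet ratio) per profile."""
    return [
        (p.name, alert_lead_sec(p, ratio) / DAY,
         fires_before_rotation(p, ratio), round(max_quiet_ratio(p), 4))
        for p in profiles
    ]


if __name__ == "__main__":
    for row in report():
        print(row)
```

With these constructed profiles the same 0.15 ratio means 54.75 days of warning on a one-year certificate and 13.5 days on a 90-day one, so whether the alert is premature depends entirely on the rotation window, which is why a single fixed threshold cannot fit every certificate.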