Add a warning for node certificate expiring within 30 days (DB-138) #3855
Conversation
DB-138 Log a warning when certificates are close to expiry
|
dhingrak
force-pushed
the
kunal/notify-certificates-about-to-expire
branch
2 times, most recently
from
eb65011
to
a849d82
Compare
dhingrak
changed the title
dhingrak
force-pushed
the
kunal/notify-certificates-about-to-expire
branch
from
a849d82
to
2e7d332
Compare
hayley-jean
requested review from
timothycoleman
and removed request for
shaan1337
dhingrak
force-pushed
the
kunal/notify-certificates-about-to-expire
branch
2 times, most recently
from
46a3833
to
02a608b
Compare
| public VerifyNodeCertificateExpiry() { | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
I think it'd be nice to pass _certificateSelector into a new class that is responsible for monitoring the expiry rather than adding the logic to ClusterVNode. _certificateSelector is already passed elsewhere
We can store the ScheduleMessage returned by TimerMessage.Schedule.Create in a member variable and reuse it each time to save on these allocations that will end up in gen2 because they're long lived
dhingrak
force-pushed
the
kunal/notify-certificates-about-to-expire
branch
from
02a608b
to
c038bd7
Compare
There was a problem hiding this comment.
Ah sorry I should have been a bit clearer. The recent changes are a step in the right direction but I meant slightly more. We could have the CertificateExpiryMonitor be a component that communicates with messages (i.e. Handle the VerifyNodeCertificateExpiry and publish the _nodeCertificateExpirySchedule), so the ClusterVNode would wire it up and start it like it does the other major components without having to worry about calling it again after
dhingrak
force-pushed
the
kunal/notify-certificates-about-to-expire
branch
3 times, most recently
from
ec78f55
to
e544b10
Compare
There was a problem hiding this comment.
great thats look good
it would be cool if schedule message construction could be left to the monitor itself as well, then the whole implementation of how it works would be encapsulated away from the ClusterVNode. Then we'd be free to change the implementation of the monitor without it having a knock on effect elsewhere
it would likely make sense to have the Monitor Handle SystemMessage.SystemStart to achieve this
and then we'll be in a good position to write some unit tests for the monitor. if you find that the DateTime.Now call in the monitor is awkward in the test, you can do something like pass a Func to the monitor (which would be () => DateTime.Now in real life) but allows you to control time however you want in the test
one other thing, the monitor can receive the mainbus as a IPublisher rather than IQueuedHandler (all we are going to do with it is publish), and the member variable needn't be called _mainQueue because the monitor doesn't mind what queue it really is (which is nice because it means we can change the details of the ClusterVNode if we want without having a knock on effect on the monitor) so we can just call it _publisher or _output
|
come to think of it the easiest thing to do would probably be to pass a
then the tests will be easy even using DateTIme.now |
dhingrak
force-pushed
the
kunal/notify-certificates-about-to-expire
branch
2 times, most recently
from
e4b826e
to
4d5c287
Compare
dhingrak
force-pushed
the
kunal/notify-certificates-about-to-expire
branch
from
4d5c287
to
3e16399
Compare
|
Thank you so much Tim for your suggestions. |
|
|
||
| if (timeUntilExpiry <= _warningThreshold) { | ||
| _logger.Warning( | ||
| "Certificates are going to expire in {daysUntilExpiry:N1} days", |
There was a problem hiding this comment.
Looks good, I'm happy to merge as-is but I think it would be better to only show the remaining days as whole numbers:
| "Certificates are going to expire in {daysUntilExpiry:N1} days", | |
| "Certificates are going to expire in {daysUntilExpiry:N0} days", |
There was a problem hiding this comment.
(for posterity, it can go either way but seeing 0.4 days is slightly more informative than 0 days)
Fixed: Log a warning when certificates are close to expiry.
Fixes https://linear.app/eventstore/issue/DB-138/log-a-warning-when-certificates-are-close-to-expiry
The goal of this PR is to add a warning daily if the node certificate is going to expire within 30 days.