Webhook certificate expiry alerts #23

Merged
videlov merged 4 commits into main from alert-webhook-cert-expire
May 5, 2026


@videlov videlov commented May 4, 2026

No description provided.

@videlov videlov requested a review from a team as a code owner May 4, 2026 15:21
Copilot AI review requested due to automatic review settings May 4, 2026 15:21

Copilot AI left a comment


Pull request overview

This PR adds Prometheus alerting for webhook certificate expiry/rotation in the controlplane-operations Helm chart, and bumps the chart/plugin bundle version to publish the new rules.

Changes:

  • Bumped chart and PluginDefinition versions from 1.1.9 to 1.1.10.
  • Added two new Prometheus alerts for webhook certificate near-expiry and about-to-expire conditions.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| charts/controlplane-operations/plugindefinition.yaml | Bumps PluginDefinition and referenced chart version to 1.1.10. |
| charts/controlplane-operations/Chart.yaml | Bumps Helm chart version to 1.1.10. |
| charts/controlplane-operations/alerts/controlplane-remote.yaml | Adds two new Prometheus alert rules for webhook certificate expiry thresholds. |


@goerangudat goerangudat left a comment


lgtm

@abhijith-darshan

One question: when a root / intermediary CA is used to issue certificates for webhook and they get rotated, cert-manager fails to rotate the issued certs. Have you guys solved this problem somehow?


videlov commented May 5, 2026

> One question: when a root / intermediary CA is used to issue certificates for webhook and they get rotated, cert-manager fails to rotate the issued certs. Have you guys solved this problem somehow?

we generate and rotate a self-signed cert that is also CA completely by ourselves and we mount it on the disk for the webhook server to automatically fetch/update: https://github.com/SAP-cloud-infrastructure/webhook-injector/blob/fd8a075a009300e5baa6b56917ea63751aa5b6f6/pkg/certificates/generator.go#L65

so basically just 1 certificate and with rotation also works fine without downtime, I haven't tested it, but Fabus did. there is also an e2e test for it.
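The single self-signed certificate that is also its own CA, as described in the comment above, checked against a near-expiry threshold like the one this PR alerts on. This is an added Go example, not code from webhook-injector or from this PR. The function names, key type and subject name are assumptions, and the threshold is generalized to a fraction of the certificate's own lifetime instead of a fixed 90 days.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCA returns a DER cert that is its own issuer and a CA (names are assumed).
func newSelfSignedCA(notBefore time.Time, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "webhook.example.svc"}, // placeholder
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validity),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Template and parent are the same object: the certificate signs itself.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// nearExpiry applies (expiry - now) < lifetime * fraction, reading lifetime from the cert.
func nearExpiry(der []byte, now time.Time, fraction float64) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	threshold := time.Duration(float64(cert.NotAfter.Sub(cert.NotBefore)) * fraction)
	return cert.NotAfter.Sub(now) < threshold, nil
}

func main() {
	issued := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	der, err := newSelfSignedCA(issued, 90*24*time.Hour)
	for _, day := range []int{71, 73} { // 18-day threshold is crossed after day 72
		hit, perr := nearExpiry(der, issued.AddDate(0, 0, day), 0.2)
		fmt.Println("day", day, "near expiry:", hit, err, perr)
	}
}
```

With a 90-day validity and a fraction of 0.2 the check turns true once fewer than 18 days remain, and it stays true after the certificate has expired.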

videlov added 4 commits May 5, 2026 11:10
Signed-off-by: Vladimir Videlov <vladimir.videlov@sap.com>
Signed-off-by: Vladimir Videlov <vladimir.videlov@sap.com>
Signed-off-by: Vladimir Videlov <vladimir.videlov@sap.com>
Signed-off-by: Vladimir Videlov <vladimir.videlov@sap.com>
Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.


Comment on lines +73 to +75
expr: |
(webhook_injector_certificate_expiry_time_seconds - time()) < (90 * 24 * 3600 * 0.2)
for: {{ dig "WebhookCertificateNearExpiry" "for" "5m" .Values.prometheusRules }}
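Review bot: the threshold on the `expr` line is built from the literals `90 * 24 * 3600 * 0.2`, so the rule silently assumes a 90-day lifetime and a 20% window; if the certificate validity ever changes, the alert will fire too early or too late without anyone touching this file. The `for` line already reads its value through `dig ... .Values.prometheusRules` with a default, and the same pattern could expose the threshold (or at least a comment could state that 90 is the certificate lifetime in days and that the result is 18 days). Separately, the comparison returns no series when `webhook_injector_certificate_expiry_time_seconds` is missing, so a webhook that stops exporting the metric never triggers this rule; a companion rule using `absent()` on the same metric would cover that case.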
@videlov videlov merged commit fb0b74d into main May 5, 2026
9 checks passed