fix(base-cluster/monitoring): adjust for short-lived certificates #1921
Make certificate alerts relative to renewal time, otherwise short-lived certificates always result in alerts.
📝 Walkthrough
The certificate expiration PrometheusRule is updated with two new renewal-based alerts that replace simple expiration checks. CertificatePastRenewalTime triggers when renewal hasn't occurred within 30 minutes, while CertificatePastRenewalTimeHalfwayToExpiration triggers at the midpoint between renewal timestamp and expiration timestamp.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes
Pull request overview
This pull request adjusts certificate expiration monitoring alerts to work correctly with short-lived certificates by making alert thresholds relative to renewal time instead of fixed time periods.
Changes:
- Replaced time-based expiration alerts (14 days, 7 days) with renewal-based alerts
- First alert now triggers when a certificate hasn't been renewed within 30 minutes of its renewal time
- Second alert now triggers when a certificate is halfway between renewal and expiration without being renewed
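An added example, not code from this pull request: it models the two renewal-relative conditions described above next to the replaced 14-day and 7-day thresholds and evaluates both on constructed certificates. The `Cert` class, its field names and the sample lifetimes are assumptions made for illustration.

```python
from dataclasses import dataclass

HOUR, DAY = 3600, 86400
GRACE = 30 * 60  # the 30 minutes past renewal time named on this page


@dataclass
class Cert:  # hypothetical model; both fields are epoch seconds
    renew_at: float   # when the issuer is scheduled to renew
    not_after: float  # when the certificate expires


def fixed_threshold_alerts(cert, now):
    """Replaced rules: fire when fewer than 14 or 7 days remain."""
    remaining = cert.not_after - now
    return [f"expires<{d}d" for d in (14, 7) if remaining < d * DAY]


def renewal_relative_alerts(cert, now):
    """New rules: thresholds derived from the certificate's own renewal time.
    A successful renewal moves both timestamps forward, clearing the alerts."""
    alerts = []
    if now > cert.renew_at + GRACE:
        alerts.append("CertificatePastRenewalTime")
    halfway = cert.renew_at + (cert.not_after - cert.renew_at) / 2
    if now > halfway:
        alerts.append("CertificatePastRenewalTimeHalfwayToExpiration")
    return alerts


# Constructed samples, issued at t=0: a 24-hour and a 90-day certificate.
SHORT = Cert(renew_at=16 * HOUR, not_after=24 * HOUR)
LONG = Cert(renew_at=60 * DAY, not_after=90 * DAY)

if __name__ == "__main__":
    for label, cert, now in [
        ("24h cert, 1h old", SHORT, 1 * HOUR),
        ("24h cert, 45m past renewal", SHORT, 16 * HOUR + 45 * 60),
        ("24h cert, 21h old", SHORT, 21 * HOUR),
        ("90d cert, 30d old", LONG, 30 * DAY),
        ("90d cert, 80d old", LONG, 80 * DAY),
    ]:
        print(label, fixed_threshold_alerts(cert, now),
              renewal_relative_alerts(cert, now))
```

In this model a fresh 24-hour certificate trips both fixed thresholds immediately, while the renewal-relative conditions stay quiet until renewal is overdue.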
🤖 I have created a release *beep* *boop*

---

## [11.1.0](base-cluster-v11.0.1...base-cluster-v11.1.0) (2026-03-16)

### Features

* **base-cluster/ingress:** add auto detection of need for proxy protocol ([#1951](#1951)) ([a94de1a](a94de1a))
* **base-cluster/ingress:** allow external ingress controller ([#1859](#1859)) ([1442431](1442431))
* **base-cluster/kyverno:** allow setting kyverno resources ([#1986](#1986)) ([71b9db4](71b9db4))
* **base-cluster/monitoring:** add alert about base-cluster updates ([#1937](#1937)) ([a3c63a7](a3c63a7))
* **base-cluster/monitoring:** add alert about deprecated APIs ([#2021](#2021)) ([cb334dd](cb334dd))

### Bug Fixes

* **base-cluster/deadMansSwitch:** fix alertmanager healthchecks URL ([#2019](#2019)) ([d874a56](d874a56))
* **base-cluster/ingress:** disable traefik apiCheck ([#1902](#1902)) ([d45bd69](d45bd69))
* **base-cluster/ingress:** they now have the redirections nested under http ([#1952](#1952)) ([dca2502](dca2502))
* **base-cluster/monitoring:** adjust for short-lived certificates ([#1921](#1921)) ([41062b2](41062b2))
* **base-cluster/monitoring:** only roll out alloy tracing ports if enabled ([#2005](#2005)) ([ea44c4d](ea44c4d))
* **base-cluster:** Revert "chore(base-cluster/dependencies): update helm release traefik to v39 ([#1936](#1936))" ([#1954](#1954)) ([5d2ae36](5d2ae36))

### Miscellaneous Chores

* **base-cluster/dependencies:** update common docker tag to v1.8.0 ([#1939](#1939)) ([38b1c7e](38b1c7e))
* **base-cluster/dependencies:** update docker.io/curlimages/curl docker tag to v8.18.0 ([#1896](#1896)) ([f046977](f046977))
* **base-cluster/dependencies:** update docker.io/grafana/grafana-image-renderer docker tag to v5.0.13 ([#1885](#1885)) ([474e903](474e903))
* **base-cluster/dependencies:** update docker.io/grafana/grafana-image-renderer docker tag to v5.2.3 ([#1897](#1897)) ([84b647b](84b647b))
* **base-cluster/dependencies:** update docker.io/grafana/grafana-image-renderer docker tag to v5.3.0 ([#1922](#1922)) ([ef6f80f](ef6f80f))
* **base-cluster/dependencies:** update docker.io/grafana/grafana-image-renderer docker tag to v5.4.0 ([#1931](#1931)) ([50171d8](50171d8))
* **base-cluster/dependencies:** update docker.io/grafana/grafana-image-renderer docker tag to v5.5.0 ([#1968](#1968)) ([ee276e2](ee276e2))
* **base-cluster/dependencies:** update docker.io/grafana/grafana-image-renderer docker tag to v5.5.1 ([#1988](#1988)) ([f765f5e](f765f5e))
* **base-cluster/dependencies:** update docker.io/vladgh/gpg docker tag to v1.3.7 ([#1886](#1886)) ([4b2c33b](4b2c33b))
* **base-cluster/dependencies:** update helm release alloy to v1.5.2 ([#1891](#1891)) ([41b25e9](41b25e9))
* **base-cluster/dependencies:** update helm release alloy to v1.5.3 ([#1949](#1949)) ([d8bda90](d8bda90))
* **base-cluster/dependencies:** update helm release alloy to v1.6.0 ([#1975](#1975)) ([76632e4](76632e4))
* **base-cluster/dependencies:** update helm release external-dns to v1.20.0 ([#1905](#1905)) ([ff53477](ff53477))
* **base-cluster/dependencies:** update helm release kube-prometheus-stack to v80.13.3 ([#1892](#1892)) ([9775868](9775868))
* **base-cluster/dependencies:** update helm release kube-prometheus-stack to v80.14.4 ([#1906](#1906)) ([f62458d](f62458d))
* **base-cluster/dependencies:** update helm release kube-prometheus-stack to v81 ([#1923](#1923)) ([9e9915d](9e9915d))
* **base-cluster/dependencies:** update helm release kube-prometheus-stack to v81.2.1 ([#1934](#1934)) ([30fa0dd](30fa0dd))
* **base-cluster/dependencies:** update helm release kube-prometheus-stack to v81.3.2 ([#1950](#1950)) ([95a9398](95a9398))
* **base-cluster/dependencies:** update helm release kube-prometheus-stack to v81.5.0 ([#1962](#1962)) ([1a9bab8](1a9bab8))
* **base-cluster/dependencies:** update helm release kube-prometheus-stack to v81.5.2 ([#1982](#1982)) ([07c2249](07c2249))
* **base-cluster/dependencies:** update helm release kube-prometheus-stack to v81.6.6 ([#1989](#1989)) ([2bf4f3c](2bf4f3c))
* **base-cluster/dependencies:** update helm release kube-prometheus-stack to v82 ([#1995](#1995)) ([45ef213](45ef213))
* **base-cluster/dependencies:** update helm release loki to v6.49.0 ([#1908](#1908)) ([f36dd6d](f36dd6d))
* **base-cluster/dependencies:** update helm release loki to v6.51.0 ([#1928](#1928)) ([6ac27d6](6ac27d6))
* **base-cluster/dependencies:** update helm release loki to v6.53.0 ([#1974](#1974)) ([0bc6e68](0bc6e68))
* **base-cluster/dependencies:** update helm release oauth2-proxy to v10 ([#1913](#1913)) ([7e551b5](7e551b5))
* **base-cluster/dependencies:** update helm release oauth2-proxy to v10.1.1 ([#1944](#1944)) ([3f97108](3f97108))
* **base-cluster/dependencies:** update helm release oauth2-proxy to v10.1.2 ([#1961](#1961)) ([c0bc91d](c0bc91d))
* **base-cluster/dependencies:** update helm release oauth2-proxy to v10.1.3 ([#1979](#1979)) ([9b95c4b](9b95c4b))
* **base-cluster/dependencies:** update helm release oauth2-proxy to v10.1.4 ([#2001](#2001)) ([8ffa211](8ffa211))
* **base-cluster/dependencies:** update helm release reflector to v10 ([#1924](#1924)) ([0051c34](0051c34))
* **base-cluster/dependencies:** update helm release reflector to v10.0.19 ([#1999](#1999)) ([a2b5189](a2b5189))
* **base-cluster/dependencies:** update helm release reflector to v10.0.2 ([#1935](#1935)) ([333393e](333393e))
* **base-cluster/dependencies:** update helm release reflector to v10.0.4 ([#1956](#1956)) ([3eef9a0](3eef9a0))
* **base-cluster/dependencies:** update helm release reflector to v10.0.8 ([#1978](#1978)) ([b2f97f9](b2f97f9))
* **base-cluster/dependencies:** update helm release reflector to v9.1.45 ([#1893](#1893)) ([ff100d9](ff100d9))
* **base-cluster/dependencies:** update helm release tempo to v1.24.3 ([#1904](#1904)) ([99099bf](99099bf))
* **base-cluster/dependencies:** update helm release tempo to v1.24.4 ([#1957](#1957)) ([7d67bf3](7d67bf3))
* **base-cluster/dependencies:** update helm release tempo to v1.26.1 ([#1976](#1976)) ([517da93](517da93))
* **base-cluster/dependencies:** update helm release tempo to v1.26.7 ([#2000](#2000)) ([6cabd54](6cabd54))
* **base-cluster/dependencies:** update helm release traefik to v38 ([#1914](#1914)) ([106c7cf](106c7cf))
* **base-cluster/dependencies:** update helm release traefik to v39 ([#1936](#1936)) ([5b39257](5b39257))
* **base-cluster/dependencies:** update helm release traefik to v39 ([#1959](#1959)) ([6efe111](6efe111))
* **base-cluster/dependencies:** update helm release traefik to v39.0.1 ([#1992](#1992)) ([27d7316](27d7316))
* **base-cluster/monitoring:** migrate helm repo to new URL ([#1955](#1955)) ([9263d6a](9263d6a))
* **base-cluster/tetragon:** update flux apiVersion ([#1900](#1900)) ([ff93afb](ff93afb))
* **base-cluster:** update kyverno ([#1918](#1918)) ([a503ef6](a503ef6))
* migrate kyverno config ([71b9db4](71b9db4))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>