Add metrics for expiring certificates and use common prefix for metric names

README.md

@@ -511,6 +511,7 @@ Flags:
       --dns-owner-id string                                ownerId for creating challenge DNSEntries
       --dns.disable-deploy-crds                            disable deployment of required crds for cluster dns
       --dns.id string                                      id for cluster dns
+      --dns.migration-ids string                           migration id for cluster dns
       --force-crd-update                                   enforce update of crds even they are unmanaged
       --grace-period duration                              inactivity grace period for detecting end of cleanup for shutdown
   -h, --help                                               help for cert-controller-manager
@@ -541,12 +542,14 @@ Flags:
       --issuer.precheck-additional-wait duration           additional wait time after DNS propagation check of controller issuer (default 10s)
       --issuer.precheck-nameservers string                 DNS nameservers used for checking DNS propagation. If explicity set empty, it is tried to read them from /etc/resolv.conf of controller issuer (default "8.8.8.8:53,8.8.4.4:53")
       --issuer.propagation-timeout duration                propagation timeout for DNS challenge of controller issuer (default 1m0s)
+      --issuer.renewal-overdue-window duration             certificate is counted as 'renewal overdue' if its validity period is shorter (metrics cert_management_overdue_renewal_certificates) of controller issuer (default 600h0m0s)
       --issuer.renewal-window duration                     certificate is renewed if its validity period is shorter of controller issuer (default 720h0m0s)
       --issuer.secrets.pool.size int                       Worker pool size for pool secrets of controller issuer (default 1)
       --issuers.pool.size int                              Worker pool size for pool issuers
       --kubeconfig string                                  default cluster access
       --kubeconfig.disable-deploy-crds                     disable deployment of required crds for cluster default
       --kubeconfig.id string                               id for cluster default
+      --kubeconfig.migration-ids string                    migration id for cluster default
       --lease-duration duration                            lease duration (default 15s)
       --lease-name string                                  name for lease object
       --lease-renew-deadline duration                      lease renew deadline (default 10s)
@@ -563,6 +566,7 @@ Flags:
       --precheck-additional-wait duration                  additional wait time after DNS propagation check
       --precheck-nameservers string                        DNS nameservers used for checking DNS propagation. If explicity set empty, it is tried to read them from /etc/resolv.conf
       --propagation-timeout duration                       propagation timeout for DNS challenge
+      --renewal-overdue-window duration                    certificate is counted as 'renewal overdue' if its validity period is shorter (metrics cert_management_overdue_renewal_certificates)
       --renewal-window duration                            certificate is renewed if its validity period is shorter
       --secrets.pool.size int                              Worker pool size for pool secrets
       --server-port-http int                               HTTP server port (serving /healthz, /metrics, ...)
@@ -578,11 +582,13 @@ Flags:
       --source string                                      source cluster to watch for ingresses and services
       --source.disable-deploy-crds                         disable deployment of required crds for cluster source
       --source.id string                                   id for cluster source
+      --source.migration-ids string                        migration id for cluster source
       --target string                                      target cluster for certificates
       --target-name-prefix string                          name prefix in target namespace for cross cluster generation
       --target-namespace string                            target namespace for cross cluster generation
       --target.disable-deploy-crds                         disable deployment of required crds for cluster target
       --target.id string                                   id for cluster target
+      --target.migration-ids string                        migration id for cluster target
       --targets.pool.size int                              Worker pool size for pool targets
   -v, --version                                            version for cert-controller-manager
 ```

charts/cert-management/templates/deployment.yaml

@@ -34,6 +34,9 @@ spec:
         args:
         - --name={{ include "cert-management.fullname" . }}
         ### start generated configuration
+        {{- if .Values.configuration.acceptedMaintainers }}
+        - --accepted-maintainers={{ .Values.configuration.acceptedMaintainers }}
+        {{- end }}
         {{- if .Values.configuration.bindAddressHttp }}
         - --bind-address-http={{ .Values.configuration.bindAddressHttp }}
         {{- end }}
@@ -91,6 +94,12 @@ spec:
         {{- if .Values.configuration.dnsId }}
         - --dns.id={{ .Values.configuration.dnsId }}
         {{- end }}
+        {{- if .Values.configuration.dnsMigrationIds }}
+        - --dns.migration-ids={{ .Values.configuration.dnsMigrationIds }}
+        {{- end }}
+        {{- if .Values.configuration.forceCrdUpdate }}
+        - --force-crd-update={{ .Values.configuration.forceCrdUpdate }}
+        {{- end }}
         {{- if .Values.configuration.gracePeriod }}
         - --grace-period={{ .Values.configuration.gracePeriod }}
         {{- end }}
@@ -175,6 +184,9 @@ spec:
         {{- if .Values.configuration.issuerPropagationTimeout }}
         - --issuer.propagation-timeout={{ .Values.configuration.issuerPropagationTimeout }}
         {{- end }}
+        {{- if .Values.configuration.issuerRenewalOverdueWindow }}
+        - --issuer.renewal-overdue-window={{ .Values.configuration.issuerRenewalOverdueWindow }}
+        {{- end }}
         {{- if .Values.configuration.issuerRenewalWindow }}
         - --issuer.renewal-window={{ .Values.configuration.issuerRenewalWindow }}
         {{- end }}
@@ -193,6 +205,9 @@ spec:
         {{- if .Values.configuration.kubeconfigId }}
         - --kubeconfig.id={{ .Values.configuration.kubeconfigId }}
         {{- end }}
+        {{- if .Values.configuration.kubeconfigMigrationIds }}
+        - --kubeconfig.migration-ids={{ .Values.configuration.kubeconfigMigrationIds }}
+        {{- end }}
         {{- if .Values.configuration.leaseDuration }}
         - --lease-duration={{ .Values.configuration.leaseDuration }}
         {{- end }}
@@ -238,6 +253,9 @@ spec:
         {{- if .Values.configuration.propagationTimeout }}
         - --propagation-timeout={{ .Values.configuration.propagationTimeout }}
         {{- end }}
+        {{- if .Values.configuration.renewalOverdueWindow }}
+        - --renewal-overdue-window={{ .Values.configuration.renewalOverdueWindow }}
+        {{- end }}
         {{- if .Values.configuration.renewalWindow }}
         - --renewal-window={{ .Values.configuration.renewalWindow }}
         {{- end }}
@@ -283,6 +301,9 @@ spec:
         {{- if .Values.configuration.sourceId }}
         - --source.id={{ .Values.configuration.sourceId }}
         {{- end }}
+        {{- if .Values.configuration.sourceMigrationIds }}
+        - --source.migration-ids={{ .Values.configuration.sourceMigrationIds }}
+        {{- end }}
         {{- if .Values.configuration.target }}
         - --target={{ .Values.configuration.target }}
         {{- end }}
@@ -298,6 +319,9 @@ spec:
         {{- if .Values.configuration.targetId }}
         - --target.id={{ .Values.configuration.targetId }}
         {{- end }}
+        {{- if .Values.configuration.targetMigrationIds }}
+        - --target.migration-ids={{ .Values.configuration.targetMigrationIds }}
+        {{- end }}
         {{- if .Values.configuration.targetsPoolSize }}
         - --targets.pool.size={{ .Values.configuration.targetsPoolSize }}
         {{- end }}

charts/cert-management/values.yaml

@@ -30,6 +30,7 @@ createCRDs:
   certificates: true
 
 configuration:
+  # acceptedMaintainers:
   # bindAddressHttp:
   # cascadeDelete:
   # certClass:
@@ -49,6 +50,8 @@ configuration:
   # dnsOwnerId:
   # dnsDisableDeployCrds:
   # dnsId:
+  # dnsMigrationIds:
+  # forceCrdUpdate:
   # gracePeriod:
   # ingressCertCertClass:
   # ingressCertCertTargetClass:
@@ -77,12 +80,14 @@ configuration:
   # issuerPrecheckAdditionalWait:
   # issuerPrecheckNameservers:
   # issuerPropagationTimeout:
+  # issuerRenewalOverdueWindow:
   # issuerRenewalWindow:
   # issuerSecretsPoolSize:
   # issuersPoolSize:
   # kubeconfig:
   # kubeconfigDisableDeployCrds:
   # kubeconfigId:
+  # kubeconfigMigrationIds:
   # leaseDuration:
   # leaseName:
   # leaseRenewDeadline:
@@ -98,6 +103,7 @@ configuration:
   # precheckAdditionalWait:
   # precheckNameservers:
   # propagationTimeout:
+  # renewalOverdueWindow:
   # renewalWindow:
   # secretsPoolSize:
   serverPortHttp: 8080
@@ -113,11 +119,13 @@ configuration:
   # source:
   # sourceDisableDeployCrds:
   # sourceId:
+  # sourceMigrationIds:
   # target:
   # targetNamePrefix:
   # targetNamespace:
   # targetDisableDeployCrds:
   # targetId:
+  # targetMigrationIds:
   # targetsPoolSize:
   # version: