Fix webhook service rotation to renew within 24h of expiry

Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>

Author: Per Goncalves da Silva

internal/operator-controller/rukpak/render/certproviders/certmanager.go

@@ -55,6 +55,7 @@ func (p CertManagerCertificateProvider) AdditionalObjects(cfg render.Certificate
 	// OLMv0 parity:
 	// - self-signed issuer
 	// - 2 year rotation period
+	// - renew 24h before expiry
 	// - CN: argocd-operator-controller-manager-service.argocd (<deploymentName>-service.<namespace>)
 	// - CA: false
 	// - DNS:argocd-operator-controller-manager-service.argocd, DNS:argocd-operator-controller-manager-service.argocd.svc, DNS:argocd-operator-controller-manager-service.argocd.svc.cluster.local
@@ -165,6 +166,9 @@ func (p CertManagerCertificateProvider) AdditionalObjects(cfg render.Certificate
 			Duration: &metav1.Duration{
 				Duration: olmv0RotationPeriod,
 			},
+			RenewBefore: &metav1.Duration{
+				Duration: 24 * time.Hour,
+			},
 		},
 	}
 	certObj, err := util.ToUnstructured(certificate)

internal/operator-controller/rukpak/render/certproviders/certmanager_test.go

@@ -143,6 +143,10 @@ func Test_CertManagerProvider_AdditionalObjects(t *testing.T) {
 					// OLMv0 has a 2 year certificate rotation period
 					Duration: 730 * 24 * time.Hour,
 				},
+				RenewBefore: &metav1.Duration{
+					// OLMv0 reviews 24h before expiry
+					Duration: 24 * time.Hour,
+				},
 			},
 		}),
 	}, objs)