Open
Summary
Automatically renew certificates before they expire.
Tasks
- Track certificate expiry dates in Certificate status
- Trigger re-signing when certificates approach expiry (configurable threshold, e.g. 30 days)
- Perform rolling restart of affected Servers after certificate renewal
Operator-side expiry monitoring
The operator currently sets status.notAfter on Certificate and CertificateAuthority resources but has no active monitoring in place:
- No controller watches for approaching certificate expiry
- No Kubernetes Events or alerts are emitted when certificates are about to expire
- Users have no way to know a certificate is about to expire without manually inspecting status fields
Suggested addition
- Add a periodic check (e.g. every hour) that compares status.notAfter against the current time
- Emit Warning events at 30/7/1 day thresholds before expiry (e.g. CertificateExpiringWarning)
- This monitoring is independent of the actual renewal mechanism (which may be handled by Puppet auto-renewal) and provides visibility even if renewal is not yet implemented
Refs #34
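
The threshold logic of the periodic check suggested above, as an added example in Go that is not part of the issue or the operator's code. `CheckExpiry`, `Decision`, `NoneEmitted` and the last-emitted bookkeeping are hypothetical names; it also reports an already expired certificate, and emitting the actual Kubernetes Event is left to the caller.

```go
package main

import (
	"fmt"
	"time"
)

const day = 24 * time.Hour
const NoneEmitted = time.Duration(-1) // no warning reported yet for this certificate

// Thresholds from the issue (30/7/1 days), widest first; 0 stands for "already expired".
var thresholds = []time.Duration{30 * day, 7 * day, 1 * day, 0}

// Decision is what the periodic check would hand to an event recorder.
type Decision struct {
	Emit      bool
	Threshold time.Duration // tightest threshold crossed
	Message   string
}

// CheckExpiry compares status.notAfter with now. lastEmitted is the threshold
// already reported (hypothetical bookkeeping, e.g. kept in status); the caller
// resets it to NoneEmitted after a renewal moves notAfter forward.
func CheckExpiry(notAfter, now time.Time, lastEmitted time.Duration) Decision {
	if notAfter.IsZero() { // status.notAfter not populated yet
		return Decision{Threshold: NoneEmitted}
	}
	remaining := notAfter.Sub(now)
	crossed := NoneEmitted
	for _, t := range thresholds {
		if remaining <= t {
			crossed = t // keep narrowing to the tightest crossed threshold
		}
	}
	// Emit once per threshold so hourly runs inside the same window stay silent.
	if crossed == NoneEmitted || (lastEmitted != NoneEmitted && crossed >= lastEmitted) {
		return Decision{Threshold: crossed}
	}
	msg := fmt.Sprintf("certificate notAfter %s, %.1f days remaining",
		notAfter.Format(time.RFC3339), remaining.Hours()/24)
	return Decision{Emit: true, Threshold: crossed, Message: msg}
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample time
	fmt.Println(CheckExpiry(now.Add(20*day), now, NoneEmitted).Message)
}
```

Because the tightest crossed threshold wins, an operator that was down while a certificate passed both the 30 and 7 day marks emits a single 7 day warning on its next run.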