fix #122 (#126)

* fix #122 Signed-off-by: raffaelespazzoli <raffaele.spazzoli@gmail.com> * fixed label Signed-off-by: raffaelespazzoli <raffaele.spazzoli@gmail.com>
redhat-cop · Mar 6, 2022 · d19be7e · d19be7e
1 parent 098a3d8
commit d19be7e
Showing 1 changed file with 22 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -95,6 +95,28 @@ A such annotated secret looks like the following:
 
 ## Alerting when a certificate is about to expire
 
+This operator can generate Prometheus alerts and/or Kubernetes events when a certifciate is about to expire.
+
+### Generating prometheus alerts
+
+Prometheus alerts are generated for all certificates. In order for the certifciate metrics to be collected and the alerts be generated the Prometheus CRs deployed with this operator must be honored by a [Prometheus operator](https://github.com/prometheus-operator/prometheus-operator). If you are running on OpenShift just add the label ``openshift.io/cluster-monitoring="true"`` to the namespace containing the operator.
+
+The following metrics will be collected for every tls secret:
+
+| Metric Name | Description |
+|:-:|:-:|
+| `certutils_certificate_issue_time` | time at which the certificate was created in seconds from from January 1, 1970 UTC |
+| `certutils_certificate_expiry_time` | time at which the certificate expires in seconds from from January 1, 1970 UTC |
+| `cert:validity_duration:sec` | duration of the certificate validity in seconds |
+| `cert:time_to_expiration:sec` | time left to expiration in seconds |
+
+Alerts will be generated at 85% and 95% of the certifciate lifetime.
+Alerts are generated for all certificates including certifciate that are possibly automatically rotated. This is intentional as the automation that rotates the certificates may be non-functioning.
+
+If these alerts are not useful in your deployment, you can be silenced them in alert-manager as described [here](https://prometheus.io/docs/alerting/latest/configuration/#inhibit_rule).
+
+### Generating Kubernetes events
+
 This feature is activated with the following annotation on a `kubernetes.io/tls` secret: `cert-utils-operator.redhat-cop.io/generate-cert-expiry-alert: "true"`.
 
 When this annotation is set the secret will generate a Kubernetes `Warning` Event if the certificate is about to expire.
@@ -113,16 +135,7 @@ Here is an example of a certificate soon-to-expiry event:
 
 ![cert-expiry](media/cert-expiry.png)
 
-In addition to this, This operator generates the following metrics for al TLS certificates:
-
-| Metric Name | Descrption |
-|:-:|:-:|
-| certutils_certificate_issue_time | time at which the certificate was created in seconds from from January 1, 1970 UTC |
-| certutils_certificate_expiry_time | time at which the certificate expires in seconds from from January 1, 1970 UTC |
-| cert:validity_duration:sec | duration of the certificate validity in seconds |
-| cert:time_to_expiration:sec | time left to expiration in seconds |
 
-The operator also sets two alerts that fire respectively when a certificate has 15% and 5% left of its lifetime.
 
 ## CA Injection