Skip to content

docs: delineate cert health-gating from re-issuance#262

Merged
ecv merged 1 commit into
mainfrom
fix/260-cert-recovery-boundary-docs
Jul 13, 2026
Merged

docs: delineate cert health-gating from re-issuance#262
ecv merged 1 commit into
mainfrom
fix/260-cert-recovery-boundary-docs

Conversation

@ecv

@ecv ecv commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

What

Records the boundary between the two cert-failure paths in the gateway controller with a short comment at each call site. No behavior change — comments only.

  • Health-gating (evaluateListenerCertHealth, call site ~line 279): read-only, gates a listener on any unusable cert (Ready!=True, not-yet-valid, expired, missing secret, corrupt keypair).
  • Fast-track re-issuance (reissueFailedCertificate, call site ~line 950): mutates (delete + gateway annotation bump), fires only on cert-manager hard-fail (LastFailureTime). Expired/missing certs recover via renewal or the ensure loop's isNew path instead.

Why

Resolves the decision in #260 — keep the two paths delineated rather than unified behind a single failure detector. Full rationale and the stuck-state verification are recorded on that issue. Summary:

  • The two paths key off different signals by design; only the narrow LastFailureTime signal should trigger the destructive delete-recreate.
  • Health stays read-only (drives customer-facing status + metrics); re-issuance stays the sole mutator.
  • Verified no truly-stuck state exists within NSO's model at the pinned cert-manager v1.17.2 (every unhealthy branch has a recovery owner).

Test

go build + relevant internal/controller tests pass; no logic touched.

Closes #260

Record the boundary between the two cert-failure paths in the gateway
controller, per the decision in #260: keep them separate rather than
unified behind a single failure detector.

Add a short comment at each call site stating the split and why:
- Health-gating (evaluateListenerCertHealth) is read-only and gates on any
  unusable cert.
- Fast-track re-issuance (reissueFailedCertificate) mutates and fires only
  on cert-manager hard-fail (LastFailureTime); expired or missing certs
  recover via renewal or the isNew path instead.

No behavior change; comments only.
@ecv
ecv marked this pull request as ready for review July 13, 2026 04:11
@ecv

ecv commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

wow, its me suggesting a comment

@ecv
ecv requested a review from scotwells July 13, 2026 19:06
@ecv
ecv enabled auto-merge July 13, 2026 19:07
@ecv
ecv merged commit 4be6b7f into main Jul 13, 2026
10 of 12 checks passed
@ecv
ecv deleted the fix/260-cert-recovery-boundary-docs branch July 13, 2026 19:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Unify or delineate cert-failure recovery: re-issuance (#259) vs health-gating (#212)

2 participants