
✨ Add events for automatic certificate rotation in KubeadmControlPlane #13242

Open
VijetaPriya47 wants to merge 5 commits into kubernetes-sigs:main from VijetaPriya47:feature/add-events-for-automatic-actions

Conversation

@VijetaPriya47 (Contributor) commented Jan 18, 2026

This commit implements event generation for automatic certificate-related actions in KubeadmControlPlane to improve observability and monitoring.

Events added:

  1. Kubeconfig certificate rotation - Emits events when kubeconfig client certificates are automatically rotated due to approaching expiry
  2. Certificate-expiry-triggered rollouts - Emits double-sided events (on both Machine and KCP) when machines are rolled out due to certificate expiry

Event pattern:
Following the double-sided event pattern from PR #12930:

  • Events on affected objects (Machines) explain why they're being impacted
  • Events on controller objects (KCP) explain what the controller is doing

This improves observability by allowing operators to:

  • See certificate rotation actions in kubectl get events
  • Set up monitoring/alerting on certificate-related events
  • Understand why machines are being rolled out

Which issue(s) this PR fixes

Fixes #11944 (partially - certificate rotation portion)

Note: This PR addresses certificate rotation in KubeadmControlPlane. PR #12930 addresses MachineHealthCheck events.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-area PR is missing an area label size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 18, 2026
@k8s-ci-robot (Contributor)

This PR is currently missing an area label, which is used to identify the modified component when generating release notes.

Area labels can be added by org members by writing /area ${COMPONENT} in a comment

Please see the labels list for possible areas.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot (Contributor)

Hi @VijetaPriya47. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign justinsb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@VijetaPriya47 (Contributor Author)

@g-gaston @sivchari @fabriziopandini Could you review this please?

This commit adds event constant definitions that will be used to emit
events for automatic certificate-related actions in KubeadmControlPlane:

- EventKubeconfigCertificateRotated: Emitted when kubeconfig certificate
  is automatically rotated due to approaching expiry
- EventKubeconfigCertificateRotationFailed: Emitted when kubeconfig
  certificate rotation fails
- EventCertificateExpiryTriggeredRollout: Emitted when a machine is marked
  for rollout due to certificate expiry approaching the threshold

These constants provide a foundation for improved observability and
monitoring of automatic certificate management operations.

This commit implements event generation for automatic kubeconfig certificate
rotation to improve observability and monitoring.

Changes:
- Add klog/v2 import for event message formatting
- Emit EventKubeconfigCertificateRotated (Normal) when kubeconfig certificate
  is successfully rotated due to approaching expiry
- Emit EventKubeconfigCertificateRotationFailed (Warning) when rotation fails

These events help administrators monitor automatic certificate management and
quickly identify any rotation failures that require attention.

This commit implements event generation when machines are rolled out due to
certificate expiry approaching the configured threshold.

Changes:
- Emit double-sided events following the established pattern:
  * Event on Machine (Warning): Notifies the machine why it's being rolled out
  * Event on KCP (Normal): Notifies the administrator what the controller is doing
- Events are only emitted when rollout is specifically due to certificate expiry
  (detected by checking for "certificates will expire soon" or "rolloutBefore expired"
  in the rollout log messages)

This improves observability by making it clear when automatic rollouts are
triggered by certificate expiry, helping administrators understand and monitor
certificate lifecycle management.

Address mentor feedback by:
- Moving kubeconfig rotation success event after RegenerateSecret to prevent publishing success on failure
- Defining CertificateExpiryRolloutLogMessage in internal/filters.go to avoid hardcoded string matching between filters.go and controller.go
@VijetaPriya47 VijetaPriya47 force-pushed the feature/add-events-for-automatic-actions branch from 5010584 to c5cef6a Compare February 20, 2026 10:04
@VijetaPriya47 (Contributor Author)

@sivchari could you review again? I've resolved all the changes.

Comment on lines +542 to +548

    isCertExpiryRollout := false
    for _, msg := range upToDateResult.LogMessages {
        if strings.Contains(msg, internal.CertificateExpiryRolloutLogMessage) {
            isCertExpiryRollout = true
            break
        }
    }
Member

    isCertExpiryRollout := slices.ContainsFunc(upToDateResult.LogMessages, func(msg string) bool {
        return strings.Contains(msg, internal.CertificateExpiryRolloutLogMessage)
    })

It's simpler.

Contributor Author

@sivchari could you review again? :)
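
A condensed model of the two mechanisms discussed on this page, written for this review rather than taken from the PR or the cluster-api code base: the certificate-expiry rollout check in the slices.ContainsFunc form proposed above, and the double-sided event pattern (Warning on the Machine, Normal on the KCP) from the PR description. The constant's value, the event names and the in-memory Recorder are assumptions standing in for internal.CertificateExpiryRolloutLogMessage and the controller's record.EventRecorder.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Assumed stand-in for internal.CertificateExpiryRolloutLogMessage (value is constructed).
const CertificateExpiryRolloutLogMessage = "certificates will expire soon"

const (
	EventCertificateExpiryTriggeredRollout = "CertificateExpiryTriggeredRollout"
	EventTypeNormal                        = "Normal"
	EventTypeWarning                       = "Warning"
)

// Event is a minimal stand-in for a corev1.Event attached to one object.
type Event struct{ Object, Type, Reason, Message string }

// Recorder collects events in memory instead of sending them to an API server
// (stands in for client-go's record.EventRecorder).
type Recorder struct{ Events []Event }

func (r *Recorder) Eventf(obj, typ, reason, format string, args ...any) {
	r.Events = append(r.Events, Event{Object: obj, Type: typ, Reason: reason, Message: fmt.Sprintf(format, args...)})
}

// IsCertExpiryRollout is the reviewer's slices.ContainsFunc form: true when any
// up-to-date log message contains the shared constant, so no string is duplicated.
func IsCertExpiryRollout(logMessages []string) bool {
	return slices.ContainsFunc(logMessages, func(msg string) bool {
		return strings.Contains(msg, CertificateExpiryRolloutLogMessage)
	})
}

// EmitRolloutEvents applies the double-sided pattern: a Warning on the Machine
// (why it is impacted) and a Normal on the KCP (what the controller is doing).
// It returns how many events were emitted: 0 for rollouts not driven by expiry.
func EmitRolloutEvents(r *Recorder, kcp, machine string, logMessages []string) int {
	if !IsCertExpiryRollout(logMessages) {
		return 0
	}
	r.Eventf(machine, EventTypeWarning, EventCertificateExpiryTriggeredRollout,
		"Machine %s is being rolled out by KubeadmControlPlane %s: %s", machine, kcp, strings.Join(logMessages, "; "))
	r.Eventf(kcp, EventTypeNormal, EventCertificateExpiryTriggeredRollout,
		"Rolling out Machine %s because its certificates are approaching expiry", machine)
	return 2
}
```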

@linux-foundation-easycla bot commented Mar 10, 2026

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 10, 2026
@VijetaPriya47 VijetaPriya47 force-pushed the feature/add-events-for-automatic-actions branch from f1922a1 to b71ef7c Compare March 10, 2026 11:57
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Mar 10, 2026
@sivchari (Member)

/lgtm

@sbueringer @fabriziopandini
Please take a look when you have time.
If we decide to merge this PR, I think we should also check #12930.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 11, 2026
@k8s-ci-robot (Contributor)

LGTM label has been added.

Git tree hash: 6744e591dc05174b9a7a1462f88298ada46d6a5a

Development

Successfully merging this pull request may close these issues.

Request for Events Generation for Automatic Changes in Cluster State

3 participants