domino_admin_toolkit.checks.test_tls_secret_expiration module

pydantic model domino_admin_toolkit.checks.test_tls_secret_expiration.TlsSecretExpiryAnalyzer

Bases: AnalyzerBase[TlsSecretRow]

Validates TLS secret certificate expiry with WARN/FAIL tiers.

Fields:
field fail_days: int = 7
field warn_days: int = 30
field warn_on_self_signed: bool = True
analyze(data)

Analyzes one row and returns a list of CheckResult instances.

Return type:

list[CheckResult]

Args:

data: One row dict (TRow). The Runner calls this once per DataFrame row.

Returns:

List[CheckResult]: A list containing the results of the analysis.

Raises:

NotImplementedError: If this method is not implemented by subclasses.

name: ClassVar[str] = 'TlsSecretExpiryAnalyzer'
class domino_admin_toolkit.checks.test_tls_secret_expiration.TlsSecretRow

Bases: TypedDict

cert_field: str
chain_position: str
days_until_expiration: int | None
expiry_date: str
issuer: str
namespace: str
secret_name: str
self_signed: bool
status_detail: str
status_label: str
subject: str
domino_admin_toolkit.checks.test_tls_secret_expiration.test_tls_secret_expiration(tls_secret_data, runner)
Description:

Checks TLS certificate expiry across all cluster namespaces by inspecting kubernetes.io/tls Secrets and their certificate fields (tls.crt, ca.crt, and other PEM-encoded certificate fields). Each certificate in a bundle is evaluated individually, including intermediate CA certs in chains.

Failure Conditions:
  • Certificate has already expired

  • Certificate expires in fewer than 7 days

Warning Conditions:
  • Certificate expires in fewer than 30 days

  • Self-signed certificate detected (may be intentional — verify)
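
The tiering above, reimplemented as an added stand-alone example (this is not the toolkit's own analyzer code): it maps TlsSecretRow-shaped dicts to FAIL/WARN/PASS using the documented 7-day and 30-day thresholds and the self-signed warning. The namespace and secret names are constructed, and reporting an unparseable expiry date as WARN is this example's own assumption, not documented behaviour.

```python
from datetime import datetime, timezone

FAIL_DAYS, WARN_DAYS, WARN_ON_SELF_SIGNED = 7, 30, True  # the analyzer's documented defaults


def days_until(expiry_date: str, now: datetime):
    """Whole days from `now` to the cert's notAfter, or None if the date cannot be parsed."""
    try:
        return (datetime.fromisoformat(expiry_date.replace("Z", "+00:00")) - now).days
    except ValueError:
        return None


def tier_for(row: dict, now: datetime):
    """Map one TlsSecretRow-shaped dict to (status, detail) using the WARN/FAIL tiers."""
    where = f"{row['namespace']}/{row['secret_name']}[{row['cert_field']}]"
    days = row.get("days_until_expiration")
    if days is None:  # not precomputed by the fixture: derive it from expiry_date
        days = days_until(row.get("expiry_date", ""), now)
    if days is None:  # assumption: an unreadable expiry is surfaced, not silently passed
        return "WARN", f"{where}: could not parse expiry date {row.get('expiry_date')!r}"
    if days < 0:
        return "FAIL", f"{where}: expired {-days} day(s) ago"
    if days < FAIL_DAYS:
        return "FAIL", f"{where}: expires in {days} day(s), below fail threshold {FAIL_DAYS}"
    if days < WARN_DAYS:
        return "WARN", f"{where}: expires in {days} day(s), below warn threshold {WARN_DAYS}"
    if WARN_ON_SELF_SIGNED and row.get("self_signed"):
        return "WARN", f"{where}: self-signed (issuer == subject); confirm this is intentional"
    return "PASS", f"{where}: expires in {days} day(s)"


# Constructed sample rows, evaluated against a fixed "now" so results are reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"namespace": "domino-platform", "secret_name": "ingress-tls", "cert_field": "tls.crt",
     "expiry_date": "2025-05-20T00:00:00Z", "days_until_expiration": None, "self_signed": False},
    {"namespace": "domino-platform", "secret_name": "keycloak-tls", "cert_field": "tls.crt",
     "expiry_date": "2025-06-04T00:00:00Z", "days_until_expiration": 3, "self_signed": False},
    {"namespace": "domino-compute", "secret_name": "registry-tls", "cert_field": "ca.crt",
     "expiry_date": "2025-06-21T00:00:00Z", "days_until_expiration": 20, "self_signed": False},
    {"namespace": "cert-manager", "secret_name": "webhook-ca", "cert_field": "ca.crt",
     "expiry_date": "2026-03-28T00:00:00Z", "days_until_expiration": 300, "self_signed": True},
    {"namespace": "domino-platform", "secret_name": "broken-tls", "cert_field": "tls.crt",
     "expiry_date": "not-a-date", "days_until_expiration": None, "self_signed": False},
]

if __name__ == "__main__":
    for status, detail in (tier_for(r, NOW) for r in SAMPLE_ROWS):
        print(f"{status:4} {detail}")
```

A FAIL condition always outranks the self-signed warning, so a self-signed cert that is also inside the 7-day window is reported as FAIL.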

Troubleshooting Steps:
  1. Inspect a specific cert expiry date: kubectl -n <ns> get secret <name> -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates (the dot in the key name must be escaped as tls\.crt, otherwise jsonpath treats it as a path separator and prints nothing)

  2. For ca.crt fields, replace 'tls\.crt' with 'ca\.crt' in the above command

  3. If cert-manager manages this cert, check the Certificate CR status: kubectl describe certificate -n <ns> <name>

  4. Verify cert-manager is running and healthy: see test_cert_manager.py

  5. Check Domino Admin UI → Certificates page for renewal status

Resolution Steps:
  1. For cert-manager-managed certs: verify the Issuer/ClusterIssuer is Ready, then trigger manual renewal: kubectl annotate certificate -n <ns> <name> cert-manager.io/issueOnce=true

  2. For manually-managed certs: replace the Secret data with a renewed PEM certificate

  3. For self-signed certs: confirm this is intentional; consider migrating to a CA-signed cert for production workloads

Required Permissions:
  • kubectl read access to Secrets in affected namespaces

  • cert-manager Certificate CR read access (if cert-manager is in use)

  • Domino platform admin access for certificate management via the Domino UI

See also:
  • info/test_certificate_inventory.py — full diagnostic dump with chain validation

  • test_domino_url_cert.py — checks the Domino frontend TLS cert via live SSL handshake

  • test_cert_manager.py — cert-manager controller and CRD health

References:
  • Confluence: Cert-Manager Runbook (page 2716729345)

  • Confluence: Admin Toolkit Runbook (page 1164378243)

  • Incidents: OT-3366, OT-3551, OT-3440, DOM-71255

domino_admin_toolkit.checks.test_tls_secret_expiration.tls_secret_data(certificate_inventory_data)

Derive TLS secret expiry data from the certificate inventory (shared K8s pass).