Feature Request
Resolution: Unresolved
Normal
openshift-4.15, openshift-4.16
1. Proposed title of this feature request.
Trigger alert when csr-signer CA certificate is about to expire
2. What is the nature and description of the request?
New feature request to generate/trigger an alert when the csr-signer CA is about to expire, let's say in the next 5 days.
3. Why does the customer need this? (List the business requirements here)
At the moment there is no such alert. The customer faced an issue where the existing csr-signer CA had a few hours left before expiry and, at the same time, the kubelet generated CSRs for multiple nodes. After the CSRs were approved, the generated kubelet-client and kubelet-server certificates had only a few hours of validity, which triggered another pair of CSR requests to renew the kubelet certificates.
The idea of this RFE is just to inform customers that the csr-signer CA is near expiry and that rotation is about to happen. Customers can then monitor for CA rotation and, if it does not happen in time, they may even raise a case with us to avoid situations where a csr-signer CA with a short remaining duration signs kubelet certificates with a short duration.
4. List any affected packages or components.
csr-signer CA
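
The check this request asks for, as an added sketch that is not part of the ticket or of OpenShift: it reads the CA expiry from `oc get secret csr-signer -o json` style output, applies the 5-day threshold, and models the reported failure in which a kubelet certificate gets no more validity than the CA has left. The annotation key, the 30-day requested lifetime and the sample secret are assumptions or constructed values.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: annotation key carrying the certificate expiry on the secret.
NOT_AFTER = "auth.openshift.io/certificate-not-after"

# Constructed sample, shaped like `oc get secret csr-signer -o json` output.
SAMPLE_SECRET = json.dumps({
    "kind": "Secret",
    "metadata": {
        "name": "csr-signer",
        "annotations": {NOT_AFTER: "2024-06-10T12:00:00Z"},
    },
})


def signer_not_after(secret_json):
    """Read the CA expiry from the secret annotation as an aware UTC datetime."""
    annotations = json.loads(secret_json)["metadata"].get("annotations", {})
    raw = annotations.get(NOT_AFTER)
    if raw is None:
        raise ValueError(f"secret has no {NOT_AFTER} annotation")
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def leaf_validity(ca_not_after, now, requested):
    """Model of the reported failure: a leaf gets at most the CA's remaining time."""
    return max(min(requested, ca_not_after - now), timedelta(0))


def evaluate(secret_json, now, threshold=timedelta(days=5),
             requested=timedelta(days=30)):  # 30 days is an assumed lifetime
    """Return the alert decision and the validity a kubelet cert would get now."""
    not_after = signer_not_after(secret_json)
    remaining = not_after - now
    return {
        "remaining": remaining,
        "alert": remaining <= threshold,
        "expired": remaining <= timedelta(0),
        "leaf_validity": leaf_validity(not_after, now, requested),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_SECRET, datetime.now(timezone.utc)))
```
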