From 7764e00ab4eaf4356542fd1ec0925703154b62e3 Mon Sep 17 00:00:00 2001
From: k8s-infra-cherrypick-robot
 <90416843+k8s-infra-cherrypick-robot@users.noreply.github.com>
Date: Wed, 29 Nov 2023 09:00:46 -0800
Subject: [PATCH] Comment NGINXCertificateExpiry alert label matcher (#10692)

If a valid certificate is passed via `--default-ssl-certificate` it is
probably desiderable that we check its expiration!

Add a comment to explain that.

Co-authored-by: Leonardo Taccari <leonardo@faire.ai>
---
 charts/ingress-nginx/values.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
index 387620bba..06f0f77e9 100644
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@@ -730,6 +730,11 @@ controller:
       #   annotations:
       #     description: bad ingress config - nginx config test failed
       #     summary: uninstall the latest ingress changes to allow config reloads to resume
+      # # By default a fake self-signed certificate is generated as default and
+      # # it is fine if it expires. If `--default-ssl-certificate` flag is used
+      # # and a valid certificate passed please do not filter for `host` label!
+      # # (i.e. delete `{host!="_"}` so also the default SSL certificate is
+      # # checked for expiration)
       # - alert: NGINXCertificateExpiry
       #   expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800
       #   for: 1s