slauger
diff --git a/‎api/v1alpha1/certificate_types.go‎
Lines changed: 9 additions & 1 deletion b/‎api/v1alpha1/certificate_types.go‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎charts/openvox-operator/crds/openvox.voxpupuli.org_certificates.yaml‎
Lines changed: 8 additions & 0 deletions b/‎charts/openvox-operator/crds/openvox.voxpupuli.org_certificates.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎config/crd/bases/openvox.voxpupuli.org_certificates.yaml‎
Lines changed: 8 additions & 0 deletions b/‎config/crd/bases/openvox.voxpupuli.org_certificates.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎docs/guides/ca-import.md‎
Lines changed: 16 additions & 65 deletions b/‎docs/guides/ca-import.md‎
Lines changed: 16 additions & 65 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎images/openvox-agent/Containerfile‎
Lines changed: 1 addition & 1 deletion b/‎images/openvox-agent/Containerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎images/openvox-db/Containerfile‎
Lines changed: 1 addition & 1 deletion b/‎images/openvox-db/Containerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎images/openvox-e2e-code/Containerfile‎
Lines changed: 1 addition & 1 deletion b/‎images/openvox-e2e-code/Containerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎images/openvox-mock/Containerfile‎
Lines changed: 1 addition & 1 deletion b/‎images/openvox-mock/Containerfile‎
Lines changed: 1 addition & 1 deletion
@@ -69,17 +69,25 @@ type CertificateSpec struct {
 	// CSRExtensions defines Puppet CSR extension attributes to embed in the CSR.
 	// +optional
 	CSRExtensions *CSRExtensionsSpec `json:"csrExtensions,omitempty"`
+
+	// RenewBefore is the duration before expiration when the certificate should be renewed.
+	// Uses duration format: "60d", "30d", "720h".
+	// +kubebuilder:default="60d"
+	// +kubebuilder:validation:Pattern=`^\d+[smhdy]$`
+	// +optional
+	RenewBefore string `json:"renewBefore,omitempty"`
 }
 
 // CertificatePhase represents the current lifecycle phase of a Certificate.
-// +kubebuilder:validation:Enum=Pending;Requesting;WaitingForSigning;Signed;Error
+// +kubebuilder:validation:Enum=Pending;Requesting;WaitingForSigning;Signed;Renewing;Error
 type CertificatePhase string
 
 const (
 	CertificatePhasePending           CertificatePhase = "Pending"
 	CertificatePhaseRequesting        CertificatePhase = "Requesting"
 	CertificatePhaseWaitingForSigning CertificatePhase = "WaitingForSigning"
 	CertificatePhaseSigned            CertificatePhase = "Signed"
+	CertificatePhaseRenewing          CertificatePhase = "Renewing"
 	CertificatePhaseError             CertificatePhase = "Error"
 )
 
 
@@ -95,6 +95,13 @@ spec:
                 items:
                   type: string
                 type: array
+              renewBefore:
+                default: 60d
+                description: |-
+                  RenewBefore is the duration before expiration when the certificate should be renewed.
+                  Uses duration format: "60d", "30d", "720h".
+                pattern: ^\d+[smhdy]$
+                type: string
             required:
             - authorityRef
             type: object
@@ -169,6 +176,7 @@ spec:
                 - Requesting
                 - WaitingForSigning
                 - Signed
+                - Renewing
                 - Error
                 type: string
               secretName:
 
@@ -95,6 +95,13 @@ spec:
                 items:
                   type: string
                 type: array
+              renewBefore:
+                default: 60d
+                description: |-
+                  RenewBefore is the duration before expiration when the certificate should be renewed.
+                  Uses duration format: "60d", "30d", "720h".
+                pattern: ^\d+[smhdy]$
+                type: string
             required:
             - authorityRef
             type: object
@@ -169,6 +176,7 @@ spec:
                 - Requesting
                 - WaitingForSigning
                 - Signed
+                - Renewing
                 - Error
                 type: string
               secretName:
 
@@ -1,11 +1,6 @@
 # Importing or Connecting an External CA
 
-This guide covers two approaches for using an existing Puppet or OpenVox CA with the operator:
-
-1. **CA Import** -- copy existing CA data into the operator-managed PVC (one-time migration)
-2. **External CA** -- point the operator at a running CA outside the cluster (ongoing delegation)
-
-## Option A: CA Import (One-Time Migration)
+## CA Import (One-Time Migration)
 
 If you have an existing CA and want the operator to manage it going forward, you can import the CA data into the operator's PVC.
 
@@ -68,7 +63,7 @@ If you have an existing CA and want the operator to manage it going forward, you
 
 3. The CA setup Job will detect existing data and skip regeneration. The operator will create the corresponding Secrets and transition to `Ready`.
 
-## Option B: External CA (Ongoing Delegation)
+## External CA (Ongoing Delegation)
 
 If you have a Puppet/OpenVox CA running outside the cluster and want to keep using it, configure `spec.external` on the `CertificateAuthority` resource. The operator will delegate CSR signing and CRL fetching to the external CA URL.
 
@@ -78,14 +73,20 @@ If you have a Puppet/OpenVox CA running outside the cluster and want to keep usi
 - The CA's public certificate (`ca_crt.pem`)
 - (Optional) A client certificate and key for mTLS authentication
 
+!!! tip "Using an existing Puppet CA"
+    On a traditional Puppet CA server, the CA certificate is typically located at `/etc/puppetlabs/puppet/ssl/certs/ca.pem`. You can copy it with:
+    ```bash
+    scp puppet-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem ca_crt.pem
+    ```
+
 ### Steps
 
 1. Create Secrets with the CA certificate and optional client credentials:
 
     ```bash
     # CA certificate for TLS verification
     kubectl create secret generic external-ca-cert \
-      --from-file=ca_crt.pem=/path/to/ca_crt.pem
+      --from-file=ca_crt.pem=ca_crt.pem
 
     # (Optional) Client certificate for mTLS
     kubectl create secret generic external-ca-tls \
@@ -118,6 +119,13 @@ If you have a Puppet/OpenVox CA running outside the cluster and want to keep usi
    - Periodically fetch the CRL from the external CA
    - Route CSR signing requests to the external CA
 
+4. Verify the CA transitions to `External` phase:
+
+    ```bash
+    kubectl get ca external-ca -o jsonpath='{.status.phase}'
+    # Expected: External
+    ```
+
 ### External CA Fields
 
 | Field | Required | Description |
@@ -187,60 +195,3 @@ In a multi-cluster or multi-namespace setup you can run one openvox-stack as the
     ```
 
 5. The secondary stack will now delegate all CSR signing and CRL fetching to the primary CA.
-
-## Using an Existing Puppet CA as External CA
-
-If you already run a traditional Puppet CA (on a VM or bare-metal server) and want to manage Puppet agents via the operator without migrating the CA, you can point the operator at the existing CA.
-
-### Prerequisites
-
-- The Puppet CA server is accessible from the Kubernetes cluster (e.g. `https://puppet-ca.example.com:8140`)
-- You have access to the CA certificate file (typically `/etc/puppetlabs/puppet/ssl/certs/ca.pem` on the Puppet CA server)
-- (Optional) A signed client certificate and key for mTLS if the CA requires client authentication
-
-### Steps
-
-1. Copy the CA certificate from the Puppet CA server:
-
-    ```bash
-    scp puppet-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem ca_crt.pem
-    ```
-
-2. Create the Kubernetes Secrets:
-
-    ```bash
-    # CA certificate for TLS verification
-    kubectl create secret generic puppet-ca-cert \
-      --from-file=ca_crt.pem=ca_crt.pem
-
-    # (Optional) Client certificate for mTLS
-    # Use a signed certificate from the existing Puppet CA
-    kubectl create secret generic puppet-ca-tls \
-      --from-file=tls.crt=/path/to/client.pem \
-      --from-file=tls.key=/path/to/client-key.pem
-    ```
-
-3. Create the `CertificateAuthority` resource:
-
-    ```yaml
-    apiVersion: openvox.voxpupuli.org/v1alpha1
-    kind: CertificateAuthority
-    metadata:
-      name: puppet-ca
-    spec:
-      allowSubjectAltNames: true
-      allowAuthorizationExtensions: true
-      enableInfraCRL: true
-      crlRefreshInterval: 5m
-      external:
-        url: https://puppet-ca.example.com:8140
-        caSecretRef: puppet-ca-cert
-        tlsSecretRef: puppet-ca-tls
-    ```
-
-4. Verify the CA transitions to `External` phase:
-
-    ```bash
-    kubectl get ca puppet-ca -o jsonpath='{.status.phase}'
-    # Expected: External
-    ```
@@ -7,6 +7,7 @@ require (
 	k8s.io/api v0.35.4
 	k8s.io/apimachinery v0.35.4
 	k8s.io/client-go v0.35.4
+	k8s.io/utils v0.0.0-20260319190234-28399d86e0b5
 	sigs.k8s.io/controller-runtime v0.23.3
 	sigs.k8s.io/gateway-api v1.5.1
 )
@@ -96,7 +97,6 @@ require (
 	k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect
 	k8s.io/klog/v2 v2.140.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260304202019-5b3e3fdb0acf // indirect
-	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect
 	sigs.k8s.io/controller-tools v0.20.1 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 
@@ -263,8 +263,8 @@ k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260304202019-5b3e3fdb0acf h1:btPscg4cMql0XdYK2jLsJcNEKmACJz8l+U7geC06FiM=
 k8s.io/kube-openapi v0.0.0-20260304202019-5b3e3fdb0acf/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
-k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU=
-k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
+k8s.io/utils v0.0.0-20260319190234-28399d86e0b5 h1:kBawHLSnx/mYHmRnNUf9d4CpjREbeZuxoSGOX/J+aYM=
+k8s.io/utils v0.0.0-20260319190234-28399d86e0b5/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 h1:hSfpvjjTQXQY2Fol2CS0QHMNs/WI1MOSGzCm1KhM5ec=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80=
 
@@ -9,7 +9,7 @@
 # renovate: datasource=github-releases depName=OpenVoxProject/openvox versioning=loose
 ARG OPENVOX_AGENT_VERSION=8.25.0
 
-FROM registry.access.redhat.com/ubi9/ubi:9.7-1776315208
+FROM registry.access.redhat.com/ubi9/ubi:9.7-1776645994
 
 ARG OPENVOX_AGENT_VERSION
 
 
@@ -14,7 +14,7 @@ ARG OPENVOXDB_VERSION=8.12.1
 ################################################################################
 # Stage: base — JRE + minimal runtime deps
 ################################################################################
-FROM registry.access.redhat.com/ubi9/ubi:9.7-1776315208 AS base
+FROM registry.access.redhat.com/ubi9/ubi:9.7-1776645994 AS base
 
 ARG JDK_VERSION=17
 
 
@@ -8,7 +8,7 @@
 #   podman build -t openvox-e2e-code:latest -f images/openvox-e2e-code/Containerfile .
 
 # Stage 1: Install modules with r10k
-FROM registry.access.redhat.com/ubi9/ubi:9.7-1776315208 AS builder
+FROM registry.access.redhat.com/ubi9/ubi:9.7-1776645994 AS builder
 
 RUN dnf module enable ruby:3.3 -y \
     && dnf install -y --setopt=install_weak_deps=False ruby ruby-devel rubygem-bundler git gcc make redhat-rpm-config libffi-devel \
 
@@ -11,7 +11,7 @@ RUN go mod download
 COPY cmd/mock/ cmd/mock/
 RUN CGO_ENABLED=0 go build -o /openvox-mock ./cmd/mock/
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776104705
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776645941
 
 LABEL org.opencontainers.image.title="OpenVox Mock" \
       org.opencontainers.image.description="Mock ENC/Report/OpenVox DB receiver for E2E tests" \