refactor: derive certificate expiry buffer from lifetime, add comments

lfrancke · lfrancke · commit a93a7f6a789c · 2026-03-12T11:11:43.000+01:00
diff --git a/crates/stackable-webhook/src/tls/mod.rs b/crates/stackable-webhook/src/tls/mod.rs
@@ -39,14 +39,25 @@ use crate::{
 mod cert_resolver;
 
 pub const WEBHOOK_CA_LIFETIME: Duration = Duration::from_hours_unchecked(24);
-pub const WEBHOOK_CERTIFICATE_LIFETIME: Duration = Duration::from_hours_unchecked(24);
 
-/// How often to check whether the certificate needs rotation (5 minutes).
+/// The wall-clock lifetime of generated webhook certificates. If this is ever
+/// reduced, ensure it stays well above [`CERTIFICATE_ROTATION_CHECK_INTERVAL`]
+/// (currently 5 minutes), otherwise the certificate could expire between checks.
+const WEBHOOK_CERTIFICATE_LIFETIME_HOURS: u64 = 24;
+pub const WEBHOOK_CERTIFICATE_LIFETIME: Duration =
+    Duration::from_hours_unchecked(WEBHOOK_CERTIFICATE_LIFETIME_HOURS);
+
+/// How often to check whether the certificate needs rotation. This is
+/// intentionally independent of the certificate lifetime — it controls how
+/// quickly we detect wall-clock drift (from hibernation, VM migration, etc.),
+/// not how long the certificate lives.
 const CERTIFICATE_ROTATION_CHECK_INTERVAL: Duration = Duration::from_minutes_unchecked(5);
 
-/// Rotate the certificate when it is within this buffer of expiry according
-/// to wall-clock time (4 hours before the 24h certificate expires).
-const CERTIFICATE_EXPIRY_BUFFER: Duration = Duration::from_hours_unchecked(4);
+/// Rotate the certificate when less than 1/6 of its lifetime remains
+/// (4 hours for the current 24h lifetime). Derived from
+/// [`WEBHOOK_CERTIFICATE_LIFETIME`] so it scales if the lifetime changes.
+const CERTIFICATE_EXPIRY_BUFFER: Duration =
+    Duration::from_minutes_unchecked(WEBHOOK_CERTIFICATE_LIFETIME_HOURS * 60 / 6);
 
 pub type Result<T, E = TlsServerError> = std::result::Result<T, E>;
 
