When a secret's cert is about to expire, the CertificateApproachingExpiration alert is set to fire, but it currently does not check whether there are other overlapping certs for the same service.
KubeVirt-related repos that work with this mechanism: https://github.com/k8snetworkplumbingwg/kubemacpool.
Background:
It is possible to add multiple certificates with overlapping validity periods to a secret. This is done to ensure that during rotation there is no transient period without a valid cert.
The idea is that when the "renewBefore" period comes, instead of replacing the "soon to be expired" certificate, you create a new cert and add it to the secret. When the "duration" of the "soon to be expired" cert expires, it is removed, and only the most recently added cert is left. This cycle continues, so the connection always has a valid certificate.
The Problem:
This overlapping rotation mechanism, while valid, conflicts with the current logic of the CertificateApproachingExpiration alert, as it only looks at the first cert in the secret.
This could lead to a false positive firing of the alert.
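
One way an expiry check could account for overlapping certs, as an added example that is not code from kubemacpool or from the alert's own implementation: it parses every certificate in a PEM bundle and reports approaching expiration only when the longest-lived one falls inside the window. The function names, the 24-hour threshold and the generated sample bundle are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// approachingExpiration is true only if no cert in the bundle outlives now+threshold.
func approachingExpiration(bundle []byte, now time.Time, threshold time.Duration) (bool, error) {
	var latest time.Time
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return false, err
		}
		if cert.NotAfter.After(latest) {
			latest = cert.NotAfter // track the longest-lived cert, not the first one
		}
	}
	if latest.IsZero() {
		return false, fmt.Errorf("no certificates found in bundle")
	}
	return latest.Before(now.Add(threshold)), nil
}

// sampleBundle builds a constructed PEM bundle of self-signed certs, one per lifetime.
func sampleBundle(now time.Time, lifetimes ...time.Duration) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	var out []byte
	for i, d := range lifetimes {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(d)}
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}

func main() {
	now := time.Now()
	fire, err := approachingExpiration(sampleBundle(now, 2*time.Hour, 48*time.Hour), now, 24*time.Hour)
	fmt.Println(fire, err)
}
```

With the old cert first in the bundle and the overlapping replacement second, the check stays quiet; it fires once the only remaining cert is inside the window.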