Notifications
18 event types across Email, Slack, and Microsoft Teams. Templates with Go variables, dead-letter handling, quiet hours, and per-project routing.
01 Event catalog
Every notifiable event has a stable name. Subscribe channels to event names with optional severity filters.
| Event | Default severity |
|---|---|
| cert.requested | info |
| cert.issued | info |
| cert.renewal.success | info |
| cert.renewal.failed | warn |
| cert.renewal.stalled | critical |
| cert.expiring.30d / 14d / 3d | info / warn / critical |
| cert.expired | critical |
| cert.revoked | warn |
| distribution.success | info |
| distribution.failed | warn |
| discovery.finding.new | warn |
| discovery.drift | warn |
| approval.requested | info |
| approval.granted / rejected | info |
| kek.rotation.phase | info |
| audit.chain.broken | critical |
02 Channels
Configure under Settings → Notifications → Channels.
- Email — SMTP host, port, STARTTLS / TLS, auth. Per-recipient lists.
- Slack — incoming webhook URL or Bot OAuth token.
- Microsoft Teams — Workflow URL (Power Automate) or legacy connector.
03 Templates
Each event has a default template you can override. Variables are exposed via Go templating:
```
Subject: [{{.severity | upper}}] {{.event}} — {{.cert.cn}}

The certificate {{.cert.cn}} (issued by {{.cert.issuer}}) is now
{{.cert.status}}.

Project: {{.project}}
Fingerprint: {{.cert.fingerprint_sha256}}
Expires: {{.cert.not_after | date "2006-01-02"}}
Detail: {{.url.cert}}
```
Functions: upper, lower, date, truncate, relative. Per-channel overrides allow distinct formatting for Slack vs email.
04 Routing
A route binds events to channels with optional filters:
- Severity at least — `warn` filters out `info` noise.
- Project — only match events from `production`.
- Tag — match certs tagged `tier:tier-0`.
Multiple routes can match the same event; each fires independently.
05 Quiet hours
Per-route schedule to suppress non-critical events during off-hours. Critical events always fire. Useful for renewal-success spam — fine to suppress, but you still want to hear about cert.renewal.stalled at 3 AM.
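The routing filters and the quiet-hours rule described above can be modelled as follows. This is an added example, not the product's code: the `Event` and `Route` types, their field names, the channel names and the hour-based quiet window are assumptions made for illustration.

```go
package main

import "fmt"

var rank = map[string]int{"info": 0, "warn": 1, "critical": 2} // order assumed from the catalog

// Event and Route are hypothetical models; field names are assumptions, not the product's schema.
type Event struct {
	Name, Severity, Project string
	Tags                    map[string]bool
	Hour                    int // hour of day (0-23) in the route's schedule time zone
}
type Route struct {
	Channel, MinSeverity, Project, Tag string // an empty filter matches anything
	QuietStart, QuietEnd               int    // quiet window in hours; equal means none
}

var sampleRoutes = []Route{ // constructed: Slack quiet 22:00-07:00, email for tier-0 certs
	{Channel: "slack-ops", MinSeverity: "warn", Project: "production", QuietStart: 22, QuietEnd: 7},
	{Channel: "email-pki", Tag: "tier:tier-0"},
}

func (r Route) matches(e Event) bool {
	return rank[e.Severity] >= rank[r.MinSeverity] &&
		(r.Project == "" || r.Project == e.Project) && (r.Tag == "" || e.Tags[r.Tag])
}

func (r Route) quiet(h int) bool {
	if r.QuietStart > r.QuietEnd { // window wraps past midnight, e.g. 22 -> 7
		return h >= r.QuietStart || h < r.QuietEnd
	}
	return h >= r.QuietStart && h < r.QuietEnd
}

// Deliveries returns the channels that fire; every matching route is evaluated independently.
func Deliveries(routes []Route, e Event) []string {
	var out []string
	for _, r := range routes {
		if r.matches(e) && (e.Severity == "critical" || !r.quiet(e.Hour)) {
			out = append(out, r.Channel)
		}
	}
	return out
}

func main() { // both constructed events arrive at 3 AM, inside the Slack route's quiet window
	fmt.Println(Deliveries(sampleRoutes, Event{"cert.renewal.failed", "warn", "production", nil, 3}))
	fmt.Println(Deliveries(sampleRoutes, Event{"cert.renewal.stalled", "critical", "production", nil, 3}))
}
```

When reviewing real routes, the case worth checking is a quiet window that crosses midnight: a naive `start <= hour < end` test never matches it, so suppression silently does nothing.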
06 Dead-letter
If a channel fails (Slack 5xx, SMTP refusal), the message is queued to a dead-letter buffer with exponential retry up to 24 h. After 24 h the message is dropped and a notification.delivery.failed audit event records it. Failed deliveries surface under Settings → Notifications → History with their final status and last error.
07 Testing a channel
Each channel has a Send test button — fires a fixture event and reports the channel's response. Always click it after creating or editing a channel.