Rotation notifications don't pass endpoint context to notification plugins #5346

@gijzelaerr

Problem

When Lemur sends a rotation notification, the notification plugin receives the certificate data but not the endpoint being rotated. This makes it impossible for notification plugins to include useful operational context like which load balancer or infrastructure component is being updated.

The flow is:

  1. certificate_rotate celery task calls request_rotation() with the endpoint and certificate
  2. request_rotation() calls send_rotation_notification(certificate) — only the certificate is passed
  3. send_rotation_notification() in messaging.py calls send_default_notification("rotation", data, ...) — no endpoint
  4. send_default_notification() calls plugin.send(notification_type, data, targets, options, **kwargs) — no endpoint in kwargs

The **kwargs plumbing exists all the way through, but the endpoint is never passed into the chain.

Impact

Notification plugins that want to show which endpoint is being rotated (e.g. "Rotating certificate on load balancer X in project Y") cannot do so through the standard notification interface. For example, a Slack notification plugin could produce much more actionable messages if it knew which endpoint triggered the rotation.

Proposed fix

Pass endpoint through the notification chain. The change is small — in certificates/cli.py, pass the endpoint to send_rotation_notification(), and thread it through messaging.py into the plugin's send() call via **kwargs:

```python
# messaging.py — send_rotation_notification()
from flask import current_app

def send_rotation_notification(certificate, endpoint=None):
    data = certificate_notification_output_schema.dump(certificate).data
    data["security_email"] = current_app.config.get("LEMUR_SECURITY_TEAM_EMAIL")
    email_tags = {...}
    # endpoint rides through **kwargs into plugin.send()
    return send_default_notification("rotation", data, [data["owner"]], email_tags=email_tags, endpoint=endpoint)
```

This is backwards compatible — existing plugins that don't accept endpoint already handle **kwargs in their send() signature, and the NotificationPlugin base class accepts **kwargs too.

Happy to submit a PR for this if you're interested.
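Added example, not Lemur's code and not from the issue author: a self-contained model of the four-step chain described in the issue, with the endpoint forwarded as a keyword so it reaches `send()` through `**kwargs`. It also shows the backward-compatibility claim and its limit: a plugin whose `send()` accepts `**kwargs` silently ignores the new keyword, a plugin that names `endpoint` can use it, and a plugin with neither would raise `TypeError`, which the hypothetical `plugin_accepts_endpoint` guard catches before the call. `Endpoint`, `Certificate`, the plugin classes and the guard are all invented for this example; the sample certificate and load balancer are constructed data.

```python
import inspect
from dataclasses import dataclass


@dataclass
class Endpoint:
    # Constructed stand-in for the endpoint being rotated.
    name: str
    type: str
    dnsname: str


@dataclass
class Certificate:
    # Constructed stand-in for the certificate; only what the message needs.
    name: str
    owner: str


class NotificationPlugin:
    """Base class modelled on the issue's description: send() takes **kwargs."""

    def send(self, notification_type, message, targets, options, **kwargs):
        raise NotImplementedError


class LegacyPlugin(NotificationPlugin):
    """A plugin written before the change: it accepts **kwargs and ignores them."""

    def send(self, notification_type, message, targets, options, **kwargs):
        return f"[{notification_type}] {message['name']} -> {', '.join(targets)}"


class EndpointAwarePlugin(NotificationPlugin):
    """A plugin that reads the endpoint and adds it to the message."""

    def send(self, notification_type, message, targets, options, endpoint=None, **kwargs):
        where = f" on {endpoint.type} {endpoint.name} ({endpoint.dnsname})" if endpoint else ""
        return f"[{notification_type}] Rotating {message['name']}{where}"


class StrictPlugin(NotificationPlugin):
    """Hypothetical plugin with no **kwargs: an unexpected keyword makes send() raise TypeError."""

    def send(self, notification_type, message, targets, options):
        return f"[{notification_type}] {message['name']}"


def plugin_accepts_endpoint(plugin):
    """Hypothetical guard: does send() take an 'endpoint' keyword or **kwargs?"""
    params = inspect.signature(plugin.send).parameters
    if "endpoint" in params:
        return True
    return any(p.kind == inspect.Parameter.VAR_KEYWORD for p in params.values())


def send_default_notification(plugin, notification_type, data, targets, **kwargs):
    # Stand-in for the dispatcher step: everything in kwargs reaches plugin.send().
    return plugin.send(notification_type, data, targets, options={}, **kwargs)


def send_rotation_notification(plugin, certificate, endpoint=None):
    # Stand-in for the messaging step: serialise the certificate, then forward
    # the endpoint as a keyword argument so it rides through **kwargs.
    data = {"name": certificate.name, "owner": certificate.owner}
    if not plugin_accepts_endpoint(plugin):
        # Drop the keyword rather than crash a plugin whose signature predates **kwargs.
        return send_default_notification(plugin, "rotation", data, [data["owner"]])
    return send_default_notification(plugin, "rotation", data, [data["owner"]], endpoint=endpoint)


# Constructed sample input.
CERT = Certificate(name="www.example.com-2025", owner="owner@example.com")
ENDPOINT = Endpoint(name="prod-web-lb", type="elb", dnsname="prod-web-lb.example.com")

if __name__ == "__main__":
    for plugin in (LegacyPlugin(), EndpointAwarePlugin(), StrictPlugin()):
        print(send_rotation_notification(plugin, CERT, ENDPOINT))
```

The guard is the check a maintainer would want before relying on "all plugins take `**kwargs`": it costs one `inspect.signature` call per send and turns a hard `TypeError` in a third-party plugin into a message that merely lacks the endpoint.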
