Kubernetes uses PKI certificates for authentication between all major components. These certs are critical for the operation of your cluster but are often opaque to an administrator. This application is designed to parse certificates and export expiration information for Prometheus to scrape.
WARNING If you run this application in your cluster it will probably require elevated privileges of some kind. Additionally you are exposing VERY sensitive information to it. Review the source!
cert-exporter can publish metrics about
- x509 certificates on disk encoded in the PEM format and PKCS12 format
- Certs embedded or referenced from kubeconfig files.
- Certs stored in Kubernetes
- secrets
- direct support for cert-manager
- support for password-protected certificates
- configmaps
- admission webhooks
- cert-manager [CertificateRequest] (https://cert-manager.io/docs/usage/certificaterequest/)
- secrets
- Certs stored in AWS Secrets manager
See deployment for detailed information on running cert-exporter and examples of running it in a kops cluster.
See custom-secrets for examples of how to run cert-exporter
to scrape certificates in secrets managed by you (not cert-manager).
To enable and scrape certificates from AWS secrets, do the following:
go run main.go --aws-account=<account_number> --aws-region=<region> --aws-secret=<secret_name_1> [--aws-secret=<secret_name_2>]
Of course, AWS credentials must be configured. See https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html
helm repo add cert-exporter https://joe-elliott.github.io/cert-exporter/
helm repo update
helm upgrade --install cert-exporter cert-exporter/cert-exporter
After running cert-exporter in your cluster it's easy to build a custom dashboard to expose information about the certs in your cluster.
cert-exporter exports the following metrics
# HELP cert_exporter_error_total Cert Exporter Errors
# TYPE cert_exporter_error_total counter
cert_exporter_error_total 0
# HELP cert_exporter_cert_expires_in_seconds Number of seconds til the cert expires.
# TYPE cert_exporter_cert_expires_in_seconds gauge
cert_exporter_cert_expires_in_seconds{filename="certsSibling/client.crt",issuer="root",nodename="master0"} 8.639964560021e+06
# HELP cert_exporter_kubeconfig_expires_in_seconds Number of seconds til the cert in kubeconfig expires.
# TYPE cert_exporter_kubeconfig_expires_in_seconds gauge
cert_exporter_kubeconfig_expires_in_seconds{filename="kubeConfigSibling/kubeconfig",name="cluster1",nodename="master0",type="cluster"} 8.639964559682e+06
cert_exporter_kubeconfig_expires_in_seconds{filename="kubeConfigSibling/kubeconfig",name="user1",nodename="master0",type="user"} 8.639964559249e+06
# HELP cert_exporter_secret_expires_in_seconds Number of seconds til the cert in the secret expires.
# TYPE cert_exporter_secret_expires_in_seconds gauge
cert_exporter_secret_expires_in_seconds{cn="example.com",issuer="example.com",key_name="ca.crt",secret_name="selfsigned-cert-tls",secret_namespace="cert-manager-test"} 8.6396867095666e+06
cert_exporter_secret_expires_in_seconds{cn="example.com",issuer="example.com",key_name="tls.crt",secret_name="selfsigned-cert-tls",secret_namespace="cert-manager-test"} 8.639686709417423e+06
# HELP certrequest_expires_in_seconds Number of seconds til the cert in the CertificateRequest expires.
# TYPE certrequest_expires_in_seconds gauge
cert_exporter_certrequest_expires_in_seconds{cert_request="example-crt-gn762",certrequest_namespace="cert-manager-test",cn="example.com",issuer="example.com"}
# HELP certrequest_not_after_timestamp Timestamp when the cert in the CertificateRequest expires.
# TYPE certrequest_not_after_timestamp gauge
cert_exporter_certrequest_not_after_timestamp{cert_request="example-crt-gn762",certrequest_namespace="cert-manager-test",cn="example.com",issuer="example.com"}
cert_exporter_error_total
The total number of unexpected errors encountered by cert-exporter. A good metric to watch to feel comfortable certs are being exported properly.
cert_exporter_cert_expires_in_seconds
The number of seconds until a certificate stored in the PEM format is expired. The filename
, issuer
, cn
, and nodename
label indicates the exported cert.
cert_exporter_kubeconfig_expires_in_seconds
The number of seconds until a certificate stored in a kubeconfig expires. The filename
, type
, name
, and nodename
labels indicate the kubeconfig, cluster or user node and name of the node. See details here.
cert_exporter_secret_expires_in_seconds
The number of seconds until a certificate stored in a kubernetes secret expires. The key_name
, issuer
, cn
, secret_name
, and secret_namespace
labels indicate the secret key, name and namespace.
cert_exporter_certrequest_expires_in_seconds
The number of seconds until a certificate stored in a cert-manager CertificateRequest expires. The cert_request
, issuer
, cn
, and certrequest_namespace
labels indicate the CertificateRequest, comon name and namespace.
cert_exporter_certrequest_not_after_timestamp
The timestamp when a certificate stored in a cert-manager CertificateRequest expires. The cert_request
, issuer
, cn
, and certrequest_namespace
labels indicate the CertificateRequest, comon name and namespace.
- Testing
- An overview of the testing scripts and how to run them. It requires kind CLI.
- Deployment
- Information on how to deploy cert-exporter as well as examples for a kops cluster.
- Daemonset for Prometheus-operator
- How to deploy daemonset+service+servicemonitor+dashboard if you use prometheus-operator into the
monitoring
namespace
- How to deploy daemonset+service+servicemonitor+dashboard if you use prometheus-operator into the
cert-exporter's People
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.