About the developer

joe-elliott
122 Stars 30 Forks Apache License 2.0 254 Commits 6 Opened issues

Description

A Prometheus exporter that publishes cert expirations on disk and in Kubernetes secrets

cert-exporter

Kubernetes uses PKI certificates for authentication between all major components. These certs are critical for the operation of your cluster but are often opaque to an administrator. This application is designed to parse certificates and export expiration information for Prometheus to scrape.

WARNING If you run this application in your cluster it will probably require elevated privileges of some kind. Additionally you are exposing VERY sensitive information to it. Review the source!

Usage

cert-exporter can publish metrics about

  • x509 certificates on disk encoded in the PEM format
  • Certs embedded or referenced from kubeconfig files.
  • Certs stored in Kubernetes secrets. This supports applications such as cert-manager.

See deployment for detailed information on running cert-exporter and examples of running it in a kops cluster.

See custom-secrets for examples of how to run cert-exporter to scrape certificates in secrets managed by you (not cert-manager).

To enable and scrape certificates from AWS secrets, do the following:

go run main.go --aws-account= --aws-region= --aws-secret= [--aws-secret=]
Of course, AWS credentials must be configured. See https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html

Dashboard

After running cert-exporter in your cluster it's easy to build a custom dashboard to expose information about the certs in your cluster.

cert-exporter dashboard

Exported Metrics

cert-exporter exports the following metrics

# HELP cert_exporter_error_total Cert Exporter Errors
# TYPE cert_exporter_error_total counter
cert_exporter_error_total 0
# HELP cert_exporter_cert_expires_in_seconds Number of seconds til the cert expires.
# TYPE cert_exporter_cert_expires_in_seconds gauge
cert_exporter_cert_expires_in_seconds{filename="certsSibling/client.crt",issuer="root",nodename="master0"} 8.639964560021e+06
# HELP cert_exporter_kubeconfig_expires_in_seconds Number of seconds til the cert in kubeconfig expires.
# TYPE cert_exporter_kubeconfig_expires_in_seconds gauge
cert_exporter_kubeconfig_expires_in_seconds{filename="kubeConfigSibling/kubeconfig",name="cluster1",nodename="master0",type="cluster"} 8.639964559682e+06
cert_exporter_kubeconfig_expires_in_seconds{filename="kubeConfigSibling/kubeconfig",name="user1",nodename="master0",type="user"} 8.639964559249e+06
# HELP cert_exporter_secret_expires_in_seconds Number of seconds til the cert in the secret expires.
# TYPE cert_exporter_secret_expires_in_seconds gauge
cert_exporter_secret_expires_in_seconds{cn="example.com",issuer="example.com",key_name="ca.crt",secret_name="selfsigned-cert-tls",secret_namespace="cert-manager-test"} 8.6396867095666e+06
cert_exporter_secret_expires_in_seconds{cn="example.com",issuer="example.com",key_name="tls.crt",secret_name="selfsigned-cert-tls",secret_namespace="cert-manager-test"} 8.639686709417423e+06

cert_exporter_error_total
The total number of unexpected errors encountered by cert-exporter. A good metric to watch to feel comfortable certs are being exported properly.

cert_exporter_cert_expires_in_seconds
The number of seconds until a certificate stored in the PEM format expires. The filename, issuer, cn, and nodename labels indicate the exported cert.
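
What a value such as cert_exporter_cert_expires_in_seconds represents, shown as an added Go example (not cert-exporter's own code): walk every block of a PEM bundle, skip non-certificate blocks, and report NotAfter minus the current time in seconds. The function names and the constructed self-signed sample certificates are assumptions made for this illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// secondsLeft returns NotAfter-now in seconds for every CERTIFICATE block in a
// PEM bundle, keyed by subject CN. Expired certs yield negative values.
func secondsLeft(bundle []byte, now time.Time) (map[string]float64, error) {
	out := map[string]float64{}
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // e.g. a private key stored in the same file
		}
		cert, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		out[cert.Subject.CommonName] = cert.NotAfter.Sub(now).Seconds()
	}
	return out, nil
}

// sampleCert builds a constructed self-signed cert (demo input only).
func sampleCert(cn string, notAfter time.Time) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	bundle := append(sampleCert("leaf.example", now.Add(100*24*time.Hour)),
		sampleCert("old.example", now.Add(-time.Hour))...)
	fmt.Println(secondsLeft(bundle, now))
}
```

A negative value means the certificate has already expired, so an alert threshold on this kind of gauge should fire well above zero.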

cert_exporter_kubeconfig_expires_in_seconds
The number of seconds until a certificate stored in a kubeconfig expires. The filename, type, name, and nodename labels indicate the kubeconfig, cluster or user node and name of the node. See details here.

cert_exporter_secret_expires_in_seconds
The number of seconds until a certificate stored in a Kubernetes secret expires. The key_name, issuer, cn, secret_name, and secret_namespace labels indicate the secret key, name and namespace.

Other Docs
