amimof / node-cert-exporter

An SSL certificate Prometheus exporter
Apache License 2.0

Ability to parse certificates stored in kubernetes secrets #81

Closed xgreif closed 1 year ago

xgreif commented 1 year ago

Is it possible to have this parse the certificates stored inside kubernetes secrets, similar to what https://github.com/lmolas/kubectl-view-cert does? We'd like to get alerts close to the certificates expiration date. Thanks for the great work!

amimof commented 1 year ago

Hi @xgreif thanks for the feedback. I'll definitely put this in my backlog and start working on it as soon as I have time. You are welcome to open a PR if you want to implement it yourself

triantium commented 1 year ago

You can already do that, if you make a namespace specific deployment and mount the secrets as volumes.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-cert-exporter
# The exporter never talks to the API server, so it needs no token mounted.
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: node-cert-exporter
  name: node-cert-exporter
spec:
  selector:
    matchLabels:
      app: node-cert-exporter
  template:
    metadata:
      name: node-cert-exporter
      labels:
        app: node-cert-exporter
    spec:
      # serviceAccount fields belong to the pod spec, not to the container.
      serviceAccount: node-cert-exporter
      serviceAccountName: node-cert-exporter
      containers:
        - image: 'ghcr.io/amimof/node-cert-exporter:latest'
          args:
            - "--v=2"
            - "--logtostderr=true"
            # The exporter scans this directory tree for certificate files.
            - "--path=/opt/certs/"
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          name: node-cert-exporter
          ports:
            - containerPort: 9117
              name: http
              protocol: TCP
          resources:
            limits:
              cpu: 50m
              memory: 256Mi
            requests:
              cpu: 50m
              memory: 128Mi
          # Each secret is mounted as its own directory under --path.
          volumeMounts:
            - name: mtls-kafka-cert-2
              mountPath: /opt/certs/mtls/kafka/cert-2
            - name: mtls-kafka-cert-1
              mountPath: /opt/certs/mtls/kafka/cert-1
      volumes:
        - name: mtls-kafka-cert-2
          secret:
            secretName: mtls-cert-2
            optional: false
        - name: mtls-kafka-cert-1
          secret:
            secretName: mtls-cert-1
            optional: false

xgreif commented 1 year ago

Thanks @triantium, your suggestion works! The guys in the team decided to expose just the .crt part of the secret, due to security concerns, and we added a subPath config to get it right. Thanks a bunch!
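The ".crt only" variant described in the last comment, written out as an added example (not a manifest from the thread or from the project): the Secret is assumed to be a `kubernetes.io/tls` secret with the keys `tls.crt` and `tls.key`, and `subPath` mounts only the public certificate into the exporter, so the private key never enters the container's filesystem.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-cert-exporter
spec:
  selector:
    matchLabels:
      app: node-cert-exporter
  template:
    metadata:
      labels:
        app: node-cert-exporter
    spec:
      serviceAccountName: node-cert-exporter
      automountServiceAccountToken: false
      containers:
        - name: node-cert-exporter
          image: 'ghcr.io/amimof/node-cert-exporter:latest'
          args:
            - "--path=/opt/certs/"
          ports:
            - containerPort: 9117
              name: http
          volumeMounts:
            # Only the single key tls.crt is mounted; tls.key stays out of the pod.
            - name: mtls-kafka-cert-1
              mountPath: /opt/certs/mtls/kafka/cert-1/tls.crt
              subPath: tls.crt
              readOnly: true
      volumes:
        - name: mtls-kafka-cert-1
          secret:
            # Assumed name of a kubernetes.io/tls secret (tls.crt + tls.key).
            secretName: mtls-cert-1
            optional: false
```

One caveat: files mounted via `subPath` are not refreshed by the kubelet when the Secret is updated, so after a certificate renewal the pod must be restarted before the exported expiry metric changes; projecting only `tls.crt` with `secret.items` and mounting the whole directory achieves the same key filtering while still picking up rotations.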