About
verify-k8s-certs is a daemon (Prometheus exporter) that discovers expired TLS certificates in a Kubernetes cluster. It exposes the information
as Prometheus metrics that can be scraped.
Build & dockerize
Build the daemon:
go build -o verify-k8s-certs
Build the docker image:
docker build -t verify-k8s-certs .
How to run
- Run the daemon as a Kubernetes deployment and expose it as a service so Prometheus can
scrape the metrics from its endpoint.
- The deployment needs permission to list all namespaces and all services in the cluster,
so run it with a service account that has these privileges; otherwise it will not work.
- Once the deployment is running on the cluster without errors, add a new job to the scrape_config section of your Prometheus instance
to instruct it to scrape the metrics.
Metrics
The following Prometheus metrics are exposed at the /metrics endpoint:
- (gauge) tls_verifier_seconds_to_expiration_tls_certificate: how many seconds remain until the certificate of a service expires
- (gauge) tls_verifier_discovered_tls_certificates_of_services: how many TLS certificates have been discovered on the exposed services of the cluster
- (counter) tls_verifier_heartbeat: a counter that keeps increasing; it can be used to detect whether the daemon is healthy
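As an added illustration of how the seconds-to-expiration gauge is derived (example code written for this README, not the project's own source): it builds a constructed self-signed certificate, computes the gauge value from its NotAfter field (negative once expired), and renders it in Prometheus text exposition format. The namespace/service label names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeTestCert builds a constructed self-signed certificate with the given
// NotAfter, standing in for the leaf certificate a service presents in a TLS handshake.
func makeTestCert(notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "my-svc.default.svc.cluster.local"},
		NotBefore:    notAfter.Add(-24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SecondsToExpiration is the gauge value for one certificate: seconds left until
// NotAfter, which goes negative once the certificate has already expired.
func SecondsToExpiration(cert *x509.Certificate, now time.Time) float64 {
	return cert.NotAfter.Sub(now).Seconds()
}

// ExpositionLine renders the gauge in Prometheus text format, labelled with the
// namespace and service the certificate was found on (label names are assumptions).
func ExpositionLine(namespace, service string, secs float64) string {
	return fmt.Sprintf("tls_verifier_seconds_to_expiration_tls_certificate{namespace=%q,service=%q} %g",
		namespace, service, secs)
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert, err := makeTestCert(now.Add(72 * time.Hour)) // expires in 3 days
	if err != nil {
		panic(err)
	}
	fmt.Println(ExpositionLine("default", "my-svc", SecondsToExpiration(cert, now)))
}
```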
Author
Angelo Poerio angelo.poerio@gmail.com