canonical / manual-tls-certificates-operator

A charmed operator for managing TLS certificates manually.
https://charmhub.io/manual-tls-certificates
Apache License 2.0

cert expiration monitoring #256

Open aieri opened 2 months ago

aieri commented 2 months ago

Enhancement Proposal

As a centralized charm for managing certificates, I think manual-tls-certificates should also provide observability over the lifetime of the certificates it provides. This could for example be a metric indicating the time left until expiration, plus an alert rule firing 30 days prior to it.

As an MSP, a (legacy) equivalent setup - part of openstack-service-checks - has been crucial for us in order to get the ball rolling in time for certificate renewals in Charmed OpenStack clouds. As modern environments rely on charms like this one for managing certificates, it is important to be able to provide similar functionality (but integrated with COS).
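The metric and alert rule proposed above, worked through as an added example (not code from the manual-tls-certificates charm or from the issue author): a standard-library-only walk of the DER structure to reach `tbsCertificate.validity.notAfter`, the resulting seconds-until-expiry gauge value, the 30-day threshold check, and a Prometheus alerting rule expressing the same threshold. The metric name `tls_certificate_expiry_seconds` and the `common_name` label are assumed names, and the sample certificate is constructed in the block (structurally valid DER with empty names and a dummy signature, not a real certificate).

```python
"""Certificate-expiry gauge from a PEM/DER X.509 certificate, standard library only.

Walks just enough DER to reach tbsCertificate.validity.notAfter, computes the
seconds remaining (the value a gauge such as the assumed metric name
``tls_certificate_expiry_seconds`` would carry) and applies the 30-day alert
threshold proposed in the issue.  The sample certificate at the bottom is
CONSTRUCTED: structurally valid DER with empty names and a dummy signature.
"""
import base64
import datetime as dt

UTC = dt.timezone.utc


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos] -> (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Return the (tag, value) list inside a constructed DER value (SEQUENCE etc.)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_der_time(tag: int, value: bytes) -> dt.datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ), RFC 5280 rules."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        year = 2000 + yy if yy < 50 else 1900 + yy   # RFC 5280 two-digit year pivot
        rest = text[2:12]
    elif tag == 0x18:
        year = int(text[:4])
        rest = text[4:14]
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return dt.datetime(year, mo, d, h, mi, s, tzinfo=UTC)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def not_after(der: bytes) -> dt.datetime:
    """Extract validity.notAfter from a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    idx = 1 if fields[0][0] == 0xA0 else 0  # optional EXPLICIT [0] version comes first
    validity_tag, validity = fields[idx + 3]  # serialNumber, signature, issuer, validity
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    tag, value = _children(validity)[1]     # [notBefore, notAfter]
    return parse_der_time(tag, value)


def seconds_until_expiry(der: bytes, now: dt.datetime) -> float:
    """Gauge value: seconds left until notAfter (negative once the cert has expired)."""
    return (not_after(der) - now).total_seconds()


def should_alert(der: bytes, now: dt.datetime, warn_days: int = 30) -> bool:
    """True when the certificate expires within warn_days or has already expired."""
    return seconds_until_expiry(der, now) <= warn_days * 86400


def alert_rule(metric: str = "tls_certificate_expiry_seconds", warn_days: int = 30) -> str:
    """Prometheus alerting rule carrying the same threshold (assumed metric/label names)."""
    return (
        "groups:\n- name: manual-tls-certificates\n  rules:\n"
        "  - alert: TLSCertificateExpiringSoon\n"
        f"    expr: {metric} < {warn_days * 86400}\n"
        "    for: 1h\n    labels:\n      severity: warning\n    annotations:\n"
        "      summary: certificate {{ $labels.common_name }} expires in under "
        f"{warn_days} days\n"
    )


def _tlv(tag: int, value: bytes) -> bytes:
    """DER encoder counterpart of _read_tlv, used only to build the constructed sample."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def constructed_sample_pem() -> str:
    """CONSTRUCTED stand-in certificate valid 2024-01-01 .. 2025-01-01 UTC, unsigned."""
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))    # version v3
                     + _tlv(0x02, b"\x01")               # serialNumber
                     + sig_alg + _tlv(0x30, b"")         # signature, empty issuer
                     + validity + _tlv(0x30, b"")        # validity, empty subject
                     + _tlv(0x30, b""))                  # empty subjectPublicKeyInfo placeholder
    der = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))  # dummy signature BIT STRING
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der = pem_to_der(constructed_sample_pem())
    now = dt.datetime(2024, 12, 10, tzinfo=UTC)
    print("notAfter:", not_after(der).isoformat())
    print("seconds left:", seconds_until_expiry(der, now))
    print("alert:", should_alert(der, now))
    print(alert_rule())
```

In a charm this would run from a periodic hook (for example `update-status`), loop over every certificate the charm has issued and publish one gauge sample per certificate; the rule file then belongs alongside the charm's other Prometheus alert rules so that COS picks it up through the usual metrics and alert-rule relations.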

gruyaume commented 2 months ago

(This is the same answer as on this issue)

Hello @aieri , thank you for proposing this enhancement.

I understand the need for getting metrics related to certificate status.

Self Signed Certificates is a workload-less charm, meaning that there is no web service continuously running that could expose a /metrics endpoint that Prometheus could scrape. This is a known limitation of this charm unfortunately.

In parallel, we are working on new software we call GoCert as well as a Kubernetes charm for it. In the medium term, it will be used to provide certificates obtained in a manual way and replace Manual TLS certificates. In the longer run, it has the capability to also replace self-signed certificates and other TLS providers.