joe-elliott / cert-exporter

A Prometheus exporter that publishes cert expirations on disk and in Kubernetes secrets
Apache License 2.0

Add cert-exporter helm chart #48

Closed dan-vaughan closed 3 years ago

dan-vaughan commented 4 years ago

Hi,

My company uses Helm to manage our installed applications, and I noticed a Helm chart was missing for this project. I've created a fairly basic one that assumes Prometheus-Operator is already installed. It also only creates a Deployment for monitoring cert-manager right now, but I may add Daemonsets in future.

Would you rather that this be its own project? And if not, would you object to me adding a GitHub action to release the chart?

If you approve adding a Helm chart in principle, I may add some more commits once I've tested this more thoroughly.

Thanks!

Changelog:

joe-elliott commented 4 years ago

Definitely not opposed to this. Thank you for contributing it.

> And if not, would you object to me adding a GitHub action to release the chart?

Not at all. Honestly I'll probably wait till we do this then pull the chart and deploy it to a local cluster to test.

> If you approve adding a Helm chart in principle, I may add some more commits once I've tested this more thoroughly.

After you're confident it's in a good spot, let's get the GitHub action in and then I'll merge and do some local testing against the built chart.

dan-vaughan commented 3 years ago

I've fixed up the Helm chart, and I've been testing it.

I'm now getting an "Error exporting secret Failed to parse as a pem" for all of the secrets I have that are generated by cert-manager. They're all formatted in base64, and I've confirmed that they're valid. Is it possible that the exporter is failing to decode them from base64?

I'm using the recommended flags for cert-manager exporting:

- --secrets-annotation-selector=cert-manager.io/certificate-name
- --secrets-include-glob=*.crt
- --logtostderr

joe-elliott commented 3 years ago

cert-exporter does attempt to parse the bytes directly as a pem file.

https://github.com/joe-elliott/cert-exporter/blob/master/src/checkers/periodicSecretChecker.go#L139

However, all k8s secrets are base64 encoded. I would presume that the "bytes" here have already been decoded. Were you ever able to parse your cert-manager secrets? If this changed recently did you make any changes to cert-manager such as upgrade its version?

dan-vaughan commented 3 years ago

I just parsed them just now, after decoding from base64. From my reading of the code it appears that bytes may or may not be decoded from Base64 depending on which function is assigned to p.exporter.ExportMetrics.

joe-elliott commented 3 years ago

Right, I mean, have you ever run cert-exporter successfully against cert-manager generated secrets?
Other things that would be useful:

dan-vaughan commented 3 years ago

I can confirm that this was an issue with our version of cert-manager: I've tested it on a much newer version we're about to upgrade to, and it works fine. I should have this MR complete shortly.
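The check discussed in the exchange above, as an added example that is not part of this PR or of cert-exporter's code: it reports whether a secret value parses as PEM directly or only after one more base64 decode. The names `parseCert`, `classify` and `samplePEM` are hypothetical, and the certificate is constructed at run time as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseCert parses the first PEM block in data as an X.509 certificate.
func parseCert(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// classify returns "pem" if data parses as-is, "base64-pem" if it parses only
// after one more base64 decode (value still encoded), otherwise "invalid".
func classify(data []byte) (string, time.Time) {
	if c, err := parseCert(data); err == nil {
		return "pem", c.NotAfter
	}
	if raw, err := base64.StdEncoding.DecodeString(string(data)); err == nil {
		if c, err := parseCert(raw); err == nil {
			return "base64-pem", c.NotAfter
		}
	}
	return "invalid", time.Time{}
}

// samplePEM builds a constructed self-signed certificate (sample input only).
func samplePEM(notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	p := samplePEM(time.Now().Add(24 * time.Hour))
	fmt.Println(classify(p))
	fmt.Println(classify([]byte(base64.StdEncoding.EncodeToString(p))))
}
```

A "base64-pem" result means the bytes handed to the parser still carry a layer of base64, which a direct PEM parse rejects.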

dan-vaughan commented 3 years ago

I'll add the GitHub action to release the chart tomorrow.

dan-vaughan commented 3 years ago

This is done from my end. Please let me know if there are any tweaks that need to be made to the Helm or release action. You'll need to create a gh-pages branch to allow for the hosting of the Helm artifacts.