joe-elliott / cert-exporter

A Prometheus exporter that publishes cert expirations on disk and in Kubernetes secrets
Apache License 2.0

How to get the cert details of ETCD node #78

Open Ashikash13 opened 3 years ago

Ashikash13 commented 3 years ago

Hi, hope you are doing great.

I have implemented cert-exporter by following the document below: https://github.com/joe-elliott/cert-exporter/blob/master/docs/kops-masters.yaml

The problem I am facing: I am using legacy Kubernetes, which is set up on EC2 instances, not EKS. I have deployed the above DaemonSet, which is running on the master, and my master certs are located at /etc/kubernetes/pki. After changing the argument in the DS, it started capturing the master certs.

Now the issue is how to monitor the ETCD certs, where the certificates are located on my etcd node at /etc/kubernetes/pki/etcd. The etcd certs are only on the etcd node; for legacy Kubernetes we cannot find them on the master node.

joe-elliott commented 3 years ago

You can pass multiple --include-cert-glob arguments. Can you just add the second etcd path?

Does this not meet your needs?

Ashikash13 commented 3 years ago

Thanks for replying. I already tried it; it doesn't work that way either.

Let me brief you here: I have logged in to the pod, and the /etc/kubernetes/pki path looks like this:

/etc/kubernetes/pki # pwd
/etc/kubernetes/pki
/etc/kubernetes/pki # ls
apiserver-etcd-client.crt apiserver.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver.key etcd front-proxy-client.crt sa.pub
apiserver-kubelet-client.crt audit-policy.yaml etcd-encryption-config.yaml front-proxy-client.key
apiserver-kubelet-client.key ca.crt front-proxy-ca.crt kube-proxy.token

Note: These are master certificates and it works fine; it captures the certificates and I can see them in the NR dashboard with NRI-Prometheus integrated with it.

ETCD:
Path: /etc/kubernetes/pki/etcd
Pod output:
/etc/kubernetes/pki/etcd # ls
ca.crt

In my Kubernetes setup, i.e. the legacy setup, we cannot find the ETCD certs under the above path on the master node; those certificates are available only on the ETCD node. So is there a way to capture them?

joe-elliott commented 3 years ago

It's been many years since I ran a kops-based k8s cluster, but if I recall, the certs in /etc/kubernetes/pki/etcd in the pod were mounted from a dir on the host node. This isn't true?

Ashikash13 commented 3 years ago

Yes true
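An added example, not part of the thread and not cert-exporter's own code: expanding several certificate globs, as with the repeated --include-cert-glob arguments suggested above, and reading the expiry of every match. A scan like this only sees files present in the filesystem it runs in, which matches the pod output above where etcd/ holds only ca.crt. `ScanGlobs` and `WriteSampleCert` are hypothetical names, and the certificate is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

func WriteSampleCert(path string, notAfter time.Time) error { // constructed self-signed sample, not a real cert
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return err
	}
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
}

// ScanGlobs maps each matched file holding a PEM certificate to its NotAfter.
func ScanGlobs(globs ...string) (map[string]time.Time, error) {
	found := map[string]time.Time{}
	for _, g := range globs {
		matches, err := filepath.Glob(g)
		if err != nil {
			return nil, fmt.Errorf("bad glob %q: %w", g, err)
		}
		for _, p := range matches {
			data, _ := os.ReadFile(p) // directories and unreadable files yield no PEM blocks
			for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
				if c, err := x509.ParseCertificate(b.Bytes); b.Type == "CERTIFICATE" && err == nil {
					found[p] = c.NotAfter // for a bundle, the last certificate's expiry is kept
				}
			}
		}
	}
	return found, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "pki") // constructed stand-in for /etc/kubernetes/pki
	defer os.RemoveAll(dir)
	WriteSampleCert(filepath.Join(dir, "apiserver.crt"), time.Now().Add(24*time.Hour))
	fmt.Println(ScanGlobs(filepath.Join(dir, "*.crt"), filepath.Join(dir, "etcd", "*.crt")))
}
```

A glob that matches nothing is not an error here, so an empty or missing etcd/ directory simply contributes no entries to the result.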