joe-elliott / cert-exporter

A Prometheus exporter that publishes cert expirations on disk and in Kubernetes secrets
Apache License 2.0

Cert-exporter sends metrics for CA instead of service. #83

Closed benzch closed 3 years ago

benzch commented 3 years ago

Hi, I configured cert-exporter to scrape tls.crt. The problem I am facing is that the cert_exporter_secret_expires_in_seconds metric in Grafana is always ~3.5 years for all secrets. After some investigation I found that tls.crt contains both the service PEM and the CA PEM. My guess is that since the CA PEM is the last certificate, cert-exporter takes the metric from it instead of the service PEM. Any idea how to fix this?

joe-elliott commented 3 years ago

This is the code that parses all certs in a file:

https://github.com/joe-elliott/cert-exporter/blob/bd88841753d6bbb28d11e1f83c87c4c6d078b878/src/exporters/certHelpers.go#L38

and this is the code that publishes the metric:

https://github.com/joe-elliott/cert-exporter/blob/bd88841753d6bbb28d11e1f83c87c4c6d078b878/src/exporters/certHelpers.go#L38

If the Issuer and CN match I suppose it would overwrite and the last cert would "win". Is that what is happening in your case? Is there another label field we could add that would differentiate the metrics?
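Added example, not part of the thread and not cert-exporter's code: a Go program that reproduces the overwrite scenario raised in the comment above, parsing every certificate in a leaf-plus-CA bundle and keying expiry by CN and issuer CN. The `cn|issuer` key, the function names `Expiries` and `SampleBundle`, and the generated certificates are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Expiries keys each certificate's NotAfter by "cn|issuer" (assumed labels) and counts certs parsed.
func Expiries(bundle []byte) (m map[string]time.Time, parsed int) {
	m = map[string]time.Time{}
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(b.Bytes); err == nil { // skip non-certificate blocks
			parsed++
			m[c.Subject.CommonName+"|"+c.Issuer.CommonName] = c.NotAfter // equal key: last cert wins
		}
	}
	return m, parsed
}

// SampleBundle builds a constructed tls.crt: leaf first, CA last (one key reused for brevity).
func SampleBundle(leafCN, caCN string) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now, out := time.Now(), []byte{}
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caCN},
		NotBefore: now, NotAfter: now.AddDate(3, 6, 0)} // about 3.5 years
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafCN},
		NotBefore: now, NotAfter: now.AddDate(0, 3, 0)} // about 3 months
	for _, tmpl := range []*x509.Certificate{leaf, ca} {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, key.Public(), key)
		if err != nil {
			return nil, err
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out, nil
}

func main() {
	b, _ := SampleBundle("Example CA", "Example CA") // leaf CN equals issuer CN: labels collide
	fmt.Println(Expiries(b))
}
```

When the leaf's CN differs from the CA's, the same bundle yields two keys, so a dashboard filter on CN selects the service certificate's expiry rather than the CA's.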

benzch commented 3 years ago

@joe-elliott My filter in Grafana was wrong. Closing the issue, thanks!