ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0
525 stars 99 forks

Why can only the ca certificate be detected, can other certificates also be detected? #72

Closed jicki closed 2 years ago

jicki commented 3 years ago

Why can only the CA certificate be detected? Can other certificates also be detected?

ribbybibby commented 3 years ago

I don't understand the question. Can you give me an example of what you're doing and what you're getting back from the exporter?

jicki commented 3 years ago

Sorry, my English is so bad.

```yaml
- job_name: ssl-kubernetes
  metrics_path: /probe
  params:
    module: ["file"]
    target: ["/etc/kubernetes/**/*.crt"]
  kubernetes_sd_configs:
    - role: node
  relabel_configs:
    - source_labels: [__address__]
      regex: ^(.*):(.*)$
      target_label: __address__
      replacement: prometheus-ssl-exporter:9219
```

Prometheus query for `ssl_file_cert_not_after`:

I only got ca.crt. I want to get other certificates such as apiserver.crt, proxy-client.crt and kubelet-client.crt.

```text
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="master01.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="master02.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="master03.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node01.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node02.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node03.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node04.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node05.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node06.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node07.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
```

jicki commented 3 years ago

help me

ribbybibby commented 3 years ago

Are apiserver.crt, proxy-client.crt and kubelet-client.crt located under /etc/kubernetes? Do those files actually exist? Are they readable by the exporter?

Are there any errors in the ssl_exporter logs?

jicki commented 3 years ago

> Are apiserver.crt, proxy-client.crt and kubelet-client.crt located under /etc/kubernetes? Do those files actually exist? Are they readable by the exporter?
>
> Are there any errors in the ssl_exporter logs?

Yes, apiserver.crt, proxy-client.crt and kubelet-client.crt are located in /etc/kubernetes/ssl/,

but only on the master node.

```console
$ ls -lt /etc/kubernetes/ssl/*.crt
-rw-r--r-- 1 root root 1879 Dec  2  2020 /etc/kubernetes/ssl/apiserver.crt
-rw-r--r-- 1 root root 1058 Dec  1  2020 /etc/kubernetes/ssl/front-proxy-client.crt
-rw-r--r-- 1 root root 1038 Dec  1  2020 /etc/kubernetes/ssl/front-proxy-ca.crt
-rw-r--r-- 1 root root 1099 Dec  1  2020 /etc/kubernetes/ssl/apiserver-kubelet-client.crt
-rw-r--r-- 1 root root 1025 Dec  1  2020 /etc/kubernetes/ssl/ca.crt
```
```yaml
# fragment of the exporter pod spec; the Kubernetes key is camelCase hostPath
volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
```

The ssl_exporter logs show no errors:

```text
time="2021-06-21T08:48:59Z" level=info msg="Starting ssl_exporter (version=2.2.0, branch=tags/v2.2.0, revision=5d3ac12e65adb103fe839ecd482fad7dce50cf26)" source="ssl_exporter.go:130"
time="2021-06-21T08:48:59Z" level=info msg="Build context (go=go1.15.6, user=root@95e5d8c3be18, date=20201207-21:37:46)" source="ssl_exporter.go:131"
time="2021-06-21T08:48:59Z" level=info msg="Listening on :9219" source="ssl_exporter.go:148"
```

ribbybibby commented 3 years ago

It might be to do with your scrape config, specifically this relabel:

```yaml
  relabel_configs:
    - source_labels: [__address__]
      regex: ^(.*):(.*)$
      target_label: __address__
      replacement: prometheus-ssl-exporter:9219
```

This is going to be replacing the address you get from the kubernetes sd discovery (i.e. master01.development-uat-k8s) with what I assume is a kubernetes service prometheus-ssl-exporter. So for every single node, you're going to the same ssl-exporter, which is presumably running on a non-master node, hence why you only get the ca.crt.

Try this relabel_config instead:

```yaml
    relabel_configs:
      - source_labels: [__address__]
        regex: ^(.*):(.*)$
        target_label: __address__
        replacement: ${1}:9219
```

Note: ssl_exporter should be running as a DaemonSet on every node.
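To make the relabel behaviour concrete, the following added Python example (not part of this issue or of the ssl_exporter project) re-implements the `replace` action's anchored matching and `${1}` expansion and applies both rules above to two constructed node targets. The hostnames come from the issue; the kubelet port 10250 in the discovered addresses and the helper names `relabel` and `scrape_targets` are assumptions.

```python
import re

# Prometheus 'replace' relabel semantics: source_labels are joined with the
# separator, the regex is fully anchored (^(?:regex)$), and ${N}/$N in the
# replacement are expanded from the match groups.
def relabel(labels, source_labels, regex, target_label, replacement, separator=";"):
    """Return a new label dict after applying one 'replace' relabel step."""
    value = separator.join(labels.get(name, "") for name in source_labels)
    m = re.fullmatch(regex, value)
    if m is None:
        return dict(labels)  # no match: the rule leaves labels unchanged
    # Convert ${1} / $1 into Python group references for Match.expand.
    template = re.sub(r"\$\{(\d+)\}|\$(\d+)",
                      lambda g: r"\g<%s>" % (g.group(1) or g.group(2)),
                      replacement)
    out = dict(labels)
    out[target_label] = m.expand(template)
    return out

# Constructed targets as kubernetes_sd (role: node) would discover them;
# port 10250 (kubelet) is an assumption, hostnames are from the issue.
DISCOVERED = [
    {"__address__": "master01.development-uat-k8s:10250"},
    {"__address__": "node01.development-uat-k8s:10250"},
]

# The rule from the original scrape config: every node maps to one Service.
ORIGINAL_RULE = dict(source_labels=["__address__"], regex=r"^(.*):(.*)$",
                     target_label="__address__",
                     replacement="prometheus-ssl-exporter:9219")
# The suggested rule: keep the node host, swap only the port.
FIXED_RULE = dict(source_labels=["__address__"], regex=r"^(.*):(.*)$",
                  target_label="__address__", replacement="${1}:9219")

def scrape_targets(rule, targets=DISCOVERED):
    """Distinct addresses Prometheus would actually scrape after the rule."""
    return sorted({relabel(t, **rule)["__address__"] for t in targets})

if __name__ == "__main__":
    print("original:", scrape_targets(ORIGINAL_RULE))  # one shared exporter
    print("fixed:   ", scrape_targets(FIXED_RULE))     # one exporter per node
```

Because the `file` module reads the local filesystem of whichever exporter answers the probe, the original rule can only ever report the certificates present on the single pod behind the Service.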

ribbybibby commented 3 years ago

Did you manage to resolve your issues?