scality / metalk8s

An opinionated Kubernetes distribution with a focus on long-term on-prem deployments
Apache License 2.0

Certificates Monitoring #2921

Open thomasdanan opened 3 years ago

thomasdanan commented 3 years ago

Component:

'certificates', 'salt', 'deployment', 'grafana'

Why this is needed:

During installation, we are deploying several certificates that are used to secure communication between Kubernetes services. Those certificates have a defined validity period of 1 or 10 years and thanks to https://github.com/scality/metalk8s/pull/2914 they should be automatically rotated once they are near the expiration date. However, this mechanism may fail for whatever reason and doesn't apply to all certificates. As such, it is important to have some monitoring/alerting to notify the administrator when some certificates need rotation.

What should be done:

We could integrate the existing cert exporter and its associated Grafana dashboard: https://github.com/joe-elliott/cert-exporter. When a certificate expiration date is close (30 or 90 days depending on the certificate), an alert should be fired.

Implementation proposal (strongly recommended):

Test plan:

NicolasT commented 3 years ago

That cert-exporter looks super useful, great find!
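
The alerting decision requested in the issue (fire at 30 or 90 days before expiry, depending on the certificate) can be sketched as follows. This is an added example, not code from the issue, MetalK8s or cert-exporter. It assumes `notAfter` strings in the format OpenSSL prints, and the mapping of the 90-day window to long-lived CA certificates and the 30-day window to 1-year certificates is an assumption, as are the certificate names and dates.

```python
import ssl
from datetime import datetime, timezone

DAY = 86400
# Assumption: 10-year CA certificates get the 90-day window and 1-year
# certificates the 30-day window; the issue only says "30 or 90 days".
THRESHOLD_DAYS = {"ca": 90, "leaf": 30}


def days_left(not_after, now):
    """Days until an OpenSSL-style notAfter string; negative once expired."""
    return (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / DAY


def evaluate(inventory, now):
    """Return (name, state, days) for every certificate needing attention."""
    findings = []
    for name, kind, not_after in inventory:
        try:
            left = days_left(not_after, now)
        except ValueError:
            # A date that cannot be parsed must alert too, not pass silently.
            findings.append((name, "unreadable", None))
            continue
        if left < 0:
            findings.append((name, "expired", int(left)))
        elif left <= THRESHOLD_DAYS[kind]:
            findings.append((name, "expiring", int(left)))
    return findings


# Constructed sample inventory (names and dates are illustrative only).
SAMPLE = [
    ("kubernetes-ca", "ca", "Mar  1 00:00:00 2031 GMT"),
    ("apiserver", "leaf", "Jan 20 00:00:00 2025 GMT"),
    ("etcd-ca", "ca", "Mar 15 00:00:00 2025 GMT"),
    ("kubelet-client", "leaf", "Dec 25 00:00:00 2024 GMT"),
    ("broken", "leaf", "not a date"),
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, state, left in evaluate(SAMPLE, NOW):
        print(f"{state:10} {name} ({left} days)")
```

Already expired and unparseable entries are reported separately because they indicate that rotation failed outright, which is the case the issue wants surfaced to the administrator.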