About

verify-k8s-certs is a daemon (Prometheus exporter) that discovers expired TLS certificates in a Kubernetes cluster. It exposes this information as Prometheus metrics that can be scraped.

Build & dockerize

Build the daemon:

go build -o verify-k8s-certs

Build the docker image:

docker build -t verify-k8s-certs .

How to run

  • Run the daemon as a Kubernetes deployment, and expose it as a service so Prometheus can scrape the metrics from its endpoints.
  • The deployment needs permission to list all the namespaces and all the services of the cluster, so use a serviceaccount with these privileges; otherwise it will not work!
  • Once the deployment is running on the cluster with no errors, add a new job to the scrape_configs section of your Prometheus instance so that it scrapes the metrics.
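
A least-privilege setup for the serviceaccount described above, as an added example that is not part of the verify-k8s-certs repository. The names tls-verifier and monitoring are hypothetical, and the role assumes that list on namespaces and services is all the daemon needs, as the README states.

```yaml
# Added example, not from the verify-k8s-certs repository.
# The names "tls-verifier" and "monitoring" are hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tls-verifier
  namespace: monitoring
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole            # namespaces are cluster-scoped, so a namespaced Role is not enough
metadata:
  name: tls-verifier-read
rules:
  # Core API group (""): only the two resources the README names and only
  # the list verb. No access to secrets and no write verbs.
  - apiGroups: [""]
    resources: ["namespaces", "services"]
    verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding     # bind the narrow role above, not cluster-admin
metadata:
  name: tls-verifier-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tls-verifier-read
subjects:
  - kind: ServiceAccount
    name: tls-verifier
    namespace: monitoring
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tls-verifier
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels: {app: tls-verifier}
  template:
    metadata:
      labels: {app: tls-verifier}
    spec:
      serviceAccountName: tls-verifier   # pod runs with the narrow role only
      containers:
        - name: verify-k8s-certs
          image: verify-k8s-certs        # image tag from the docker build step
```

To confirm the binding, `kubectl auth can-i list services --all-namespaces --as=system:serviceaccount:monitoring:tls-verifier` should answer yes, while the same check for `get secrets` should answer no.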

Metrics

The exposed Prometheus metrics are the following ones (at the endpoint /metrics):

  • (gauge) tls_verifier_seconds_to_expiration_tls_certificate: how many seconds are left until the certificate of a service expires
  • (gauge) tls_verifier_discovered_tls_certificates_of_services: how many TLS certificates have been discovered in the exposed services of the cluster
  • (counter) tls_verifier_heartbeat: a counter that keeps increasing; it can be used to detect whether the daemon is healthy

Author

Angelo Poerio angelo.poerio@gmail.com