
Is there a way to monitor TLS certificates in Kubernetes using Prometheus?

I want to monitor my TLS certificates in Kubernetes using Prometheus and get a dashboard in Grafana. I want to monitor their expiry and would want to get an alert when the certificates are going to expire in 30 days. I did a lot of research and I finally found https://github.com/enix/x509-exporter. How do I use it? Is there any other efficient way to monitor the expiry of the certificates?

asked Jan 25 '23 20:01

jyothi swarup


1 Answer

DISCLAIMER: I haven't tried this x509-exporter. Just giving a suggestion as per my understanding.

The README file seems a bit off. The first thing you need to do is create a GitHub issue; no worries, I raised one here.

I am listing down steps as per my understanding and referring to the usage section.

  • Use their official Docker image and deploy it as a deployment on k8s.
  • Check the sample k8s YAML files for creating the deployment. Also note that the deployment YAML should mount a host directory where all the k8s certificates are stored.
  • As per documentation, usually the certificates are located at /etc/kubernetes/pki.
  • The deployment YAML should contain a command where you point the exporter to the directory where certificates are located with other necessary options. Like this:

    command: ["x509-exporter"]
    args: ["-d", "/etc/kubernetes/pki", "-p", "8091", "--debug"]

Note: Here I am running the exporter in debug mode on port 8091; remember to expose this port.

  • In the Prometheus config, add the x509-exporter endpoint as a target to scrape the metrics and plot those by creating graphs in a Grafana dashboard.
answered Jan 30 '23 01:01

mchawre
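
An added example (not part of the answer above, and not code from the x509-exporter project): the 30-day expiry check the question asks for, run over a constructed sample of scraped metrics. It assumes the exporter publishes each certificate's expiry as a Unix-timestamp gauge named x509_cert_not_after with a filepath label; confirm both against your exporter's /metrics output.

```python
import re
import time

# Constructed sample of a /metrics scrape; label names and values are illustrative.
SAMPLE_METRICS = '''\
# HELP x509_cert_not_after Certificate expiry as a Unix timestamp
# TYPE x509_cert_not_after gauge
x509_cert_not_after{filepath="/etc/kubernetes/pki/apiserver.crt",subject_CN="kube-apiserver"} 1.7000864e+09
x509_cert_not_after{filepath="/etc/kubernetes/pki/ca.crt",subject_CN="kubernetes"} 2.0e+09
x509_cert_not_after{filepath="/etc/kubernetes/pki/front-proxy-client.crt",subject_CN="front-proxy-client"} 1.6999e+09
'''

# One sample line of the Prometheus text exposition format: name{labels} value
SAMPLE_LINE = re.compile(r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)\{(?P<labels>.*)\}\s+(?P<value>\S+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def expiring_certs(metrics_text, now=None, threshold_days=30, metric="x509_cert_not_after"):
    """Return [(filepath, days_left)] for certs expiring within threshold_days, soonest first.

    Mirrors the PromQL alert expression:  x509_cert_not_after - time() < 86400 * 30
    Already-expired certificates are included with a negative days_left.
    """
    now = time.time() if now is None else now
    hits = []
    for line in metrics_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip HELP/TYPE comments
            continue
        m = SAMPLE_LINE.match(line)
        if not m or m.group("name") != metric:
            continue
        labels = dict(LABEL.findall(m.group("labels")))
        days_left = (float(m.group("value")) - now) / 86400
        if days_left < threshold_days:
            hits.append((labels.get("filepath", "<unknown>"), round(days_left, 1)))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a stable result.
    for path, days in expiring_certs(SAMPLE_METRICS, now=1_699_000_000):
        print(f"{path}: {days} days left")
```

In Prometheus itself the same comparison goes in an alerting rule's expr, with Alertmanager handling the notification.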