
MasayaAoyama/cert-check-controller


Cert Check Controller

Cert Check Controller checks the certificate expiration of Secrets of type kubernetes.io/tls. ref: https://speakerdeck.com/masayaaoyama/srett1-k8s-amsy810

By creating the following resources, cert check controller can track TLS certificate expiration and make it easier to handle.

  • sample CertCheck resource
apiVersion: sre.amsy810.dev/v1beta1
kind: CertCheck
metadata:
  name: certcheck-sample
spec:
  threshold: 7
  selector:
    matchLabels:
      certcheck-group: sample
  • sample TLS Secret
apiVersion: v1
kind: Secret
metadata:
  name: tls-sample
  labels:
    certcheck-group: sample
type: kubernetes.io/tls
data:
  tls.crt: ...
  tls.key: ...

Getting started

Deploy it with the kustomization in the repository root:

git clone https://github.com/MasayaAoyama/cert-check-controller.git
cd cert-check-controller
kustomize build . | kubectl apply -f -

Features

annotate and label secret for cert info

Records certificate information only for Secrets of type kubernetes.io/tls.

$ kubectl get secret tls-sample -oyaml | k neat
apiVersion: v1
data:
  tls.crt: ...
  tls.key: ...
kind: Secret
metadata:
  annotations:
    certcheck.amsy.dev/notAfter: 2030-03-30 04:42:09 +0000 UTC
    certcheck.amsy.dev/notBefore: 2020-04-01 04:42:09 +0000 UTC
  labels:
    certcheck-group: sample
    certcheck.amsy.dev/active: "true"
  name: tls-sample
  namespace: default
type: kubernetes.io/tls

record all checked cert info filtered by label selector

apiVersion: sre.amsy810.dev/v1beta1
kind: CertCheck
metadata: {...}
spec: {...}
status:
  certificates:
  - active: true
    notAfter: "2030-03-30T04:42:09Z"
    notBefore: "2020-04-01T04:42:09Z"
    targetCertsCount: tls-sample
  targetCertsCount: 1

generate event for alerting

The controller generates Events (WillBeExpired / Expired). You can also forward them with an event exporter such as kubernetes-event-exporter (https://github.com/opsgenie/kubernetes-event-exporter).

$ kubectl get event
LAST SEEN   TYPE      REASON          OBJECT              MESSAGE
27m         Warning   WillBeExpired   secret/tls-sample   TLS Secret default/tls-sample will be expired at 2030-03-30 04:42:09 +0000 UTC
2m32s       Warning   WillBeExpired   secret/tls-sample   TLS Secret default/tls-sample will be expired at 2030-03-30 04:42:09 +0000 UTC
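The check behind the annotations above and the WillBeExpired / Expired events, as an added example that is not the controller's own code: it parses tls.crt from a Secret's data, records notBefore/notAfter and the active flag, and applies the CertCheck threshold (in days). CertInfo, CheckTLSSecret and SelfSignedPEM are names assumed here; the certificate is constructed in-process so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CertInfo mirrors what the controller records on the Secret and in CertCheck.status (assumed shape).
type CertInfo struct {
	NotBefore, NotAfter time.Time
	Active              bool   // now lies within [NotBefore, NotAfter]
	Reason              string // "", "WillBeExpired" or "Expired" (event reason)
}

// CheckTLSSecret parses tls.crt from a kubernetes.io/tls Secret's data and evaluates it against threshold (days) at time now.
func CheckTLSSecret(data map[string][]byte, threshold int, now time.Time) (CertInfo, error) {
	block, _ := pem.Decode(data["tls.crt"]) // first PEM block is the leaf certificate
	if block == nil || block.Type != "CERTIFICATE" {
		return CertInfo{}, errors.New("tls.crt does not contain a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertInfo{}, err
	}
	info := CertInfo{NotBefore: cert.NotBefore, NotAfter: cert.NotAfter}
	info.Active = !now.Before(cert.NotBefore) && !now.After(cert.NotAfter)
	switch {
	case now.After(cert.NotAfter):
		info.Reason = "Expired"
	case now.AddDate(0, 0, threshold).After(cert.NotAfter):
		info.Reason = "WillBeExpired"
	}
	return info, nil
}

// SelfSignedPEM builds a constructed self-signed certificate for the given validity window (stands in for a real tls.crt).
func SelfSignedPEM(notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "tls-sample"},
		NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

With the sample CertCheck's threshold of 7, a certificate whose notAfter is 5 days out yields WillBeExpired while still active, and one already past notAfter yields Expired with active false.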

custom metrics

The certcheck controller exposes custom metrics for Prometheus.