pantheon-systems/kube-cert-checker

Name: kube-cert-checker

Owner: Pantheon

Description: Check for expiring TLS certificates stored in Kubernetes Secrets Volumes and alert to Sensu

Created: 2016-04-24 17:49:32.0

Updated: 2018-04-30 22:29:59.0

Pushed: 2018-04-30 22:29:58.0

Homepage: null

Size: 373

Language: Makefile

README

kube-cert-checker

Kubernetes service that watches and alerts on expiring TLS certificates stored in kubernetes secrets volumes.

Run this service in the kube-system namespace. It periodically scans all secret volumes (in all namespaces) for secrets that appear to be TLS certificates and checks their expiration dates. If any certificate is found to be expiring soon (the threshold is configurable), an alert is opened in Sensu.

Any secret whose key name ends in .crt or .pem is assumed to be a TLS cert.

NOTE: Only PEM-encoded certs are supported at this time.
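The scan described above, as an added example that is not the project's own code: a `Secret` type standing in for the namespace, name and decoded data map of a Kubernetes Secret (the real service fetches these from the API server), the README's key-name heuristic, and a check that walks every PEM `CERTIFICATE` block in each cert-like key (a `.pem` may carry a chain), computes days to `NotAfter`, and flags anything under a warning threshold. The threshold value (30 days), the `selfSignedPEM` helper and the sample secrets are constructed for the demo; a cert-like key whose contents fail to parse is reported as an error instead of being skipped, so a mis-filled secret is not silently missed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Secret holds the parts of a Kubernetes Secret the scan needs (hypothetical type).
type Secret struct {
	Namespace string
	Name      string
	Data      map[string][]byte // key -> decoded bytes
}

// CertStatus is one result; Path is <namespace>/<secret-volume>/<secret-name> as in the README.
type CertStatus struct {
	Path     string
	DaysLeft float64
	Expiring bool
	Err      error
}

// IsCertKey applies the README's heuristic: keys ending in .crt or .pem are TLS certs.
func IsCertKey(key string) bool {
	return strings.HasSuffix(key, ".crt") || strings.HasSuffix(key, ".pem")
}

// CheckSecret yields one status per PEM CERTIFICATE block found in each cert-like key,
// flagging those with fewer than warnDays days left. Non-cert keys are skipped; a cert-like
// key with no parseable certificate produces an error status rather than nothing.
func CheckSecret(s Secret, now time.Time, warnDays float64) []CertStatus {
	var out []CertStatus
	for key, raw := range s.Data {
		if !IsCertKey(key) {
			continue // e.g. "token": not a cert by the README's rule
		}
		path := fmt.Sprintf("%s/%s/%s", s.Namespace, s.Name, key)
		found := false
		for rest := raw; ; {
			var block *pem.Block
			if block, rest = pem.Decode(rest); block == nil {
				break
			}
			if block.Type != "CERTIFICATE" {
				continue // private keys or other PEM types sharing the file
			}
			found = true
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				out = append(out, CertStatus{Path: path, Err: err})
				continue
			}
			days := cert.NotAfter.Sub(now).Hours() / 24
			out = append(out, CertStatus{Path: path, DaysLeft: days, Expiring: days < warnDays})
		}
		if !found {
			out = append(out, CertStatus{Path: path, Err: fmt.Errorf("no PEM CERTIFICATE block")})
		}
	}
	return out
}

// Label gives the severity word for a status line.
func Label(st CertStatus) string {
	switch {
	case st.Err != nil:
		return "ERROR"
	case st.Expiring:
		return "WARNING"
	}
	return "OK"
}

// selfSignedPEM fabricates a self-signed certificate valid until notAfter (sample data only).
func selfSignedPEM(cn string, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	// Constructed secrets modelled on the README's sample output.
	secrets := []Secret{
		{Namespace: "default", Name: "default-token-aaxbv", Data: map[string][]byte{
			"ca.crt": selfSignedPEM("cluster-ca", now.Add(1811*24*time.Hour)),
			"token":  []byte("opaque-bearer-token"),
		}},
		{Namespace: "testing", Name: "notification-service-certs", Data: map[string][]byte{
			"ns.pem": selfSignedPEM("ns.testing.svc", now.Add(10*24*time.Hour)),
		}},
	}
	for _, s := range secrets {
		for _, st := range CheckSecret(s, now, 30) { // 30-day threshold is an assumed value
			if st.Err != nil {
				fmt.Printf("ERROR: %s: %v\n", st.Path, st.Err)
				continue
			}
			fmt.Printf("%s: %s expires in %.2f days\n", Label(st), st.Path, st.DaysLeft)
		}
	}
}
```

Running it prints one line per certificate in the same `OK: <namespace>/<secret>/<key> expires in N days` shape the README shows, with the 10-day service cert reported as `WARNING`.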

Usage

Run with the -h flag to see the available command line flags, most of which can also be set via environment variables.

Set the --sensu-source flag to the name of the cluster. Sensu shows this value as the host the alert originated from.

TLS client authentication is supported with the -tls-{key,crt,ca} flags, for sensu-api servers that require TLS client auth.

Run once

Open a local proxy to a remote Kubernetes cluster API and run the check locally with the --once option:

    kubectl proxy &
    Starting to serve on 127.0.0.1:8001

    kube-cert-checker --once --url http://127.0.0.1:8001 --verbose
    /04/27 16:56:26 Using kubernetes API URL: http://127.0.0.1:8001
    /04/27 16:56:27 OK: default/default-token-aaxbv/ca.crt expires in 1811.86 days
    /04/27 16:56:27 OK: development/default-token-pruz4/ca.crt expires in 1811.86 days
    /04/27 16:56:27 OK: testing/notification-service-certs/ns.pem expires in 359.07 days
    /04/27 16:56:27 OK: production/notification-service-certs/ns.pem expires in 359.07 days

The path to each certificate in the output is written as <namespace>/<secret-volume>/<secret-name>.

Run as a Kubernetes service

The intended use is to run persistently inside a Kubernetes cluster's kube-system namespace, with errors reported to your Sensu API. You will need Sensu >= 0.21.0 to POST to the /results API.

See the deploy.yml.example file for an example deployment descriptor.

Updating mTLS certificates

To update the kube-cert-checker-certs secret volumes:

  1. Run make create-prod-tls-key. This creates the certs in the devops/k8s/secrets/kube-system/certs directory.
  2. For each cluster where kube-cert-checker is running, run the update-secrets task:
     make update-secrets KUBE_NAMESPACE=kube-system KUBE_CONTEXT=gke_pantheon-dev_us-central1-b_sandbox-01
     kubectl delete -lapp=kube-cert-checker -n kube-system --context gke_pantheon-dev_us-central1-b_sandbox-01

Dev / Test

Run make or make help for a list of Makefile tasks and descriptions.

Common tasks:
TODOs

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.