Name: kube-cert-checker
Owner: Pantheon
Description: Check for expiring TLS certificates stored in Kubernetes Secrets Volumes and alert to Sensu
Created: 2016-04-24 17:49:32.0
Updated: 2018-04-30 22:29:59.0
Pushed: 2018-04-30 22:29:58.0
Homepage: null
Size: 373
Language: Makefile
Kubernetes service that watches and alerts on expiring TLS certificates stored in Kubernetes secret volumes.

Run this service in the kube-system namespace. It will periodically scan through all secret volumes (in all namespaces) looking for secrets that appear to be TLS certificates and check their expiration dates. If any certificates are found to be expiring soon (configurable) an alert will be opened in Sensu.

Any secret whose key name ends in `.crt` or `.pem` is assumed to be a TLS cert.

NOTE: Only PEM-encoded certs are supported at this time.

Run with the `-h` flag to see available command line flags, most of which can also be set via environment variables.

I recommend setting the `--sensu-source` variable to the name of the cluster. This will appear as the host where the alert originated from in Sensu.

TLS client authentication is supported with the `-tls-{key,crt,ca}` flags, if your sensu-api server requires TLS auth.
Open a local proxy to a remote Kubernetes cluster API and run the check locally with the `--once` option:

```
kubectl proxy &
Starting to serve on 127.0.0.1:8001
kube-cert-checker --once --url http://127.0.0.1:8001 --verbose
/04/27 16:56:26 Using kubernetes API URL: http://127.0.0.1:8001
/04/27 16:56:27 OK: default/default-token-aaxbv/ca.crt expires in 1811.86 days
/04/27 16:56:27 OK: development/default-token-pruz4/ca.crt expires in 1811.86 days
/04/27 16:56:27 OK: testing/notification-service-certs/ns.pem expires in 359.07 days
/04/27 16:56:27 OK: production/notification-service-certs/ns.pem expires in 359.07 days
```
The path to certificates in the output is represented as `<namespace>/<secret-volume>/<secret-name>`.

The intended use is to run persistently inside a Kubernetes cluster's kube-system namespace, with errors reported to your Sensu API. You will need Sensu >= 0.21.0 to POST to the `/results` API.

See the `deploy.yml.example` file for an example deployment descriptor.
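The scan logic described above (select `.crt`/`.pem` keys, parse PEM certificates, compare `NotAfter` against a warning window, emit a result in the `<namespace>/<secret-volume>/<secret-name>` form) condensed into a runnable Go program. This is an added example, not kube-cert-checker's own code: it takes a Secret's decoded `data` map as input instead of talking to the API server, the function names (`checkSecret`, `sensuResult`, `selfSignedPEM`) are hypothetical, the sample Secret is constructed in-process, and the Sensu payload shape is an assumption based on the Sensu classic `/results` format rather than what the tool actually sends. It also shows the PEM-only caveat in practice: a non-certificate PEM block inside a `.pem` bundle is skipped rather than treated as an error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// CertStatus is one finding: a certificate found under one key of one Secret.
type CertStatus struct {
	Path     string  // <namespace>/<secret-volume>/<secret-name>, as in the tool's log lines
	Subject  string  // certificate CommonName, used in the alert text
	DaysLeft float64 // days until NotAfter; negative once expired
	Expiring bool    // true when DaysLeft is inside the warning window
}

// looksLikeCert applies the key-name rule from the README: only .crt and .pem keys are inspected.
func looksLikeCert(key string) bool {
	return strings.HasSuffix(key, ".crt") || strings.HasSuffix(key, ".pem")
}

// checkSecret walks one Secret's data map (key name -> decoded bytes), parses every PEM
// CERTIFICATE block in candidate keys and reports each one. Non-certificate PEM blocks
// (e.g. a private key in a bundle) and non-PEM data are skipped: PEM-only, as on the page.
func checkSecret(namespace, secret string, data map[string][]byte, now time.Time, warnBefore time.Duration) []CertStatus {
	var out []CertStatus
	for key, raw := range data {
		if !looksLikeCert(key) {
			continue
		}
		rest := raw
		for {
			block, remaining := pem.Decode(rest)
			if block == nil {
				break // no further PEM blocks (or the data never was PEM)
			}
			rest = remaining
			if block.Type != "CERTIFICATE" {
				continue
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				continue // malformed DER inside a PEM wrapper cannot be checked
			}
			left := cert.NotAfter.Sub(now)
			out = append(out, CertStatus{
				Path:     fmt.Sprintf("%s/%s/%s", namespace, secret, key),
				Subject:  cert.Subject.CommonName,
				DaysLeft: left.Hours() / 24,
				Expiring: left < warnBefore,
			})
		}
	}
	// Map iteration order is random; sort so output (and tests) are deterministic.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Path != out[j].Path {
			return out[i].Path < out[j].Path
		}
		return out[i].Subject < out[j].Subject
	})
	return out
}

// sensuResult builds a check result for Sensu's /results endpoint. Field names follow the
// Sensu classic result format (assumption: the tool's real payload is not shown on the page).
// Status 1 is a Sensu WARNING, 0 is OK; "/" is replaced because Sensu check names may not contain it.
func sensuResult(source string, s CertStatus) map[string]interface{} {
	status := 0
	if s.Expiring {
		status = 1
	}
	return map[string]interface{}{
		"name":   "kube-cert-checker-" + strings.ReplaceAll(s.Path, "/", "-"),
		"source": source,
		"status": status,
		"output": fmt.Sprintf("%s (%s) expires in %.2f days", s.Path, s.Subject, s.DaysLeft),
	}
}

// selfSignedPEM mints a throwaway self-signed certificate for the constructed sample Secret.
func selfSignedPEM(cn string, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	// Constructed Secret: a cert expiring in 10 days, a CA bundle (cert + key), and a non-cert key.
	data := map[string][]byte{
		"tls.crt":    selfSignedPEM("soon.example", now.Add(10*24*time.Hour)),
		"bundle.pem": append(selfSignedPEM("ca.example", now.Add(400*24*time.Hour)), []byte("-----BEGIN EC PRIVATE KEY-----\nAAAA\n-----END EC PRIVATE KEY-----\n")...),
		"note.txt":   []byte("not a certificate"),
	}
	for _, s := range checkSecret("testing", "notification-service-certs", data, now, 30*24*time.Hour) {
		fmt.Println(sensuResult("sandbox-01", s))
	}
}
```

With a 30-day window the `tls.crt` finding comes out as a WARNING result and the CA in `bundle.pem` as OK, while the private-key block and `note.txt` produce nothing. In a real deployment the `data` map comes from the API server's Secret objects (base64-decoded), and `warnBefore` and `source` map onto the tool's configurable threshold and `--sensu-source` setting.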
To update the `kube-cert-checker-certs` secret volumes:

1. Run `make create-prod-tls-key`. This will create certs in the `devops/k8s/secrets/kube-system/certs` directory.
2. Run the `update-secrets` Makefile task: `make update-secrets KUBE_NAMESPACE=kube-system KUBE_CONTEXT=gke_pantheon-dev_us-central1-b_sandbox-01`
3. Delete the running kube-cert-checker resources so they are recreated with the updated secret: `kubectl delete -lapp=kube-cert-checker -n kube-system --context gke_pantheon-dev_us-central1-b_sandbox-01`
Run `make` or `make help` for a list of Makefile tasks and descriptions. Common tasks:

- `make test`
- `make build_linux` or `make build_osx`
- `make build_docker`
- `make cov_html`