# cert-exporter

**Repository Path**: ssoc/cert-exporter

## Basic Information

- **Project Name**: cert-exporter
- **Description**: certificate monitoring exporter, fork of https://github.com/amimof/node-cert-exporter
- **Primary Language**: Go
- **License**: MulanPSL-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 3
- **Created**: 2023-11-06
- **Last Updated**: 2023-11-06

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

#### Certificate monitoring tool node-cert-exporter

> [https://github.com/amimof/node-cert-exporter](https://github.com/amimof/node-cert-exporter)

cert-exporter is a Prometheus exporter for monitoring x509 certificates. It parses certificate files and generates the Prometheus metric `ssl_certificate_expiry_seconds`, the time remaining until each certificate expires.

Usage:

```shell
# cert-exporter --path=<certificate directory>; several directories can be given, separated by commas
cert-exporter --path=/etc/kubernetes/ssl/,/etc/kubernetes/pki/
```

Generated metric:

| metric | value (seconds) |
| --- | --- |
| ssl_certificate_expiry_seconds{alg="SHA256-RSA",controller_revision_hash="5cfdb89c8",hostname="k8s.master.1",instance="x.x.x.x:9117",issuer="CN=kubernetes",job="k8s-pods",k8s_app="k8s-cert-exporter",namespace="monitoring",nodename="k8s.master.1",path="/host/etc/kubernetes/pki/ca.crt",pod="k8s-cert-exporter-2vq5d",pod_template_generation="1",subject="CN=kubernetes",version="3"} | 244188860.83742842 |

#### k8s certificate monitoring

The k8s certificates live in /etc/kubernetes/pki on every k8s master. It is enough to run one cert-exporter process on each master that watches the *.pem and *.crt certificate files under /etc/kubernetes/pki.

Deploy a cert-monitor DaemonSet in k8s with the nodeSelector `cert-monitor: "true"`; then any node that should be monitored only needs the label `cert-monitor="true"` and cert-exporter is installed on it automatically.

cert-monitor-daemonset.yaml

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: k8s-cert-exporter
  namespace: monitoring
  labels:
    k8s-app: k8s-cert-exporter
spec:
  selector:
    matchLabels:
      k8s-app: k8s-cert-exporter
  template:
    metadata:
      labels:
        k8s-app: k8s-cert-exporter
      annotations:
        prometheus.io/scrape: 'true'
        prometheus.io/port: '9117'
    spec:
      tolerations:
        - operator: Exists
          effect: NoSchedule
      nodeSelector:
        cert-monitor: "true"
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: k8s-cert-exporter
          image: registry.xxxx.io/prometheus/cert_exporter:v1.0
          args:
            - "--v=2"
            - "--logtostderr=true"
            - "--path=/host/etc/kubernetes/ssl/,/host/etc/kubernetes/pki/"
          imagePullPolicy: IfNotPresent
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          resources:
            limits:
              cpu: 250m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - mountPath: /host/etc
              name: etc
              readOnly: true
      volumes:
        - name: etc
          hostPath:
            path: /etc
            type: ""
```

Label the nodes that should be monitored:

```shell
# kx
kubectl label node k8s.master.1 cert-monitor="true"
kubectl label node k8s.master.2 cert-monitor="true"
kubectl label node k8s.master.3 cert-monitor="true"
```

#### grafana dashboard

![image description](picture/image.png)

[k8s-node-cert-dashboard.json](https://www.yuque.com/attachments/yuque/0/2021/json/1631699/1638177401479-75ba1115-4a96-4dd5-bf69-643f219583ad.json?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2021%2Fjson%2F1631699%2F1638177401479-75ba1115-4a96-4dd5-bf69-643f219583ad.json%22%2C%22name%22%3A%22k8s-node-cert-dashboard.json%22%2C%22size%22%3A5455%2C%22type%22%3A%22application%2Fjson%22%2C%22ext%22%3A%22json%22%2C%22status%22%3A%22done%22%2C%22taskId%22%3A%22u772b20e7-5db7-4a2f-8e86-96d5a91fb46%22%2C%22taskType%22%3A%22upload%22%2C%22id%22%3A%22u9dffbed9%22%2C%22card%22%3A%22file%22%7D)

#### Alerts

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  namespace: monitoring
  name: k8s-certs-rule
  labels:
    role: k8s-certs-rule
spec:
  groups:
    - name: k8sCertExpiringSoon
      rules:
        - alert: k8s集群证书过期不到1年了
          expr: ssl_certificate_expiry_seconds/86400 < 365
          for: 3m
          labels:
            # ordinary alert
            severity: warning
          annotations:
            message: '节点{{$labels.hostname}}的{{$labels.path}}证书还有 {{ $value }} 天过期 .'
        - alert: k8s集群证书过期不到半年了
          expr: ssl_certificate_expiry_seconds/86400 < 182
          for: 3m
          labels:
            # critical alert
            severity: critical
          annotations:
            message: '节点{{$labels.hostname}}的{{$labels.path}}证书还有 {{ $value }} 天过期 .'
```
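The exporter's core step, reading a certificate file and turning its NotAfter into an `ssl_certificate_expiry_seconds` sample with the alg, issuer, subject, path and version labels shown in the table above, as an added Go example that is not the project's own code. The function names and the self-signed sample certificate are constructed here for the example, and the remaining lifetime is computed against an explicit `now` so the 365-day and 182-day thresholds in the alert rules can be checked deterministically.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertExpiry holds the label values cert-exporter attaches to one certificate file.
type CertExpiry struct {
	Path, Alg, Issuer, Subject, Version string
	ExpirySeconds                       float64 // seconds until NotAfter; negative once expired
}
// ParsePEMCertExpiry reads the leading CERTIFICATE block of a .crt/.pem file and returns its lifetime left at now.
func ParsePEMCertExpiry(path string, data []byte, now time.Time) (CertExpiry, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertExpiry{}, fmt.Errorf("%s: no leading CERTIFICATE block", path)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertExpiry{}, fmt.Errorf("%s: %w", path, err)
	}
	return CertExpiry{Path: path, Alg: cert.SignatureAlgorithm.String(), Issuer: cert.Issuer.String(), Subject: cert.Subject.String(),
		Version: fmt.Sprint(cert.Version), ExpirySeconds: cert.NotAfter.Sub(now).Seconds()}, nil
}
// MetricLine renders the sample in Prometheus text exposition format, the form the exporter serves on :9117.
func (c CertExpiry) MetricLine() string {
	return fmt.Sprintf(`ssl_certificate_expiry_seconds{alg=%q,issuer=%q,path=%q,subject=%q,version=%q} %g`,
		c.Alg, c.Issuer, c.Path, c.Subject, c.Version, c.ExpirySeconds)
}
// selfSignedPEM builds a constructed self-signed CA used only as sample input here (not a real cluster cert).
func selfSignedPEM(notBefore, notAfter time.Time) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"}, NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	now := time.Now()
	c, err := ParsePEMCertExpiry("/host/etc/kubernetes/pki/ca.crt", selfSignedPEM(now, now.Add(365*24*time.Hour)), now)
	if err != nil {
		panic(err)
	}
	fmt.Println(c.MetricLine())
}
```

An already expired certificate yields a negative value, so the `/86400 < 182` rule above keeps firing after expiry instead of going quiet, while a file that holds only a private key is reported as an error rather than as a zero sample.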