[Kubernetes (K8S)] Helm install x509-certificate-exporter to monitor Certificates expiration within Kubernetes (K8S)

x509-certificate-exporter

x509-certificate-exporter is a Prometheus exporter for certificates focusing on expiration monitoring, written in Go with cloud deployments in mind.

This article is about how to use Helm to install x509-certificate-exporter on Kubernetes (K8S).

Prerequisites

  • Kubernetes (K8S)
    Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications.

    For more information about installing and using Kubernetes (K8s), see the Kubernetes (K8s) Docs.

  • Helm
    Helm is the best way to find, share, and use software built for Kubernetes.

    # Mac OS X
    $ brew install helm

    For more information about installing and using Helm, see the Helm Docs.

Usage

values.yaml

Edit values.yaml and replace content within {{ }}.

# values.yaml

# helm-charts/values.yaml at master · enix/helm-charts
# https://github.com/enix/helm-charts/blob/master/charts/x509-certificate-exporter/values.yaml

# Without Prometheus CRDs (for example, Loki Stack)
secretsExporter:
  podAnnotations:
    prometheus.io/port: "9793"
    prometheus.io/scrape: "true"
service:
  create: false
prometheusServiceMonitor:
  create: false
prometheusRules:
  create: false

# Monitor hostPath certificates.
hostPathsExporter:
  podAnnotations:
    prometheus.io/port: "9793"
    prometheus.io/scrape: "true"

  # Example 1: Kubernetes and etcd
  daemonSets:
    cp:
      nodeSelector:
        node-role.kubernetes.io/master: ""
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      watchFiles:
      - /etc/kubernetes/pki/apiserver.crt
      - /etc/kubernetes/pki/apiserver-etcd-client.crt
      - /etc/kubernetes/pki/apiserver-kubelet-client.crt
      - /etc/kubernetes/pki/ca.crt
      - /etc/kubernetes/pki/front-proxy-ca.crt
      - /etc/kubernetes/pki/front-proxy-client.crt

      - /etc/kubernetes/pki/etcd/ca.crt
      - /etc/kubernetes/pki/etcd/healthcheck-client.crt
      - /etc/kubernetes/pki/etcd/peer.crt
      - /etc/kubernetes/pki/etcd/server.crt
      watchKubeconfFiles:
      - /etc/kubernetes/admin.conf
      - /etc/kubernetes/controller-manager.conf
      - /etc/kubernetes/scheduler.conf

    nodes:
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      watchFiles:
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /etc/kubernetes/pki/ca.crt

  # # Example 2: etcd is independent of Kubernetes
  # daemonSets:
  #   cp:
  #     nodeSelector:
  #       node-role.kubernetes.io/master: ""
  #     tolerations:
  #     - effect: NoSchedule
  #       key: node-role.kubernetes.io/master
  #       operator: Exists
  #     watchFiles:
  #     - /var/lib/kubelet/pki/kubelet-client-current.pem

  #     - /etc/kubernetes/pki/apiserver.crt
  #     - /etc/kubernetes/pki/apiserver-kubelet-client.crt
  #     - /etc/kubernetes/pki/ca.crt
  #     - /etc/kubernetes/pki/front-proxy-ca.crt
  #     - /etc/kubernetes/pki/front-proxy-client.crt

  #     # etcd SSL
  #     - /etc/ssl/etcd/ssl/admin-s1.pem
  #     - /etc/ssl/etcd/ssl/admin-s2.pem
  #     - /etc/ssl/etcd/ssl/admin-s3.pem
  #     - /etc/ssl/etcd/ssl/ca.pem
  #     - /etc/ssl/etcd/ssl/member-s1.pem
  #     - /etc/ssl/etcd/ssl/member-s2.pem
  #     - /etc/ssl/etcd/ssl/member-s3.pem
  #     - /etc/ssl/etcd/ssl/node-s1.pem
  #     - /etc/ssl/etcd/ssl/node-s2.pem
  #     - /etc/ssl/etcd/ssl/node-s3.pem

  #     watchKubeconfFiles:
  #     - /etc/kubernetes/admin.conf
  #     - /etc/kubernetes/controller-manager.conf
  #     - /etc/kubernetes/scheduler.conf

  #   nodes:
  #     tolerations:
  #     - effect: NoSchedule
  #       key: node-role.kubernetes.io/master
  #       operator: Exists
  #     watchFiles:
  #     - /var/lib/kubelet/pki/kubelet-client-current.pem
  #     - /etc/kubernetes/pki/ca.crt

Install Release

Use Helm to install x509-certificate-exporter into the x509-certificate-exporter namespace.

# Create the namespace:
$ kubectl create namespace x509-certificate-exporter

# Add the enix Helm repository:
$ helm repo add enix https://charts.enix.io

# Update your local Helm chart repository cache:
$ helm repo update

# To install Helm chart:
$ helm install x509-certificate-exporter enix/x509-certificate-exporter -n x509-certificate-exporter -f values.yaml

List the x509-certificate-exporter pods.

$ kubectl get pods -n x509-certificate-exporter
NAME                                        READY   STATUS    RESTARTS   AGE
x509-certificate-exporter-5b56cb7cb-tj8rh   1/1     Running   0          16h
x509-certificate-exporter-cp-6std8          1/1     Running   0          15h
x509-certificate-exporter-cp-fc2xf          1/1     Running   0          15h
x509-certificate-exporter-cp-s6bgj          1/1     Running   0          15h
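
Running pods do not prove the watched files and secrets are being read, and with prometheusRules.create set to false the chart installs no alert rules, so it is worth checking the exporter's metrics directly. The shell function below is an added example, not part of the original article or of the enix project; the sample metrics are constructed, and the label names in them and the 28-day default window are assumptions.

```shell
#!/usr/bin/env bash
# Added example: list certificates that x509-certificate-exporter reports as
# expired or expiring soon, plus its read-error counter.

# Constructed sample of the exporter's /metrics output; label values are made up.
sample_metrics() {
  cat <<'EOF'
# TYPE x509_cert_not_after gauge
x509_cert_not_after{filepath="/etc/kubernetes/pki/apiserver.crt",subject_CN="kube-apiserver"} 1.700864e+09
x509_cert_not_after{filepath="/etc/kubernetes/pki/ca.crt",subject_CN="kubernetes"} 1.72592e+09
x509_cert_not_after{secret_name="web-tls",secret_namespace="default",subject_CN="web.example.test"} 1.6998272e+09
# TYPE x509_read_errors counter
x509_read_errors 1
EOF
}

# expiring_certs [NOW_EPOCH] [DAYS]: reads metrics text on stdin and prints one
# tab-separated line per finding: STATUS, days left, label set.
expiring_certs() {
  local now="${1:-$(date +%s)}" days="${2:-28}"
  awk -v now="$now" -v limit="$days" '
    /^x509_cert_not_after[{]/ {
      left = ($NF + 0) - now            # sample value is the notAfter Unix timestamp
      if (left >= limit * 86400) next   # still outside the warning window
      labels = $0
      sub(/^[^{]*[{]/, "", labels)      # drop metric name and opening brace
      sub(/[}][^}]*$/, "", labels)      # drop closing brace and sample value
      printf "%s\t%d\t%s\n", (left <= 0 ? "EXPIRED" : "EXPIRING"), int(left / 86400), labels
    }
    # A non-zero counter means a watched path or secret could not be read,
    # so that certificate is not being monitored at all.
    /^x509_read_errors[ {]/ && ($NF + 0) > 0 { printf "READ_ERRORS\t%d\t-\n", $NF }
  '
}

# Against a live install (the pod name is a placeholder):
#   kubectl -n x509-certificate-exporter port-forward <pod> 9793:9793 &
#   curl -s http://127.0.0.1:9793/metrics | expiring_certs
sample_metrics | expiring_certs 1700000000 28
```

A READ_ERRORS line usually points at a wrong path in watchFiles or watchKubeconfFiles for that node.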

Import X509 Certificate Exporter Grafana Dashboard

See Certificates Expiration (X509 Certificate Exporter) dashboard for Grafana | Grafana Labs - https://grafana.com/grafana/dashboards/13922 to learn more.

Uninstall Release

Remove the release created by Helm.

$ helm uninstall x509-certificate-exporter -n x509-certificate-exporter

FAQs

Panel plugin not found: grafana-piechart-panel

First, open a shell in the Grafana Pod.

$ kubectl exec -i -t <grafana> -c grafana -- sh -c "clear; (bash || ash || sh)"

Use the new grafana-cli tool to install grafana-piechart-panel from the Pod command line:

$ grafana-cli plugins install grafana-piechart-panel

Remember to restart the Pod to make the plugin available.

See Pie Chart plugin for Grafana | Grafana Labs - https://grafana.com/grafana/plugins/grafana-piechart-panel/ to learn more.
