Prometheus exporter for x509 certificates written in Go. node-cert-exporter will parse SSL certificates in a number of directories recursively and expose their expiry as a Prometheus metric at /metrics. It can run on Kubernetes as a Deployment or DaemonSet, or using Docker.
This project is currently in beta and is looking for contributors. Feel free to leave your feedback using issues or pull requests.
kubectl apply -f https://raw.githubusercontent.com/amimof/node-cert-exporter/master/deploy/daemonset.yml
docker run -p 9117:9117 ghcr.io/amimof/node-cert-exporter --logtostderr=true --include-glob '/etc/ssl/*/*.pem'
helm repo add node-cert-exporter https://amimof.github.io/node-cert-exporter
helm repo update
helm install node-cert-exporter node-cert-exporter/node-cert-exporter
curl -LOs https://github.com/amimof/node-cert-exporter/releases/latest/download/node-cert-exporter-linux-amd64 && chmod +x node-cert-exporter-linux-amd64
./node-cert-exporter-linux-amd64 --include-glob '/etc/ssl/*/*.pem'
git clone https://github.com/amimof/node-cert-exporter.git
cd node-cert-exporter
make
Once node-cert-exporter is scraped by Prometheus, the metrics can easily be visualized using Grafana. Get started by using the Node Cert Exporter dashboard hosted at grafana.com.
node-cert-exporter exports the following metrics:
Absolute time in seconds until the certificate expires. This metric is useful for tracking when a certificate will expire.
Example Prometheus alert rule:
- alert: CertificateExpiresIn7Days
  expr: ssl_certificate_expiry_seconds < (7 * 24 * 3600)
  annotations:
    summary: "Certificate {{ $labels.path }} expires in less than 7 days"

Relative ratio of remaining certificate lifetime to total validity period. This metric ranges from:
- 1.0: Certificate was just issued (100% of lifetime remaining)
- 0.5: 50% of certificate lifetime remaining
- 0.0: Certificate has expired
This metric is particularly useful for triggering alerts based on relative time ranges, such as when 50% of the certificate lifetime has been consumed.
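The following Go program is an added example, not code from node-cert-exporter. It computes both values from a certificate's validity window and checks them against the thresholds used in this page's example alert rules, showing how the absolute and relative rules diverge for long-lived and short-lived certificates. The function names, the clamping of the ratio to [0, 1] and the sample validity windows are assumptions of the example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// expiry mirrors the two metrics described on this page for one certificate:
// seconds until NotAfter, and remaining lifetime divided by total validity.
// Clamping the ratio to [0, 1] is an assumption of this example.
func expiry(c *x509.Certificate, now time.Time) (seconds, ratio float64) {
	seconds = c.NotAfter.Sub(now).Seconds()
	total := c.NotAfter.Sub(c.NotBefore).Seconds()
	if total <= 0 {
		return seconds, 0 // inverted or empty validity window
	}
	ratio = seconds / total
	if ratio < 0 {
		ratio = 0 // already expired
	} else if ratio > 1 {
		ratio = 1 // NotBefore is still in the future
	}
	return seconds, ratio
}

// firing lists which of this page's three example alert rules would fire.
func firing(c *x509.Certificate, now time.Time) []string {
	seconds, ratio := expiry(c, now)
	var alerts []string
	if seconds < 7*24*3600 {
		alerts = append(alerts, "CertificateExpiresIn7Days")
	}
	if ratio < 0.5 {
		alerts = append(alerts, "Certificate50PercentLifetimeReached")
	}
	if ratio < 0.2 {
		alerts = append(alerts, "Certificate80PercentConsumed")
	}
	return alerts
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	// Constructed validity windows; only NotBefore and NotAfter are set.
	long := &x509.Certificate{NotBefore: now.AddDate(0, 0, -335), NotAfter: now.AddDate(0, 0, 30)}
	short := &x509.Certificate{NotBefore: now.Add(-4 * time.Hour), NotAfter: now.Add(20 * time.Hour)}
	fmt.Println("1-year cert, 30 days left:", firing(long, now))
	fmt.Println("24-hour cert, 20 hours left:", firing(short, now))
}
```

A freshly issued 24-hour certificate always satisfies the 7-day rule, so fleets that mix short-lived and long-lived certificates are better served by the ratio-based rules.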
Example Prometheus alert rule:
- alert: Certificate50PercentLifetimeReached
  expr: ssl_certificate_expiry_ratio < 0.5
  annotations:
    summary: "Certificate {{ $labels.path }} has less than 50% of its lifetime remaining"
- alert: Certificate80PercentConsumed
  expr: ssl_certificate_expiry_ratio < 0.2
  annotations:
    summary: "Certificate {{ $labels.path }} has consumed 80% of its lifetime (20% remaining)"

All help in any form is highly appreciated and you are welcome to participate in developing together. To contribute, submit a Pull Request. If you want to provide feedback, open up a GitHub Issue or contact me personally.
