New to Searchlight? Please start here.

Check ca_cert

Check command ca_cert checks the expiration timestamp of the Kubernetes API server CA certificate, so an expired cluster CA certificate no longer has to come as a surprise.


The ca_cert check command has the following variables:

  • warning - Condition for warning, compared with the time left before expiration. (Default: TTL < 360h)
  • critical - Condition for critical, compared with the time left before expiration. (Default: TTL < 120h)

Execution of this command can result in the following states:

  • OK
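
The threshold comparison described above, written out as an added Go example (not Searchlight's own code). The names State and SampleCA are hypothetical, the UNKNOWN result for unparseable input is an assumption, and the CA certificate is a constructed throwaway so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// State applies the page's rule: CRITICAL if TTL < critical, WARNING if TTL < warning.
func State(caPEM []byte, now time.Time, warning, critical time.Duration) (string, time.Duration, error) {
	block, _ := pem.Decode(caPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "UNKNOWN", 0, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "UNKNOWN", 0, err
	}
	ttl := cert.NotAfter.Sub(now) // negative once the certificate has expired
	switch {
	case ttl < critical: // checked first, so an expired CA is always CRITICAL
		return "CRITICAL", ttl, nil
	case ttl < warning:
		return "WARNING", ttl, nil
	}
	return "OK", ttl, nil
}

// SampleCA returns a constructed, throwaway self-signed CA whose NotAfter is now+ttl.
func SampleCA(now time.Time, ttl time.Duration) []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample-ca"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(ttl),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now() // thresholds below are the defaults listed on this page
	fmt.Println(State(SampleCA(now, 200*time.Hour), now, 360*time.Hour, 120*time.Hour))
}
```

To evaluate a real cluster CA instead of the sample, pass the PEM bytes of the CA certificate your kubeconfig trusts to State.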


Before You Begin

First, you need a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with it. If you do not already have a cluster, you can create one by using Minikube.

Now, install Searchlight operator in your cluster following the steps here.

To keep things isolated, this tutorial uses a separate namespace called demo throughout. Run the following command to prepare your cluster:

$ kubectl create namespace demo
namespace "demo" created

$ kubectl get namespaces
NAME          STATUS    AGE
default       Active    6h
kube-public   Active    6h
kube-system   Active    6h
demo          Active    4m

Create Alert

In this tutorial, we are going to create an alert to check ca_cert.

$ cat ./docs/examples/cluster-alerts/ca_cert/demo-0.yaml

apiVersion: monitoring.appscode.com/v1alpha1
kind: ClusterAlert
metadata:
  name: ca-cert-demo-0
  namespace: demo
spec:
  check: ca_cert
  vars:
    warning: 240h
    critical: 72h
  checkInterval: 30s
  alertInterval: 2m
  notifierSecretName: notifier-config
  receivers:
  - notifier: Mailgun
    state: CRITICAL
    to: [""]

$ kubectl apply -f ./docs/examples/cluster-alerts/ca_cert/demo-0.yaml
clusteralert "ca-cert-demo-0" created

$ kubectl describe clusteralert ca-cert-demo-0 -n demo
Name:		ca-cert-demo-0
Namespace:	demo
Labels:		<none>
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----			-------------	--------	------		-------
  9s		9s		1	Searchlight operator			Normal		SuccessfulSync	Applied ClusterAlert: "ca-cert-demo-0"

Voila! The ca_cert command has been synced to Icinga2. Please visit here to learn how to configure the notifier secret. Now, open IcingaWeb2 in your browser. You should see an Icinga host demo@cluster and an Icinga service ca-cert-demo-0.


Cleaning up

To clean up the Kubernetes resources created by this tutorial, run:

$ kubectl delete ns demo

If you would like to uninstall Searchlight operator, please follow the steps here.

Next Steps

  • To periodically run various checks on nodes in a Kubernetes cluster, use NodeAlerts.
  • To periodically run various checks on pods in a Kubernetes cluster, use PodAlerts.
  • See the list of supported notifiers here.
  • Wondering what features are coming next? Please visit here.
  • Want to hack on Searchlight? Check our contribution guidelines.
