
Check ca-cert

Check command ca-cert checks the expiration timestamp of the Kubernetes API server CA certificate, so an expired cluster CA certificate no longer comes as a surprise.


The ca-cert check command has the following variables:

  • warning - Condition for warning, compared with the time left before expiration. (Default: TTL < 360h)
  • critical - Condition for critical, compared with the time left before expiration. (Default: TTL < 120h)

Execution of this command can result in the following states:

  • OK
  • Warning
  • Critical
  • Unknown
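
The threshold logic described above, sketched in Go as an added example (this is not Searchlight's own implementation). Classify, CheckCACert and SampleCA are hypothetical names, the certificate is constructed in-process as sample input, and mapping unreadable input to Unknown is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Classify maps the time left before expiration (TTL) to a check state.
func Classify(ttl, warning, critical time.Duration) string {
	if ttl < critical {
		return "Critical"
	} else if ttl < warning {
		return "Warning"
	}
	return "OK"
}

// CheckCACert parses a PEM certificate and classifies its remaining lifetime.
func CheckCACert(pemBytes []byte, now time.Time, warning, critical time.Duration) string {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "Unknown" // assumption: unreadable input maps to Unknown
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "Unknown"
	}
	return Classify(cert.NotAfter.Sub(now), warning, critical)
}

// SampleCA returns a constructed self-signed CA certificate expiring at notAfter.
func SampleCA(notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-8760 * time.Hour),
		NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	for _, left := range []time.Duration{500 * time.Hour, 200 * time.Hour, 48 * time.Hour} {
		fmt.Println(left, "left ->", CheckCACert(SampleCA(now.Add(left)), now, 360*time.Hour, 120*time.Hour))
	}
}
```

With the default thresholds, a TTL of exactly 120h is still a Warning because the comparison is strict, and an already expired certificate has a negative TTL and is Critical.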


Before You Begin

First, you need a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with it. If you do not already have a cluster, you can create one by using Minikube.

Now, install Searchlight operator in your cluster following the steps here.

To keep things isolated, this tutorial uses a separate namespace called demo throughout. Run the following command to prepare your cluster:

$ kubectl create namespace demo
namespace "demo" created

$ kubectl get namespaces
NAME          STATUS    AGE
default       Active    6h
kube-public   Active    6h
kube-system   Active    6h
demo          Active    4m

Create Alert

In this tutorial, we are going to create an alert to check ca-cert.

$ cat ./docs/examples/cluster-alerts/ca-cert/demo-0.yaml

apiVersion: monitoring.appscode.com/v1alpha1
kind: ClusterAlert
metadata:
  name: ca-cert-demo-0
  namespace: demo
spec:
  check: ca-cert
  vars:
    warning: 240h
    critical: 72h
  checkInterval: 30s
  alertInterval: 2m
  notifierSecretName: notifier-config
  receivers:
  - notifier: Mailgun
    state: Critical
    to: [""]

$ kubectl apply -f ./docs/examples/cluster-alerts/ca-cert/demo-0.yaml
clusteralert "ca-cert-demo-0" created

$ kubectl describe clusteralert ca-cert-demo-0 -n demo
Name:		ca-cert-demo-0
Namespace:	demo
Labels:		<none>
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----			-------------	--------	------		-------
  9s		9s		1	Searchlight operator			Normal		SuccessfulSync	Applied ClusterAlert: "ca-cert-demo-0"

Voila! The ca-cert command has been synced to Icinga2. Please visit here to learn how to configure the notifier secret. Now, open IcingaWeb2 in your browser. You should see an Icinga host demo@cluster and an Icinga service ca-cert-demo-0.

Pause Alert

To pause the alert, edit ClusterAlert ca-cert-demo-0 and set spec.paused to true:

$ kubectl edit clusteralert ca-cert-demo-0 -n demo
spec:
  paused: true

The Searchlight operator will delete the Icinga Services for this alert. To resume, edit the ClusterAlert again and set spec.paused to false.

Cleaning up

To clean up the Kubernetes resources created by this tutorial, run:

$ kubectl delete ns demo

If you would like to uninstall Searchlight operator, please follow the steps here.

Next Steps

  • To periodically run various checks on nodes in a Kubernetes cluster, use NodeAlerts.
  • To periodically run various checks on pods in a Kubernetes cluster, use PodAlerts.
  • See the list of supported notifiers here.
  • Wondering what features are coming next? Please visit here.
  • Want to hack on Searchlight? Check our contribution guidelines.