New to Searchlight? Please start here.

Check cert

Check command cert checks the expiration timestamp of any certificate from Secrets. No longer you have to get a surprise that your certificates have expired.

Spec

cert check command has the following variables:

  • selector - Selector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’
  • secretName - Name of secret from where certificates are checked
  • secretKey - Name of secret key where certificates are kept
  • warning - Remaining duration for Warning state. [Default: 360h]
  • critical - Remaining duration for Critical state. [Default: 120h]

Execution of this command can result in following states:

  • OK
  • Warning
  • Critical
  • Unknown

Tutorial

Before You Begin

At first, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube.

Now, install Searchlight operator in your cluster following the steps here.

To keep things isolated, this tutorial uses a separate namespace called demo throughout this tutorial. Run the following command to prepare your cluster for this tutorial:

$ kubectl create namespace demo
namespace "demo" created

$ kubectl get namespaces
NAME          STATUS    AGE
default       Active    6h
kube-public   Active    6h
kube-system   Active    6h
demo          Active    4m

Create a Secret

In this tutorial, we are going to use onessl to issue certificates. Download onessl from kubepack/onessl.

$ onessl create ca-cert
$ onessl create server-cert

Now, we have two certificates ca.crt and server.crt.

Lets create a Secret with these Certificates.

$ kubectl create secret generic server-cert -n demo \
        --from-file=./ca.crt --from-file=./server.crt

secret "server-cert" created
$ kubectl get secret -n demo server-cert -o yaml
apiVersion: v1
kind: Secret
metadata:
  name: server-cert
  namespace: demo
type: Opaque
data:
  ca.crt: Y2EuY3J0Cg==
  server.crt: c2VydmVyLmNydAo=

Create Alert

In this tutorial, we are going to create an alert to check certificates in Secret.

$ cat ./docs/examples/cluster-alerts/cert/demo-0.yaml

apiVersion: monitoring.appscode.com/v1alpha1
kind: ClusterAlert
metadata:
  name: cert-demo-0
  namespace: demo
spec:
  check: cert
  vars:
    secretName: server-cert
    secretKey: "ca.crt,server.crt"
    warning: 240h
    critical: 72h
  checkInterval: 30s
  alertInterval: 2m
  notifierSecretName: notifier-config
  receivers:
  - notifier: Mailgun
    state: Critical
    to: ["ops@example.com"]

Here,

  • spec.check provides check command name. In this case, it is cert.

  • spec.vars supports following variables

    • selector - Label selector for secrets where certificates are stored. Supports ‘=’, ‘==’, and ‘!=’
    • secretName - Name of secret from where certificates are checked.
    • secretKey - List of secret keys where certificates are kept
    • warning - Remaining duration for Warning state. [Default: 360h]
    • critical - Remaining duration for Critical state. [Default: 120h]
$ kubectl apply -f ./docs/examples/cluster-alerts/cert/demo-0.yaml
clusteralert "cert-demo-0" created

$ kubectl describe clusteralert cert-demo-0 -n demo
Name:		cert-demo-0
Namespace:	demo
Labels:		<none>
Events:
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----			-------------	--------	------		-------
  9s		9s		1	Searchlight operator			Normal		SuccessfulSync	Applied ClusterAlert: "cert-demo-0"

Voila! cert command has been synced to Icinga2. Please visit here to learn how to configure notifier secret. Now, open IcingaWeb2 in your browser. You should see a Icinga host demo@cluster and Icinga service ca-cert-demo-0.

Following notes are important:

  • If secretName and selector both are not provided, all secrets in same namespace will be checked.
  • If secretKey is not provided in the alert, and SecretType of a secret is SecretTypeTLS, TLS certificate in tls.crt" will be checked.

Cleaning up

To cleanup the Kubernetes resources created by this tutorial, run:

$ kubectl delete ns demo

If you would like to uninstall Searchlight operator, please follow the steps here.

Next Steps

  • To periodically run various checks on nodes in a Kubernetes cluster, use NodeAlerts.
  • To periodically run various checks on pods in a Kubernetes cluster, use PodAlerts.
  • See the list of supported notifiers here.
  • Wondering what features are coming next? Please visit here.
  • Want to hack on Searchlight? Check our contribution guidelines.