Check cert

The cert check command checks the expiration timestamp of certificates stored in Kubernetes Secrets, so an expired certificate no longer comes as a surprise. It reports only on the certificate's validity period (its NotAfter date); it does not verify the certificate chain or revocation status, so treat it as an expiry monitor, not as a substitute for your other TLS checks.

Spec

The cert check command accepts the following variables:

  • selector - Label selector used to pick the Secrets to check; supports =, == and !=
  • secretName - Name of the Secret whose certificates are checked
  • secretKey - Key(s) within the Secret under which the certificates are stored
  • warning - Remaining validity below which the check reports Warning. [Default: 360h]
  • critical - Remaining validity below which the check reports Critical. [Default: 120h]

Execution of this command can result in one of the following states:

  • OK
  • Warning
  • Critical
  • Unknown

Tutorial

Before You Begin

First, you need a Kubernetes cluster and the kubectl command-line tool configured to communicate with it. If you do not already have a cluster, you can create one with Minikube.

Now, install Searchlight operator in your cluster following the steps here.

To keep things isolated, this tutorial uses a separate namespace called demo throughout. Run the following command to prepare your cluster:

$ kubectl create namespace demo
namespace "demo" created

$ kubectl get namespaces
NAME          STATUS    AGE
default       Active    6h
kube-public   Active    6h
kube-system   Active    6h
demo          Active    4m

Create a Secret

In this tutorial, we use onessl to issue the certificates. Download onessl from kubepack/onessl.

$ onessl create ca-cert
$ onessl create server-cert

Now we have two certificates, ca.crt and server.crt.

Let's create a Secret with these certificates.

$ kubectl create secret generic server-cert -n demo \
        --from-file=./ca.crt --from-file=./server.crt

secret "server-cert" created
$ kubectl get secret -n demo server-cert -o yaml
apiVersion: v1
kind: Secret
metadata:
  name: server-cert
  namespace: demo
type: Opaque
data:
  ca.crt: Y2EuY3J0Cg==
  server.crt: c2VydmVyLmNydAo=

Create Alert

In this tutorial, we create a ClusterAlert that checks the certificates in the Secret.

$ cat ./docs/examples/cluster-alerts/cert/demo-0.yaml

apiVersion: monitoring.appscode.com/v1alpha1
kind: ClusterAlert
metadata:
  name: cert-demo-0
  namespace: demo
spec:
  check: cert
  vars:
    secretName: server-cert
    secretKey: "ca.crt,server.crt"
    warning: 240h
    critical: 72h
  checkInterval: 30s
  alertInterval: 2m
  notifierSecretName: notifier-config
  receivers:
  - notifier: Mailgun
    state: Critical
    to: ["ops@example.com"]

Here,

  • spec.check provides the check command name. In this case, it is cert.
  • spec.vars supports the following variables:

    • selector - Label selector for the Secrets whose certificates are checked. Supports =, == and !=
    • secretName - Name of the Secret whose certificates are checked.
    • secretKey - Comma-separated list of Secret keys under which certificates are stored (here ca.crt,server.crt).
    • warning - Remaining validity below which the check reports Warning. [Default: 360h]
    • critical - Remaining validity below which the check reports Critical. [Default: 120h]

  • spec.checkInterval (30s) is how often the check runs, and spec.alertInterval (2m) is how often notifications are repeated while the state is not OK.
  • spec.notifierSecretName names the Secret holding the notifier credentials, and spec.receivers routes Critical notifications to ops@example.com via Mailgun.

Now, create the ClusterAlert:

$ kubectl apply -f ./docs/examples/cluster-alerts/cert/demo-0.yaml
clusteralert "cert-demo-0" created

$ kubectl describe clusteralert cert-demo-0 -n demo
Name:		cert-demo-0
Namespace:	demo
Labels:		<none>
Events:
FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
---------	--------	-----	----			-------------	--------	------		-------
9s		9s		1	Searchlight operator			Normal		SuccessfulSync	Applied ClusterAlert: "cert-demo-0"


Voila! The cert check has been synced to Icinga2. Please visit here to learn how to configure the notifier Secret. Now open IcingaWeb2 in your browser; you should see an Icinga host demo@cluster and an Icinga service cert-demo-0.

The following notes are important:

  • If neither secretName nor selector is provided, all Secrets in the same namespace are checked.
  • If secretKey is not provided and the Secret is of type kubernetes.io/tls (SecretTypeTLS), the TLS certificate in the tls.crt key is checked.
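
The threshold logic from the Spec section and the key-selection rule in the notes above, as an added example that is not Searchlight's own code: a stand-alone Go program that parses PEM certificates the way they sit in a Secret's data, rates each key against the warning and critical thresholds, and folds several keys into one state. The names stateFor, checkPEM, checkSecret and mustSelfSignedPEM are this example's own, the fixture certificate is generated locally rather than read from a cluster, and the rule that a non-TLS Secret with no secretKey is reported Unknown is an assumption, since the page only describes the kubernetes.io/tls case.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// State is the check outcome; the ordering lets us keep the worst result over several keys.
type State int

const (
	OK State = iota
	Warning
	Critical
	Unknown
)

func (s State) String() string { return [...]string{"OK", "Warning", "Critical", "Unknown"}[s] }

// stateFor maps remaining validity to a state using the warning/critical thresholds.
func stateFor(remaining, warning, critical time.Duration) State {
	switch {
	case remaining <= critical: // also catches already-expired certs (negative remaining)
		return Critical
	case remaining <= warning:
		return Warning
	}
	return OK
}

// checkPEM parses every CERTIFICATE block in one Secret value (a bundle may hold
// several) and rates the one that expires first. Other PEM blocks (keys, CSRs)
// are skipped; a value with no certificate at all is Unknown.
func checkPEM(data []byte, now time.Time, warning, critical time.Duration) (State, time.Duration, error) {
	shortest, found := time.Duration(0), false
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return Unknown, 0, fmt.Errorf("parse certificate: %w", err)
		}
		if remaining := cert.NotAfter.Sub(now); !found || remaining < shortest {
			shortest, found = remaining, true
		}
	}
	if !found {
		return Unknown, 0, fmt.Errorf("no CERTIFICATE block found")
	}
	return stateFor(shortest, warning, critical), shortest, nil
}

// checkSecret applies the page's key rule (the secretKey list if given, else tls.crt for a
// kubernetes.io/tls Secret; assumption: any other Secret with no key is Unknown) and
// returns the worst state over the selected keys.
func checkSecret(secretType string, data map[string][]byte, keys []string, now time.Time, warning, critical time.Duration) State {
	if len(keys) == 0 {
		if secretType != "kubernetes.io/tls" {
			return Unknown
		}
		keys = []string{"tls.crt"}
	}
	worst := OK
	for _, k := range keys {
		s, _, _ := checkPEM(data[k], now, warning, critical) // absent key: nil data, no cert, Unknown
		if s > worst {
			worst = s // Unknown outranks Critical, so a parse failure is never masked
		}
	}
	return worst
}

// mustSelfSignedPEM builds a constructed fixture: a self-signed Ed25519 certificate
// valid from notBefore to notAfter, PEM-encoded the way it sits in a Secret.
func mustSelfSignedPEM(notBefore, notAfter time.Time) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cert-demo"},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the output is reproducible
	data := map[string][]byte{"server.crt": mustSelfSignedPEM(now.Add(-time.Hour), now.Add(48*time.Hour))} // constructed fixture
	fmt.Println(checkSecret("Opaque", data, []string{"server.crt"}, now, 240*time.Hour, 72*time.Hour)) // Critical (demo-0.yaml thresholds)
}
```

Run it with go run; it prints Critical because the constructed server.crt has 48h of validity left against the 72h critical threshold from demo-0.yaml. Two design points matter in practice: a bundle is rated by its earliest-expiring member, and Unknown sits above Critical in the State ordering, so a key that cannot be parsed is never hidden behind a healthy one.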

Cleaning up

To clean up the Kubernetes resources created by this tutorial, run:

$ kubectl delete ns demo

If you would like to uninstall Searchlight operator, please follow the steps here.

Next Steps

  • To periodically run various checks on nodes in a Kubernetes cluster, use NodeAlerts.
  • To periodically run various checks on pods in a Kubernetes cluster, use PodAlerts.
  • See the list of supported notifiers here.
  • Wondering what features are coming next? Please visit here.
  • Want to hack on Searchlight? Check our contribution guidelines.