https://hub.docker.com/r/enix/x509-certificate-exporter/tags
Using x509-certificate-exporter to monitor the certificates of Kubernetes cluster components
1- Image: x509-certificate-exporter
enix/x509-certificate-exporter:3.12.0
2- Deploy:
3- Add alerting rules:
ssl_exporter_rules.yml
groups:
  - name: SSL证书监测
    rules:
      - alert: 证书还有30天过期
        # 30 days expressed in seconds (86400 * 30)
        expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 30
        for: 5m
        labels:
          severity: 重要告警
        annotations:
          summary: "SSL证书即将过期 (instance {{ $labels.instance }})"
          description: "SSL证书即将30天内过期 VALUE = {{ $value }}\n LABELS: {{ $labels }}"
      - alert: 证书已过期
        expr: probe_ssl_earliest_cert_expiry - time() <= 0
        for: 5m
        labels:
          severity: 严重告警
        annotations:
          summary: "SSL证书已经过期 (instance {{ $labels.instance }})"
          description: "SSL证书已经过期\n VALUE = {{ $value }}\n LABELS: {{ $labels }}"
No data shows up here, which means x509-certificate-exporter has not collected anything.
Because the certificate paths have to be specified explicitly, this approach is abandoned here.
Instead, use the ready-made x509-certificate-exporter template (Helm chart) directly.
1- Add the enix application repository:
https://charts.enix.io
Open the application configuration page.
The values manifest has to be edited by hand to specify the paths of the certificate files to watch.
daemonSets:
  master:
    nodeSelector:
      node-role.kubernetes.io/master: ''
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
    watchFiles:
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /etc/kubernetes/pki/apiserver.crt
      - /etc/kubernetes/pki/apiserver-kubelet-client.crt
      - /etc/kubernetes/pki/ca.crt
      - /etc/kubernetes/pki/front-proxy-ca.crt
      - /etc/kubernetes/pki/front-proxy-client.crt
    watchKubeconfFiles:
      - /etc/kubernetes/admin.conf
      - /etc/kubernetes/controller-manager.conf
      - /etc/kubernetes/scheduler.conf
  nodes:
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/ingress
        operator: Exists
    watchFiles:
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /etc/kubernetes/pki/ca.crt
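The values file above only tells the exporter which files to read. The Python script below is an added illustration, not code from this post or from the x509-certificate-exporter project; it shows what the exporter does with those two lists: it reads PEM files such as /etc/kubernetes/pki/apiserver.crt (watchFiles), extracts the base64-embedded certificates from a kubeconfig such as /etc/kubernetes/admin.conf (watchKubeconfFiles), pulls notAfter out of the DER with a small parser, and applies the two thresholds from the alerting rules above (less than 30 days left, and already expired). The file paths, dates and the unsigned sample certificate it builds are constructed for the demo. One caveat worth checking: probe_ssl_earliest_cert_expiry in the rules file above is the metric name used by ssl_exporter, whereas x509-certificate-exporter exposes x509_cert_not_after and x509_cert_expires_in_seconds, so rules written against the wrong name stay empty even while the exporter is being scraped.

```python
"""Read the certificate sources x509-certificate-exporter is pointed at (PEM files and
kubeconfig files with base64-embedded certs), extract notAfter, and evaluate the
page's two alert thresholds. Added example; not the exporter's own code."""
import base64
import re
import tempfile
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
KUBECONF_RE = re.compile(r"(?:client-certificate-data|certificate-authority-data):\s*(\S+)")


def utc_ts(y, m, d):
    """Unix timestamp for midnight UTC on the given date."""
    return datetime(y, m, d, tzinfo=timezone.utc).timestamp()


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def not_after_from_der(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as Unix seconds."""
    _, pos, _ = _tlv(der, 0)            # enter Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)          # enter tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                # optional [0] EXPLICIT version
        _, _, pos = _tlv(der, pos)
    for _ in range(3):                  # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)          # enter validity SEQUENCE
    _, _, pos = _tlv(der, pos)          # skip notBefore
    tag, start, end = _tlv(der, pos)    # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    t = datetime.strptime(der[start:end].decode("ascii"), fmt)
    return t.replace(tzinfo=timezone.utc).timestamp()


def certs_in_pem(data):
    """All DER certificates in a PEM byte string (a file may hold a whole chain)."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(data)]


def certs_in_kubeconfig(text):
    """kubeconfig stores PEM as base64 in *-data fields; a line regex avoids a YAML dependency."""
    certs = []
    for m in KUBECONF_RE.finditer(text):
        certs.extend(certs_in_pem(base64.b64decode(m.group(1))))
    return certs


def alert_state(not_after, now):
    """Same thresholds as the page's two rules, with the 30-day window as 86400 * 30 seconds."""
    remaining = not_after - now
    if remaining <= 0:
        return "expired"
    if remaining < 86400 * 30:
        return "expiring_within_30d"
    return "ok"


def scan(watch_files, watch_kubeconf_files, now):
    """Return (path, not_after, state) per certificate found, one row per file series."""
    rows = []
    for path in watch_files:
        with open(path, "rb") as f:
            ders = certs_in_pem(f.read())
        rows += [(path, na, alert_state(na, now)) for na in map(not_after_from_der, ders)]
    for path in watch_kubeconf_files:
        with open(path) as f:
            ders = certs_in_kubeconfig(f.read())
        rows += [(path, na, alert_state(na, now)) for na in map(not_after_from_der, ders)]
    return rows


def _enc(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample certificate."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_sample_pem(not_after_ts):
    """Constructed, unsigned certificate skeleton with the right DER layout (demo input only)."""
    utc = lambda ts: _enc(0x17, datetime.fromtimestamp(ts, timezone.utc).strftime("%y%m%d%H%M%SZ").encode())
    alg = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg + _enc(0x30, b"")
               + _enc(0x30, utc(utc_ts(2024, 1, 1)) + utc(not_after_ts)) + _enc(0x30, b"")
               + _enc(0x30, alg + _enc(0x03, b"\x00")))
    der = _enc(0x30, tbs + alg + _enc(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def demo(now=utc_ts(2025, 6, 1)):
    """Write one PEM file and one kubeconfig into a temp dir and scan them like the values file would."""
    d = tempfile.mkdtemp()
    with open(f"{d}/apiserver.crt", "wb") as f:            # stands in for /etc/kubernetes/pki/apiserver.crt
        f.write(make_sample_pem(utc_ts(2025, 6, 11)))       # 10 days left -> 30-day warning
    embedded = base64.b64encode(make_sample_pem(utc_ts(2025, 5, 1))).decode()  # already expired
    with open(f"{d}/admin.conf", "w") as f:                 # stands in for /etc/kubernetes/admin.conf
        f.write(f"users:\n- name: admin\n  user:\n    client-certificate-data: {embedded}\n")
    return scan([f"{d}/apiserver.crt"], [f"{d}/admin.conf"], now)


if __name__ == "__main__":
    for path, not_after, state in demo():
        print(f"{path}: not_after={int(not_after)} state={state}")
```

Run it as-is to see the two rows; to check a real control-plane node, pass the watchFiles and watchKubeconfFiles lists from the values file to scan() with now=time.time(). The DER walker is deliberately minimal (it only follows the fixed field order up to validity), which is all that is needed to reproduce the exporter's expiry figure and to confirm that the 30-day window must be 86400 * 30, not 86400 * 300.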