x509 Certificate Exporter

Links for reference:

https://artifacthub.io/packages/helm/enix/x509-certificate-exporter

https://hub.docker.com/r/enix/x509-certificate-exporter

https://kubesphere.io/blogs/x509-certificate-exporter/

The Helm chart provides a facility to deploy DaemonSets so that each node of a cluster can run its own x509-certificate-exporter and export metrics for host files:

  • etcd server and client certificates
  • Kubernetes CA
  • kube-apiserver certificates
  • kubelet certificates
  • kubeconfig files with embedded certificates
  • etc. Obviously it also works with any other application deployed on cluster nodes as long as it uses PEM-encoded certificates (deployment agents, security tools, etc.).

(more detail on the artifacthub.io page)

Currently deployed as follows in my home cluster:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: x509-exporter
  namespace: monitoring
  labels:
    app: x509-exporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: x509-exporter
  template:
    metadata:
      labels:
        app: x509-exporter
    spec:
      containers:
      - name: x509
        image: enix/x509-certificate-exporter
        command: ["/x509-certificate-exporter"]
        # -k watches a kubeconfig and reports on the certificates embedded in it
        args: ["-k", "/home/bastion/.kube/config"]
        ports:
        - name: metrics  # named so the ServiceMonitor below can reference it
          containerPort: 9793
        volumeMounts:
        # The kubeconfig lives on the node, not in the image, so it must be mounted in;
        # a single-replica Deployment only covers whichever node the pod lands on
        - name: kubeconfig
          mountPath: /home/bastion/.kube/config
          readOnly: true
      volumes:
      - name: kubeconfig
        hostPath:
          path: /home/bastion/.kube/config
          type: File

---
apiVersion: v1
kind: Service
metadata:
  name: x509-exporter-svc
  namespace: monitoring
  labels:
    app: x509-exporter  # the ServiceMonitor selects the Service by this label
spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: metrics
    port: 9793
    protocol: TCP
    targetPort: metrics
  selector:
    app: x509-exporter
  sessionAffinity: None
  type: ClusterIP

---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: x509-exporter-monitor
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: x509-exporter
  endpoints:
  - port: metrics  # the *name* of the Service port (a bare number like "9793" matches nothing)
    path: /metrics  # The path where the metrics are exposed
  namespaceSelector:
    matchNames:
    - monitoring  # The namespace where your service is deployed

But I think I need to deploy the above with a host port (node port 9793 open), as the endpoints for the x509 exporter and node exporter show different IP addresses:

[bastion@bastion 509 (⎈|home:)]$ k get endpoints -n monitoring 
NAME                                      ENDPOINTS                                                     AGE
alertmanager-operated                     10.233.103.144:9094,10.233.103.144:9094,10.233.103.144:9093   51d
grafana-reporter-svc                      10.233.103.151:8686                                           2d
prometheus-grafana                        10.233.103.160:8081,10.233.103.160:3000                       51d
prometheus-kube-prometheus-alertmanager   10.233.103.144:8080,10.233.103.144:9093                       51d
prometheus-kube-prometheus-operator       10.233.103.166:10250                                          51d
prometheus-kube-prometheus-prometheus     10.233.103.135:8080,10.233.103.135:9090                       51d
prometheus-kube-state-metrics             10.233.103.136:8080                                           51d
prometheus-operated                       10.233.103.135:9090                                           51d
prometheus-prometheus-node-exporter       192.168.219.246:9100,192.168.219.247:9100                     51d
x509-exporter-svc                         10.233.103.168:9793                                           45m

As we can see, the node exporter endpoint uses the host network while the x509 exporter is running on the overlay network. Let's see what happens tomorrow.
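For comparison with the single-replica Deployment above, this is what the chart's DaemonSet mode boils down to when written by hand: one pod per node, with the node's certificate directories and a kubeconfig mounted read-only so the exporter can watch the files listed earlier (etcd, CA, kube-apiserver, kubelet, kubeconfig). This is an added example, not a manifest from the page or from the chart; the host paths are kubeadm defaults and the port name `metrics` is an assumption.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: x509-exporter-nodes
  namespace: monitoring
  labels:
    app: x509-exporter-nodes
spec:
  selector:
    matchLabels:
      app: x509-exporter-nodes
  template:
    metadata:
      labels:
        app: x509-exporter-nodes
    spec:
      # Control-plane nodes are usually tainted; tolerate it so their PKI is covered too
      tolerations:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
      containers:
      - name: x509
        image: enix/x509-certificate-exporter
        command: ["/x509-certificate-exporter"]
        args:
        - "-d"  # watch a directory of PEM certificates (one -d per directory; kubeadm paths assumed)
        - "/host/etc/kubernetes/pki"
        - "-d"
        - "/host/etc/kubernetes/pki/etcd"
        - "-d"
        - "/host/var/lib/kubelet/pki"
        - "-k"  # watch a kubeconfig with embedded certificates
        - "/host/etc/kubernetes/admin.conf"
        ports:
        - name: metrics
          containerPort: 9793
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:  # everything from the host is mounted read-only; the exporter only reads
        - {name: k8s, mountPath: /host/etc/kubernetes, readOnly: true}
        - {name: kubelet, mountPath: /host/var/lib/kubelet/pki, readOnly: true}
      volumes:
      - name: k8s
        hostPath: {path: /etc/kubernetes, type: Directory}
      - name: kubelet
        hostPath: {path: /var/lib/kubelet/pki, type: Directory}
```

The pods still get overlay IPs and are scraped through a Service and ServiceMonitor exactly like the Deployment above; it is the hostPath mounts, not the host network, that give the exporter access to the node's files.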
