K8s SSL Validity Exporter

Don't let SSL certificate expiration cause downtime or security issues for your website or application. Try our K8s SSL Validity Exporter tool and ensure that your SSL certificates are always up-to-date and secure.

Did you know that one of the most common causes of website downtime is expired SSL certificates? When certificates expire, it can cause website and application downtime, which can result in lost revenue and damage to reputation.

Despite its critical importance, not monitoring SSL certificate expiration dates is a common mistake organizations make. In 2018, an expired SSL certificate caused a widespread outage for O2 mobile customers in the UK. And in 2020, a root CA certificate issued by Sectigo expired, causing issues for a large number of websites.

Announcing the K8s SSL Validity Exporter

Facets is excited to introduce K8s SSL Validity Exporter, which provides a central monitoring solution for SSL certificate expiration dates in any Kubernetes cluster. It also exports the metric for the entire certificate chain, including root and intermediate certificates, thus providing a comprehensive solution to this issue.

With our solution in place, you can rest easy knowing that your SSL certificates are being actively monitored.

How does it work?

The exporter scans for Kubernetes ingress objects to determine the unique set of domains to monitor. It then initiates a TLS connection and retrieves the certificate chain for each domain. For each certificate in the chain, the exporter publishes a gauge metric called ssl_expiry, with the number of days until expiry as the gauge value, and relevant labels.

ssl_expiry{common_name="commonName",domain="ssl_expiry.com",ingress="default",namespace="default"} 9
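The per-certificate step described above, as an added Go sketch that is not the exporter's own code. The function names, the sample chain, disabling verification for the probe, flooring the day count and escaping label values are all assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"strings"
	"time"
)

// fetchChain returns what the server presents for domain. Verification is off (this
// example's choice) so an expired chain can still be measured, never trusted.
func fetchChain(addr, domain string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: domain, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// escape applies Prometheus label escaping; certificate names are untrusted input.
var escape = strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`).Replace

// expiryLines renders one ssl_expiry sample per certificate in the chain.
func expiryLines(chain []*x509.Certificate, domain, ingress, ns string, now time.Time) []string {
	var out []string
	for _, c := range chain {
		// Floor, so a certificate that expired an hour ago reports -1, not 0.
		days := int(math.Floor(c.NotAfter.Sub(now).Hours() / 24))
		out = append(out, fmt.Sprintf(`ssl_expiry{common_name="%s",domain="%s",ingress="%s",namespace="%s"} %d`,
			escape(c.Subject.CommonName), escape(domain), escape(ingress), escape(ns), days))
	}
	return out
}

// sampleChain is constructed data: a leaf with 9 days left and an expired issuer.
func sampleChain(now time.Time) []*x509.Certificate {
	return []*x509.Certificate{
		{Subject: pkix.Name{CommonName: "shop.example.com"}, NotAfter: now.Add(217 * time.Hour)},
		{Subject: pkix.Name{CommonName: `Example "CA" 1`}, NotAfter: now.Add(-time.Hour)},
	}
}

func main() {
	now := time.Now()
	fmt.Println(strings.Join(expiryLines(sampleChain(now), "shop.example.com", "default", "default", now), "\n"))
}
```

The expired issuer in the sample shows why every certificate in the chain needs its own series: the leaf still reports 9 days while the chain as a whole is already invalid.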

Installation

The easiest way to deploy our exporter is with the Helm chart:

  • Add the Facets helm repository:
helm repo add k8s-ssl-validity-exporter https://facets-cloud.github.io/k8s-ssl-validity-exporter/charts
  • Install the helm chart:
helm install k8s-ssl-validity-exporter k8s-ssl-validity-exporter/k8s-ssl-validity-exporter

If you use the prometheus-operator, our Helm chart creates a ServiceMonitor so that your Prometheus is configured to scrape the new ssl_expiry metric.

Setting Up Prometheus Alerts

To configure Prometheus to alert the relevant teams when an SSL certificate is nearing expiration, create a new rule using the following YAML:

apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  labels:
    alert_group_name: ssl-alert
    role: alert-rules
  name: ssl-expiry
  namespace: default
spec:
  groups:
  - name: ssl-expiry
    partial_response_strategy: ""
    rules:
    - alert: ssl_expiry
      annotations:
        message: The SSL certificate for {{ $labels.domain }} will expire soon.
        summary: The SSL certificate for {{ $labels.domain }} in ingress rule {{ $labels.ingress }}
          will expire in {{ $value }} days.
      expr: ssl_expiry < 7
      for: 1m
      labels:
        resource_name: '{{ $labels.ingress }}'
        resource_type: ingress
        severity: critical
        team: infra
      

With this setup, tracking SSL certificate expiration dates will be a breeze, and you can rest easy knowing that your website is secure.

Before you go…

Facets uses the K8s SSL Validity Exporter extensively in our product, as do our customers, and website downtime due to SSL certificate expiration has become a thing of the past.

We welcome you to try it and let us know your feedback. You can also contribute directly to the GitHub project.

At Facets, we solve these types of issues on a daily basis. We recommend you try out our self-serve DevOps automation platform, Facets.cloud. Reach out to our teams for a demo and learn how we can help you transform the last mile of cloud delivery!
