Question 1

How to set up certificate expiry monitor in Kubernetes?

Accepted Answer

Deploy using the provided Kubernetes manifest, configuring flags like -labels for pod selection and -domains for target certificates, and expose the /metrics endpoint for Prometheus scraping.

Question 2

Certificate expiry monitor vs cert-manager: which should I use?

Accepted Answer

Certificate expiry monitor is for monitoring and alerting on expiring TLS certificates, while cert-manager handles issuance and renewal. They are complementary; use both for full certificate lifecycle management in Kubernetes.

Question 3

How to create Prometheus alerts for expiring certificates?

Accepted Answer

Leverage metrics like certificate_expiry_monitor_seconds_until_cert_expires to define alert rules in Prometheus, such as alerting when certificates have less than 30 days until expiry.

Question 4

Can it monitor external domains not in Kubernetes?

Accepted Answer

No, it's designed specifically for Kubernetes pods and ingresses; for external servers, you'll need a different monitoring solution or custom integration.

Question 5

What if my pods use self-signed certificates?

Accepted Answer

It can connect using the -insecure flag to bypass verification, but this should be used cautiously in trusted environments to avoid masking potential security issues.

Question 6

How to exclude certain domains from being checked?

Accepted Answer

Use the -ignoredDomains flag with regex patterns, e.g., /.*\.test\.com$/ to ignore all test.com subdomains, as explained in the command-line help.

certificate-expiry-monitor

What is certificate-expiry-monitor?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions