Provide the ability to monitor the SSL certificates used by nginx-ingress

We had a conversation with PF9 about the possibility of adding the ability to monitor the SSL certificate expiration of the nginx ingress endpoints.

In our previous platform we monitor the expiration by adding a PrometheusRule resource; another option would be to expose the configuration of the black-box exporter in order to define the HTTPS URL to be monitored.

Here is the Prometheus Rule that can be used to monitor the expiration metric exposed by the nginx ingress:

apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: prometheus-rules-nginx-ingress-ssl-cert-expiry
  namespace: rackspace-system
spec:
  groups:
    - name: ssl_cert_expiry
      rules:
        # Days until expiry per host, derived from the controller's expiry timestamp
        - record: nginx_ingress_controller_ssl_expire_time_days:avg
          expr: |
            (avg(nginx_ingress_controller_ssl_expire_time_seconds{}) by (host) - time()) / 86400
        # Warning: fewer than 30 days left
        - alert: SSLCertExpiryWarn
          annotations:
            summary: 'The SSL certificate {{ $labels.host }} expires in less than 30 days'
            description: 'The SSL certificate will expire in {{ humanize $value }} days'
          expr: |
            nginx_ingress_controller_ssl_expire_time_days:avg < 30
          for: 5m
          labels:
            severity: warning
        # Critical: fewer than 7 days left
        - alert: SSLCertExpiryCrit
          annotations:
            summary: 'The SSL certificate {{ $labels.host }} expires in less than 7 days'
            description: 'The SSL certificate will expire in {{ humanize $value }} days'
          expr: |
            nginx_ingress_controller_ssl_expire_time_days:avg < 7
          for: 5m
          labels:
            severity: critical
  • Guest
  • May 23 2022
  • Guest commented
    August 29, 2022 07:04

    Ensure subway surfers that the SSL certificates used by nginx-ingress are valid. In particular, check that the bit length and key size match those of the certificate being used.
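
An added example, not part of the original request and not project code: Python that parses a constructed scrape of `nginx_ingress_controller_ssl_expire_time_seconds` and applies the 30-day and 7-day thresholds from the rule above per host, once with `avg` as in the rule and once with `min`, which differ when several series for one host disagree. The `pod` label, the host names and all sample values are assumptions made up for the illustration.

```python
import re
from collections import defaultdict

METRIC = "nginx_ingress_controller_ssl_expire_time_seconds"
LINE_RE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)$')
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

NOW = 1_700_000_000  # constructed "current time" (Unix seconds)

# Constructed scrape: two pods (assumed label) report different expiries for
# shop.example.com, e.g. one still serving the old certificate (5 days left)
# and one already serving the renewed certificate (85 days left).
SAMPLE = """\
# TYPE nginx_ingress_controller_ssl_expire_time_seconds gauge
nginx_ingress_controller_ssl_expire_time_seconds{host="shop.example.com",pod="ingress-a"} 1700432000
nginx_ingress_controller_ssl_expire_time_seconds{host="shop.example.com",pod="ingress-b"} 1707344000
nginx_ingress_controller_ssl_expire_time_seconds{host="api.example.com",pod="ingress-a"} 1701728000
nginx_ingress_controller_ssl_expire_time_seconds{host="blog.example.com",pod="ingress-a"} 1717280000
"""

def expiry_by_host(text):
    """Collect every expiry timestamp of the metric, grouped by the host label."""
    stamps = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != METRIC:
            continue  # comments, blank lines and other metrics
        labels = dict(LABEL_RE.findall(m.group(2)))
        stamps[labels.get("host", "")].append(float(m.group(3)))
    return stamps

def severity(days):
    """Same thresholds as SSLCertExpiryCrit (< 7) and SSLCertExpiryWarn (< 30)."""
    if days < 7:
        return "critical"
    if days < 30:
        return "warning"
    return "ok"

def evaluate(text, now):
    """Per host: severity from the averaged expiry and from the earliest expiry."""
    report = {}
    for host, stamps in expiry_by_host(text).items():
        avg_days = (sum(stamps) / len(stamps) - now) / 86400
        min_days = (min(stamps) - now) / 86400
        report[host] = {"avg": severity(avg_days), "min": severity(min_days)}
    return report

if __name__ == "__main__":
    for host, result in evaluate(SAMPLE, NOW).items():
        print(host, result)
```

For the constructed shop.example.com series the average is 45 days, so the `avg`-based thresholds stay quiet while the earliest certificate is 5 days from expiry.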