CustomerCertificateExpiring alerts are sent to subscribers via email.
Observations
Here are the details on the alerts:
Alert: CustomerCertificateExpiring
Expression: (avg(nginx_ingress_controller_ssl_expire_time_seconds{kubernetes_pod_name=".",namespace=".",ingress=~".*"}) by (tenant,host,k8s_cluster_name,k8s_cluster_id) - time()) / (24*60*60) < 14
Delay: 0 minutes
Labels: team: customer
Annotations: host, summary, description, tenant, cluster_id, cluster_name
Determine the ingress(es) using the certificate
The alert notes the host certificate that is expiring (or has expired) and the cluster where the ingress is running. Find the ingress using the certificate on the cluster noted in the alert.
Here’s how to find the ingress using kubectl:
kubectl config use-context <cluster in alert>
kubectl get ingress -A | grep "<host in alert>"
Results
Note the namespace of the ingress in the first column and the ingress name in the second column.
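The same lookup can be done against the ingress spec instead of the table text, which also reports the TLS secret holding the certificate and avoids substring matches on similar hostnames. This is an added example, not part of the original runbook: the sample JSON is constructed, and the function names host_matches and find_ingresses are hypothetical. On a real cluster the input would be the output of kubectl get ingress -A -o json.

```python
import json

# Constructed sample of `kubectl get ingress -A -o json` output (not real cluster data).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "storefront"},
   "spec": {"tls": [{"hosts": ["shop.example.com"], "secretName": "shop-tls"}],
            "rules": [{"host": "shop.example.com"}]}},
  {"metadata": {"namespace": "docs", "name": "wiki"},
   "spec": {"tls": [{"hosts": ["*.example.com"], "secretName": "wildcard-tls"}],
            "rules": [{"host": "wiki.example.com"}, {"host": "shop.example.com"}]}},
  {"metadata": {"namespace": "internal", "name": "plain-http"},
   "spec": {"rules": [{"host": "shop.example.com.internal"}]}}
]}
""")


def host_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host


def find_ingresses(ingress_list, alert_host):
    """Return sorted (namespace, name, tls_secret) tuples for ingresses serving alert_host.

    tls_secret is None when the ingress routes the host but has no matching TLS entry.
    """
    found = set()
    for item in ingress_list.get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        secrets = [t.get("secretName") for t in spec.get("tls", [])
                   if any(host_matches(h, alert_host) for h in t.get("hosts", []))]
        routed = any(host_matches(r.get("host", ""), alert_host)
                     for r in spec.get("rules", []))
        if secrets:
            found.update((meta["namespace"], meta["name"], s) for s in secrets)
        elif routed:
            found.add((meta["namespace"], meta["name"], None))
    return sorted(found, key=lambda t: (t[0], t[1], t[2] or ""))


if __name__ == "__main__":
    for ns, name, secret in find_ingresses(SAMPLE, "shop.example.com"):
        print(f"{ns}\t{name}\t{secret or '-'}")
```

In the constructed sample, grep "shop.example.com" would also match the unrelated host shop.example.com.internal; the spec-based match does not.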
dns01 certificates can also be renewed with a DNS ACME challenge. To renew the certificate using DNS, a TXT record for _acme-challenge.<YOUR_DOMAIN> must be added to the domain's DNS records.