A Prometheus exporter for certificates focusing on expiration monitoring
5M+
A Prometheus exporter for X.509 certificates, built for Kubernetes first. It watches your cluster's TLS material as native Kubernetes resources — Secrets, ConfigMaps, kubeconfigs, on-disk PKI on the nodes — and turns expirations into actionable Prometheus series. Designed to run inside the cluster it observes, but equally happy as a standalone binary.
kubernetes.io/tls, opaque PEM bundles,
full chains — across all namespaces or a curated subset.ca.crt, custom keys).tryEmptyPassphrase).cluster and user block exposed as its own series.*, **, ?), atomic symlink swaps
detected on the next poll (certbot renewals, kubelet projected ..data/
mounts), and dual deployment: inside the exporter pod or as a
node-local DaemonSet for cluster PKI (kubelet, etcd, kube-apiserver).| Where to go | What you'll find |
|---|---|
| Install on Kubernetes | Helm chart values, secretTypes / PKCS#12 wiring, hostPath PKI DaemonSets |
| Metrics | Per-cert / per-source / health series, label schema, PromQL examples |
| Hardening | Supply-chain verification, SBOM queries, immutable-digest pinning |
| FAQ | Memory sizing, cardinality control, HA, non-Kubernetes use |
| Contributing | Dev loop with Tilt + k3d + Dagger, conventions, release flow |
Content type
Image
Digest
sha256:1b432dd4a…
Size
16.6 MB
Last updated
about 2 months ago
docker pull enix/x509-certificate-exporter:4.2.0-rc.1-busybox