Log issuer certificate expiry #13615

Open

n-oden
Contributor

@n-oden n-oden commented Jan 30, 2025

Problem: There is currently no simple way to monitor the expiration time of the issuer certificate in use by linkerd; a surprising omission considering that issuer cert expiration will almost certainly cause visible cluster issues.

Solution: When a new issuer certificate is loaded, log its NotAfter time in unix epoch format, along with the current process wall clock time. The two timestamps are passed in via the logrus Fields pattern, allowing operators to easily pull these numbers from pod logs.

Fixes: #11215

When a new issuer certificate is loaded, log its NotAfter time
in unix epoch format, along with the current process wall clock time.

This addresses linkerd#11215

Signed-off-by: Nathan J. Mehl <[email protected]>
@n-oden n-oden requested a review from a team as a code owner January 30, 2025 19:10
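
An added example, not code from this pull request or from linkerd: Go code showing how an operator could pull the two logged timestamps out of pod logs and alert on the remaining validity. The field names `issuer_not_after` and `current_time`, the sample log text and the alert threshold are assumptions, since the page does not show the keys the patch uses.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Hypothetical field names: the page does not state the keys the patch logs.
const fieldNotAfter, fieldLoggedAt = "issuer_not_after", "current_time"

// Constructed sample in logrus text-formatter style, not real linkerd output.
const sampleLogs = `time="2025-01-30T19:10:00Z" level=info msg="starting admin server"
time="2025-01-30T19:10:01Z" level=info msg="loaded issuer certificate" current_time=1738264201 issuer_not_after=1738350601
time="2025-01-31T02:00:00Z" level=info msg="loaded issuer certificate" current_time=1738288800 issuer_not_after=1769824800`

// field returns the integer value of an unquoted key=value pair in a logfmt line.
func field(line, key string) (int64, bool) {
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok && k == key {
			n, err := strconv.ParseInt(v, 10, 64)
			return n, err == nil
		}
	}
	return 0, false
}

// IssuerExpiry returns the newest issuer's NotAfter and its validity left at load time.
func IssuerExpiry(logs string) (notAfter time.Time, left time.Duration, found bool) {
	for _, line := range strings.Split(logs, "\n") {
		na, ok1 := field(line, fieldNotAfter)
		at, ok2 := field(line, fieldLoggedAt)
		if ok1 && ok2 { // skip unrelated or malformed lines
			notAfter, left, found = time.Unix(na, 0), time.Duration(na-at)*time.Second, true
		}
	}
	return
}

// NeedsRotation: true if the issuer expires within warn of now, or was never logged.
func NeedsRotation(logs string, now time.Time, warn time.Duration) bool {
	notAfter, _, found := IssuerExpiry(logs)
	return !found || notAfter.Sub(now) < warn
}

func main() {
	fmt.Println(IssuerExpiry(sampleLogs))
}
```

Treating a missing log line as a failure keeps a pod that never logged an issuer load from passing the check silently.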
@n-oden
Contributor Author

n-oden commented Jan 30, 2025

cc: @whickman :)

@n-oden
Contributor Author

n-oden commented Jan 30, 2025

(IMO it would be somewhat preferable to expose this as a prometheus metric, but to put it mildly I found the internal metrics story here opaque. If someone wanted to hold my hand a bit, I'd happily add it. But in the meantime, the log line should suffice for the basic case.)


Successfully merging this pull request may close these issues.

Metrics for certificate expiry