Perform analysis and checks on Certificates found in the cluster

The certificates analyzer alerts users when a certificate is either invalid or nearing its expiration date. This analyzer's outcome when clause compares the condition specified with the resources present on the certificates.

The when value in an outcome of this analyzer contains the certificates that match the filters, if any filters are defined. If no filters are defined, the when value is based on the validity of the certificate. For pass outcomes, the valid certificate is matched. For fail outcomes, the invalid certificate is matched.

The conditional in the when value supports the following filters:

Filter NameDescription
notAfter < TodayIndicates that the expiration date of the certificate must be earlier than the current day.
notAfter < Today + () daysIndicates that the expiration date of the certificate must be within a certain number of days from the current day. Expressed as a number. For example, 365.

Collectors do not automatically include certificates because they often contain sensitive information. You can include the certificates collector in a set of collectors to collect data about certificates.

Example Analyzer Definition

apiVersion: troubleshoot.sh/v1beta2
kind: SupportBundle
  name: default
    - certificates: 
          - name: envoycert
              - projectcontour
          - name: kube-root-ca.crt
              - kurl
    - certificates: # Iterate through list of certificates
          - pass:
              message: "certificate is valid"
          - warn:
              when: "notAfter < Today + 365 days"
              message: "certificate is about to expire"
          - fail:
              when: "notAfter < Today"
              message: "certificate has expired"
Edit on GitHub