Parameters

The parent key for all of the following parameters is cert_exporter.

`images`

type	dictionary

Dictionary containing the container images used by this component.

`charts`

type	dictionary

Dictionary containing the helm charts used by this component.

`alerts`

type	dictionary

Configuration parameters related to influencing the resulting alert rules.

`ignoreNames`

type	list
default	`[]`

This parameter can be used to disable alerts provided by cert-exporter. The component supports removing entries in this parameter by providing the entry prefixed with ~.

`patchRules`

type	dict
default	{}

This parameter allows users to patch upstream alert. The keys in the parameter correspond to the field alertname of the alert to patch. The component expects valid partial Prometheus alert rule objects as values.

The provided values aren’t validated, they’re applied to the corresponding upstream alert as-is.

Example

patchRules:
  SYN_CertificateExpiration:
    expr: '((x509_cert_not_after{secret_namespace=~"(syn|vshn).*"} - time()) / 86400) < 14'

`include_namespaces`

type	list
default	[]

Restrict the list of namespaces the TLS Secrets exporter should scan for certificates to watch (all namespaces if empty).

`exclude_namespaces`

type	list
default	[]

Exclude namespaces from being scanned by the TLS Secrets exporter (evaluated after include_namespaces).

`include_labels`

type	list
default	[]

Only watch TLS Secrets having those labels (all secrets if empty). Items can be keys such as my-label or also require a value with the syntax my-label=my-value.

`exclude_labels`

type	list
default	[]

Exclude TLS Secrets having those labels. Items can be keys such as my-label or also require a value with the syntax my-label=my-value.

`watch_dirs`

type	list
default	[]

List of directory paths of the host to scan for PEM encoded certificate files to be watched and exported as metrics (one level deep).

`watch_files`

type	list
default	[]

List of file paths of the host for PEM encoded certificates to be watched and exported as metrics.

`watch_kubeconf`

type	list
default	[]

List of Kubeconf file paths of the host to scan for embedded certificates to export metrics about.

`openshift_cluster_monitoring`

type	bool
default	`true`

Adds the openshift.io/cluster-monitoring=true label to the cert-exporter namespace if OpenShift is detected.

`daemonsets`

type	map
default	{}

Configure the host-path exporter to watch certificates stored on the node itself. See the example below on how to enable a daemon set and read the documentation of the helm chart.

Example

ignore_alerts:
  - X509ExporterReadErrors
include_namespaces:
  - openshift-ingress
watch_dirs:
  - /etc/kubernetes/ssl
daemonsets:
  master:
    nodeSelector:
      node-role.kubernetes.io/master: ""
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
  worker:
    nodeSelector:
      node-role.kubernetes.io/worker: ""