Prometheus Metrics
To help with operations and insights into cert-manager activities, cert-manager exposes metrics in the Prometheus format from the controller component. These are available at the standard /metrics path of the controller component's configured HTTP port.
Scraping Metrics
How metrics are scraped will depend on how you're operating your Prometheus server(s). These examples presume the Prometheus Operator is being used to run Prometheus, and configure PodMonitor or ServiceMonitor CRDs.
Helm
If you're deploying cert-manager with Helm, a ServiceMonitor resource can be configured. The following values enable metric scraping, and the configuration can be further tweaked as described in the Helm configuration documentation.

prometheus:
  enabled: true
  servicemonitor:
    enabled: true
Regular Manifests
If you're not using Helm to deploy cert-manager and instead using the provided regular YAML manifests, this example PodMonitor and deployment patch should be all you need to start ingesting cert-manager metrics.
- Apply the following patch to your cert-manager deployment
spec:
  template:
    spec:
      containers:
      - name: cert-manager-controller
        ports:
        - containerPort: 9402
          name: http-metrics   # must match the port name used in the PodMonitor below
          protocol: TCP
- Create the following PodMonitor

apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
spec:
  jobLabel: app.kubernetes.io/name
  selector:
    matchLabels:
      app: cert-manager
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "controller"
  podMetricsEndpoints:
  - port: http-metrics
    honorLabels: true
TLS
TLS can be enabled on the metrics endpoint for end-to-end encryption. This is achieved either by using pre-signed static certificates or by using the internal dynamic certificate signing.
Static certificates
Static certificates can be provided to the cert-manager controller to use when listening on the metrics endpoint. If the certificate files change on disk, cert-manager reloads them, allowing zero-downtime rotation.
Static certificates can be specified via the flags --metrics-tls-cert-file and --metrics-tls-private-key-file, or the corresponding config file parameters metricsTLSConfig.filesystem.certFile and metricsTLSConfig.filesystem.keyFile.
The certificate and private key must be mounted into the controller pod for this to work; if cert-manager is deployed using Helm, the .volumes[] and .mounts[] properties can facilitate this.
An example config file would be:
apiVersion: controller.config.cert-manager.io/v1alpha1
kind: ControllerConfiguration
metricsTLSConfig:
  filesystem:
    certFile: "/path/to/cert.pem"
    keyFile: "/path/to/key.pem"
Dynamic certificates
In this mode cert-manager will create a CA in a named Secret, then use this CA to sign the metrics endpoint certificate. This mode also takes care of rotation, automatically rotating the certificate as required.
Dynamic certificates can be specified via the flags --metrics-dynamic-serving-ca-secret-namespace, --metrics-dynamic-serving-ca-secret-name and --metrics-dynamic-serving-dns-names, or the corresponding config file parameters metricsTLSConfig.dynamic.secretNamespace, metricsTLSConfig.dynamic.secretName and metricsTLSConfig.dynamic.dnsNames.
An example config file would be:
apiVersion: controller.config.cert-manager.io/v1alpha1
kind: ControllerConfiguration
metricsTLSConfig:
  dynamic:
    secretNamespace: "cert-manager"
    secretName: "cert-manager-metrics-ca"
    dnsNames:
    - cert-manager-metrics
    - cert-manager-metrics.cert-manager
    - cert-manager-metrics.cert-manager.svc
When using Prometheus, the CA generated by cert-manager can be trusted as part of the PodMonitor or ServiceMonitor spec. The serverName must be one of the configured dnsNames, and the CA Secret is read from the monitor's namespace:

apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/component: "controller"
spec:
  jobLabel: app.kubernetes.io/name
  selector:
    matchLabels:
      app: cert-manager
      app.kubernetes.io/name: cert-manager
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: "controller"
  podMetricsEndpoints:
  - port: http-metrics
    scheme: https
    honorLabels: true
    # TLS config trusting the CA and specifying the server name
    tlsConfig:
      serverName: cert-manager-metrics
      ca:
        secret:
          name: cert-manager-metrics-ca
          key: "tls.crt"
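The deployment patch, the ControllerConfiguration and the PodMonitor above only work together when several values line up: the PodMonitor's port name must match a container port name, the scheme must be https exactly when TLS is configured, the serverName must be one of the dynamic dnsNames, and the CA Secret referenced by the monitor must be the one cert-manager writes. The following script is an added example (not part of the cert-manager docs or project) that cross-checks those relationships before the manifests are applied. The three manifests are constructed copies of the page's examples written as Python dicts, so the check runs offline without a YAML parser or a cluster; the assumption that the Prometheus Operator resolves the tlsConfig CA Secret in the monitor's own namespace is encoded as a check.

```python
"""Cross-check cert-manager metrics wiring (added example, not cert-manager code).

Constructed inputs mirror the page's deployment patch, dynamic-TLS
ControllerConfiguration and TLS-enabled PodMonitor.
"""

DEPLOYMENT_PATCH = {
    "spec": {"template": {"spec": {"containers": [
        {"name": "cert-manager-controller",
         "ports": [{"containerPort": 9402, "name": "http-metrics", "protocol": "TCP"}]},
    ]}}},
}

CONTROLLER_CONFIG = {
    "apiVersion": "controller.config.cert-manager.io/v1alpha1",
    "kind": "ControllerConfiguration",
    "metricsTLSConfig": {"dynamic": {
        "secretNamespace": "cert-manager",
        "secretName": "cert-manager-metrics-ca",
        "dnsNames": ["cert-manager-metrics",
                     "cert-manager-metrics.cert-manager",
                     "cert-manager-metrics.cert-manager.svc"],
    }},
}

POD_MONITOR = {
    "apiVersion": "monitoring.coreos.com/v1",
    "kind": "PodMonitor",
    "metadata": {"name": "cert-manager", "namespace": "cert-manager"},
    "spec": {"podMetricsEndpoints": [{
        "port": "http-metrics", "scheme": "https", "honorLabels": True,
        "tlsConfig": {"serverName": "cert-manager-metrics",
                      "ca": {"secret": {"name": "cert-manager-metrics-ca",
                                        "key": "tls.crt"}}},
    }]},
}


def container_port_names(patch):
    """Collect every named container port in the deployment patch."""
    names = set()
    for container in patch["spec"]["template"]["spec"]["containers"]:
        for port in container.get("ports", []):
            names.add(port["name"])
    return names


def check_wiring(patch, config, monitor):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    port_names = container_port_names(patch)
    tls = config.get("metricsTLSConfig") or {}
    if "filesystem" in tls and "dynamic" in tls:
        problems.append("metricsTLSConfig sets both filesystem and dynamic; choose one")
    dynamic = tls.get("dynamic")

    for ep in monitor["spec"]["podMetricsEndpoints"]:
        if ep["port"] not in port_names:
            problems.append(f"PodMonitor port {ep['port']!r} matches no container port "
                            f"name {sorted(port_names)}; nothing would be scraped")
        scheme = ep.get("scheme", "http")  # Prometheus Operator defaults to http
        if tls and scheme != "https":
            problems.append("metrics endpoint serves TLS but PodMonitor scheme is not https")
        if not tls and scheme == "https":
            problems.append("PodMonitor scrapes https but no metricsTLSConfig is set")

        if dynamic:
            tc = ep.get("tlsConfig") or {}
            server_name = tc.get("serverName")
            if server_name not in dynamic["dnsNames"]:
                problems.append(f"serverName {server_name!r} is not in dnsNames; "
                                "certificate verification would fail")
            ca_secret = (tc.get("ca") or {}).get("secret") or {}
            if ca_secret.get("name") != dynamic["secretName"]:
                problems.append("PodMonitor CA secret name differs from "
                                "metricsTLSConfig.dynamic.secretName")
            # Assumption: the Operator reads the CA Secret from the monitor's namespace.
            if monitor["metadata"]["namespace"] != dynamic["secretNamespace"]:
                problems.append("PodMonitor and CA Secret live in different namespaces")
    return problems


if __name__ == "__main__":
    for problem in check_wiring(DEPLOYMENT_PATCH, CONTROLLER_CONFIG, POD_MONITOR) or ["ok"]:
        print(problem)
```

Run it as part of a manifest review or a CI step; any non-empty result points at the exact field that would leave Prometheus with no targets or with a TLS handshake failure.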
Monitoring Mixin
Monitoring mixins are a way to bundle common alerts, rules, and dashboards for an application in a configurable and extensible way, using the Jsonnet data templating language. A cert-manager monitoring mixin can be found at https://gitlab.com/uneeq-oss/cert-manager-mixin. Documentation on usage can be found with the cert-manager-mixin project.