groups: - name: x509-certificate-exporter.rules rules: - alert: X509ExporterReadErrors annotations: description: Over the last 15 minutes, this x509-certificate-exporter instance has experienced errors reading certificate files or querying the Kubernetes API. This could be caused by a misconfiguration if triggered when the exporter starts. summary: Increasing read errors for x509-certificate-exporter expr: delta(x509_read_errors[15m]) > 0 for: 5m labels: severity: warning - alert: CertificateError annotations: description: Certificate could not be decoded {{if $labels.secret_name }} in Kubernetes secret "{{ $labels.secret_namespace }}/{{ $labels.secret_name }}"{{else}}at location "{{ $labels.filepath }}"{{end}} summary: Certificate cannot be decoded expr: x509_cert_error > 0 for: 15m labels: severity: warning - alert: CertificateRenewal annotations: description: Certificate for "{{ $labels.subject_CN }}" should be renewed {{if $labels.secret_name }}in Kubernetes secret "{{ $labels.secret_namespace }}/{{ $labels.secret_name }}"{{else}}at location "{{ $labels.filepath }}"{{end}} summary: Certificate should be renewed expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 28 for: 15m labels: severity: warning - alert: CertificateExpiration annotations: description: Certificate for "{{ $labels.subject_CN }}" is about to expire {{if $labels.secret_name }}in Kubernetes secret "{{ $labels.secret_namespace }}/{{ $labels.secret_name }}"{{else}}at location "{{ $labels.filepath }}"{{end}} summary: Certificate is about to expire expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 14 for: 15m labels: severity: critical