manifests/rules/x509-exporter.yaml

groups:
  - name: x509-certificate-exporter.rules
    rules:
      - alert: X509ExporterReadErrors
        annotations:
          description:
            Over the last 15 minutes, this x509-certificate-exporter instance
            has experienced errors reading certificate files or querying the Kubernetes
            API. This could be caused by a misconfiguration if triggered when the exporter
            starts.
          summary: Increasing read errors for x509-certificate-exporter
        expr: delta(x509_read_errors[15m]) > 0
        for: 5m
        labels:
          severity: warning
      - alert: CertificateError
        annotations:
          description:
            Certificate could not be decoded {{if $labels.secret_name }} in
            Kubernetes secret "{{ $labels.secret_namespace }}/{{ $labels.secret_name }}"{{else}}at
            location "{{ $labels.filepath }}"{{end}}
          summary: Certificate cannot be decoded
        expr: x509_cert_error > 0
        for: 15m
        labels:
          severity: warning
      - alert: CertificateRenewal
        annotations:
          description:
            Certificate for "{{ $labels.subject_CN }}" should be renewed {{if
            $labels.secret_name }}in Kubernetes secret "{{ $labels.secret_namespace }}/{{
            $labels.secret_name }}"{{else}}at location "{{ $labels.filepath }}"{{end}}
          summary: Certificate should be renewed
        expr:
          ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="",
          issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 28
        for: 15m
        labels:
          severity: warning
      - alert: CertificateExpiration
        annotations:
          description:
            Certificate for "{{ $labels.subject_CN }}" is about to expire {{if
            $labels.secret_name }}in Kubernetes secret "{{ $labels.secret_namespace }}/{{
            $labels.secret_name }}"{{else}}at location "{{ $labels.filepath }}"{{end}}
          summary: Certificate is about to expire
        expr:
          ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="",
          issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 14
        for: 15m
        labels:
          severity: critical