cert-manager Integration
Certificate expiry tracking, issuance latency, and renewal event monitoring for cert-manager. Never get surprised by an expired certificate again — TigerOps tracks every cert across all your clusters.
How It Works
Scrape cert-manager Metrics
TigerOps scrapes cert-manager controller Prometheus metrics from the controller-manager pod. Enable the --enable-certificate-owner-ref flag and expose metrics on port 9402.
Configure Certificate Monitoring
Add the cert-manager metrics endpoint to TigerOps scrape config. TigerOps collects certificate expiry timestamps, renewal attempt counts, and issuance latency histograms automatically.
Set Expiry Alerts
Configure expiry alerts at 30, 14, and 7 days before certificate expiration. TigerOps evaluates certmanager_certificate_expiration_timestamp_seconds against current time continuously.
Monitor Renewal Health
TigerOps tracks cert-manager ACME order and challenge events. Alert on failed ACME challenges, repeated renewal failures, and certificates that have not renewed within the expected window.
What You Get Out of the Box
Certificate Expiry Countdown
Track days until expiry for every certificate managed by cert-manager. TigerOps dashboards show expiry countdowns per namespace, issuer, and secret name — across all your Kubernetes clusters.
ACME Order and Challenge Monitoring
Monitor ACME HTTP-01 and DNS-01 challenge states and completion times. TigerOps alerts on stuck challenges (pending >10 minutes) and tracks the order success/failure rate per ACME issuer.
Certificate Issuance Latency
Track how long cert-manager takes to issue new certificates from RequestCertificate to Ready state. TigerOps histograms show p50/p95/p99 issuance latency per issuer and certificate type.
Renewal Failure Detection
cert-manager emits Kubernetes events on renewal failures. TigerOps ingests these events and fires alerts when a certificate fails renewal more than once in a configurable window.
Issuer Health Monitoring
Track cert-manager Issuer and ClusterIssuer ready status. TigerOps alerts when an issuer transitions to NotReady, preventing silent certificate renewal failures across an entire namespace.
Certificate Rotation Rate Tracking
Monitor certificate rotation frequency per namespace and issuer. Track whether short-lived certificates (90-day ACME) are renewing on schedule — at the 2/3 lifetime renewal point.
TigerOps Scrape Config for cert-manager
Configure TigerOps to scrape cert-manager metrics and set certificate expiry alert rules.
# TigerOps scrape configuration for cert-manager
scrape_configs:
  - job_name: cert-manager
    kubernetes_sd_configs:
      - role: pod
        namespaces:
          names: [cert-manager]
    relabel_configs:
      # Keep only the cert-manager controller pods
      - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name]
        action: keep
        regex: cert-manager
      # Point the scrape at the metrics port, replacing any port already in the discovered address
      - source_labels: [__address__]
        regex: '([^:]+)(?::\d+)?'
        target_label: __address__
        replacement: "${1}:9402"
# Alert rules for cert-manager
# tigerops-certmanager-alerts.yaml
alert_rules:
  - name: cert-manager-certificate-expiry
    rules:
      # certmanager_clock_time_seconds has no namespace/name labels,
      # so it is matched with on() rather than on(namespace, name)
      - alert: CertificateExpiringSoon
        expr: |
          (certmanager_certificate_expiration_timestamp_seconds
            - on() group_left() max(certmanager_clock_time_seconds)) < (30 * 24 * 3600)
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Certificate {{ $labels.namespace }}/{{ $labels.name }} expires in < 30 days"
      - alert: CertificateExpiryCritical
        expr: |
          (certmanager_certificate_expiration_timestamp_seconds
            - on() group_left() max(certmanager_clock_time_seconds)) < (7 * 24 * 3600)
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "Certificate {{ $labels.namespace }}/{{ $labels.name }} expires in < 7 days"
      - alert: CertificateNotReady
        expr: certmanager_certificate_ready_status{condition="False"} == 1
        for: 10m
        labels:
          severity: critical
Common Questions
Which cert-manager metrics does TigerOps collect?
TigerOps collects all cert-manager controller metrics: certmanager_certificate_expiration_timestamp_seconds, certmanager_certificate_ready_status, certmanager_controller_sync_call_count, certmanager_http_acme_client_request_duration_seconds, and certmanager_clock_time_seconds.
How early does TigerOps alert before a certificate expires?
Default alert thresholds are 30 days (warning) and 7 days (critical). You can configure custom thresholds per namespace or per certificate common name. TigerOps evaluates expiry continuously rather than on a daily schedule.
Can TigerOps detect when cert-manager stops renewing certificates silently?
Yes. TigerOps checks that certificates with a 90-day validity are renewed at the expected 2/3 lifetime mark (day 60). If a certificate's notAfter timestamp has not advanced within the expected renewal window, TigerOps fires a "missed renewal" alert.
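The expiry tiers and the missed-renewal check described above, as an added example (not TigerOps or cert-manager code): it parses a constructed sample of cert-manager metrics output, sorts each certificate into the 30/14/7-day tiers, and flags a missed renewal when a 90-day certificate has fewer days left than the 2/3-lifetime renewal point allows. GRACE_DAYS, the sample certificates and the function names are assumptions.

```python
import re

DAY = 86400
THRESHOLD_DAYS = (7, 14, 30)   # alert tiers named on this page, tightest first
LIFETIME_DAYS = 90             # assumed certificate validity (the page's ACME case)
GRACE_DAYS = 2                 # hypothetical slack after the 2/3-lifetime renewal point

# Constructed sample of cert-manager /metrics output, not captured from a real cluster.
SAMPLE = """\
certmanager_clock_time_seconds 1700000000
certmanager_certificate_expiration_timestamp_seconds{name="api-tls",namespace="prod"} 1706998400
certmanager_certificate_expiration_timestamp_seconds{name="new-tls",namespace="staging"} 1702505600
certmanager_certificate_expiration_timestamp_seconds{name="web-tls",namespace="prod"} 1702160000
certmanager_certificate_expiration_timestamp_seconds{name="old-tls",namespace="dev"} 1700432000
certmanager_certificate_ready_status{condition="False",name="old-tls",namespace="dev"} 1
"""

LINE = re.compile(r'^(\w+)(?:\{(.*)\})?\s+(\S+)$')
LABEL = re.compile(r'(\w+)="([^"]*)"')

def parse(text):
    """Yield (metric, labels, value) for each sample line; comment lines do not match."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1), dict(LABEL.findall(m.group(2) or "")), float(m.group(3))

def evaluate(text):
    """Return {(namespace, name): findings} from one scrape of cert-manager metrics."""
    samples = list(parse(text))
    now = next(v for n, _, v in samples if n == "certmanager_clock_time_seconds")
    report = {}
    for metric, labels, value in samples:
        key = (labels.get("namespace"), labels.get("name"))
        if metric == "certmanager_certificate_expiration_timestamp_seconds":
            days_left = (value - now) / DAY
            tier = next((t for t in THRESHOLD_DAYS if days_left < t), None)
            # A 90-day cert renewed at day 60 should never drop below ~30 days left.
            missed = days_left < LIFETIME_DAYS / 3 - GRACE_DAYS
            report.setdefault(key, {}).update(
                days_left=round(days_left, 1), tier=tier, missed_renewal=missed)
        elif (metric == "certmanager_certificate_ready_status"
              and labels.get("condition") == "False" and value == 1):
            report.setdefault(key, {})["not_ready"] = True
    return report

if __name__ == "__main__":
    for key, findings in sorted(evaluate(SAMPLE).items()):
        print(key, findings)
```

In the sample, staging/new-tls crosses the 30-day tier while still inside the grace window, which shows that a 30-day warning on 90-day certificates coincides with normal renewal timing.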
Does TigerOps support monitoring cert-manager across multiple Kubernetes clusters?
Yes. Deploy the TigerOps agent or configure remote scraping for each cluster. Tag metrics with cluster_name. TigerOps provides a cross-cluster certificate expiry dashboard showing all certificates sorted by days remaining.
How does TigerOps monitor ACME DNS-01 challenge completion time?
TigerOps tracks cert-manager ACME order timestamps from Order Created to Order Valid state. DNS-01 challenges that take longer than expected (typically >5 minutes for propagation) trigger a latency anomaly alert in TigerOps.
Never Be Surprised by an Expired Certificate Again
Cross-cluster expiry tracking, ACME challenge monitoring, and renewal failure detection. Complete cert-manager observability in minutes.