Charmed Blackbox Exporter

  • Canonical Observability
Channel Revision Published Runs on
latest/stable 17 28 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
latest/stable 1 16 Jan 2024
Ubuntu 22.04 Ubuntu 20.04
latest/candidate 17 22 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
latest/candidate 1 12 Dec 2023
Ubuntu 22.04 Ubuntu 20.04
latest/beta 17 01 Aug 2024
Ubuntu 22.04 Ubuntu 20.04
latest/beta 1 22 Nov 2023
Ubuntu 22.04 Ubuntu 20.04
latest/edge 21 26 Nov 2024
Ubuntu 22.04 Ubuntu 20.04
latest/edge 1 08 Jun 2021
Ubuntu 22.04 Ubuntu 20.04
juju deploy blackbox-exporter-k8s
Show information

Platform:

Monitoring SSL Certificates

You want to observe your SSL Certificates but don’t know how?

This tutorial will teach you to:

  • monitor your certificates from a cool Grafana dashboard;
  • get alerts when your certificates are about to expire.

Tools

All we need to get started is a few Observability charms. Let’s go through them.

Blackbox Exporter (blackbox-exporter-k8s) is a Prometheus exporter that allows running different kinds of probes (e.g., HTTP, HTTPS, DNS, TCP, ICMP, etc.). When a probe is executed, the exporter returns its results in a metrics page, which can be scraped by Prometheus.
Different probes produce different information: running HTTPS probes gives insights on the SSL certificate expiration time with the probe_ssl_earliest_cert_expiry metric, which is the “last SSL chain expiry in unixtime” (source).

Prometheus (prometheus-k8s) collects and stores metrics as time series data. We will configure it to periodically run the Blackbox Exporter probes.

Alertmanager (alertmanager-k8s) fires alerts and notifies us when the SSL certificates we’re monitoring are about to expire.

Grafana (grafana-k8s) allows us to visualize the information in fancy dashboards.

Step-by-step process

Set up the probes

Start by creating a model (on a Kubernetes controller) for this tutorial, and deploy the Blackbox Exporter.

juju add-model tutorial-blackbox
juju deploy blackbox-exporter-k8s blackbox --trust

You can read a thorough explanation of how to use Blackbox Exporter in our documentation. For the purpose of this tutorial, we need to create a configuration file (which we’ll call probes.yaml) that specifies which HTTPS endpoints should be probed, and then pass it to the exporter.

--- # probes.yaml
scrape_configs:
  - job_name: 'tutorial-blackbox'  # anything you want
    metrics_path: /probe
    params:
      module: [http_2xx]  # Look for a HTTP 200 response.
    static_configs:
      - targets: # List of HTTPS endpoints to observe
        - https://canonical.com
        - https://ubuntu.com
        - https://juju.is
        - https://charmhub.io
        - https://discourse.charmhub.io
        - https://snapcraft.io

Pass the entire file to the Blackbox Exporter charm via juju config:

juju config blackbox probes_file='@probes.yaml'

To have Prometheus execute the probes, simply deploy it and relate it to Blackbox Exporter:

juju deploy prometheus-k8s prometheus --trust
juju relate blackbox prometheus:metrics-endpoint

You can now navigate to the Prometheus url (on port 9090) and, after waiting for at least 60 seconds for Prometheus to scrape the exporter for the first time, you’ll be able to type probe_ssl_earliest_cert_expiry and see the data in Prometheus.

But this raw data is not useful on its own: let’s leverage the integrations with Grafana and Alertmanager to get some insights on the certificates we want to observe.

Utilize the data

Dashboard and alert rules are automatically bundled with the Blackbox Exporter charm. All we need to do is deploy Grafana and Alertmanager, then wire everything up.

# Deploy the remaining charms
juju deploy grafana-k8s grafana --trust
juju deploy alertmanager-k8s alertmanager --trust

# Create the necessary relations
juju relate prometheus:grafana-source grafana  # Use and configure Prometheus as a datasource in Grafana
juju relate prometheus:alertmanager alertmanager  # Alertmanager can fire notifications when an alert is triggered in Prometheus
juju relate blackbox:grafana-dashboard grafana  # Send the dashboards bundled in Blackbox Exporter to Grafana

Check the alerts in Alertmanager

Navigate to the Alertmanager UI (on port 9093). You’ll see the alerts that Blackbox Exporter is sending to Prometheus over the metrics-endpoint relation.

You’ll get two types of alerts:

  • a warning alert, when the certificate will expire in less than 30 days;
  • a critical alert, when the certificate will expire in less than 15 days.

If you want to add different alerts, you can use the cos-configuration-k8s charm to send extra alert rules to Prometheus from a Git repository.

To configure Alertmanager to send you notifications, check our documentation.

Look at the Grafana dashboard

Navigate to Grafana (on port 3000) to take a look at the dashboard. Login with the default admin account: you can get its password by running the get-admin-password action:

juju run grafana/leader get-admin-password

Use the sidebar to navigate to the dashboards, and open the “Blackbox Exporter” one in the “General” folder. The dashboard has lots of information, but the part related to certificate expiration should look like this:

You can sort the table by Certificate Validity by simply clicking on the header, so you can immediately see which certificates will expire first.


Help improve this document in the forum (guidelines). Last updated 3 months ago.