GitHub Repository

A Prometheus exporter for X.509 certificates, built for Kubernetes first but equally happy as a standalone binary

932 stars · Go

X509-certificate-exporter – Prometheus exporter for TLS cert expiration

by solvik·May 12, 2026·8 points·0 comments

AI Analysis

●● Solid · Solve My Problem

Memory-safe watch mode cuts RAM usage 10x on secret-heavy Kubernetes clusters.

Strengths
  • Memory-safe watching prevents RAM spikes when monitoring thousands of certificates
  • SLSA Level 3 provenance and cosign-signed binaries address supply chain security
  • Multi-cluster fan-out allows single instance to monitor distinct kubeconfigs
Weaknesses
  • Crowded category with cert-manager, kubed, and several existing exporters already
  • Requires running inside cluster or having kubeconfig access for remote monitoring
Category
Target Audience

DevOps engineers and SREs managing Kubernetes clusters

Similar To

cert-manager · Kubed · prometheus-community/kube-state-metrics

Post Description

Certificates expire silently. Kubernetes won't warn you, and most teams find out when something breaks. This exporter watches PEM files, kubeconfigs, Kubernetes TLS secrets, and PKCS#12 bundles, and exposes expiration as Prometheus metrics you can alert on. It works standalone too, no Kubernetes required. A Grafana dashboard is included. The new release is a major rewrite, built from experience running this across a large number of production clusters. The main pain point it addresses: at scale, with thousands of certificates, the exporter was putting too much pressure on the Kubernetes API. We also put a lot of care into supply chain security this time around.

Similar Projects

Developer Tools · ●● Solid

CertWarden – SSL certificate monitoring app for iOS

Native SwiftUI app with a tidy card-based UI and an anonymous, device-tied model — no account required — which is a smart privacy-first choice for a monitoring utility. The backend on Cloudflare Workers keeps the footprint minimal and the one‑time Pro unlock for unlimited domains + webhooks/API is pragmatic, but lack of a web dashboard or multi-device sync limits it to solo operators for now.

Niche Gem · Ship It
ismailperim
204mo ago