Uploaded image for project: 'AMQ Streams'
  1. AMQ Streams
  2. ENTMQST-3145

[KAFKA] Add metrics for time to certificate expiration

    XMLWordPrintable

Details

    • False
    • False
    • Undefined

    Description

      The impetus for this comes from ENTMQST-2632.

      The idea is to expose a metric in the broker for each certificate's notAfter time (literally the notAfter of the cert expresses as #seconds from the epoch).

      Certs are reconfigurable, so it could change during runtime. The idea is that once that metric is consumed by something like Prometheus (using e.g. prometheus time query) users could set an alert for knowing when their certs would expire.

      We could do this in a metric reporter too, but it would be a nice feature for Kafka itself.

      It might be a little more complicated than this, since it would be nice to validate the whole cert chain, not just the end-entity certificate, but Java has APIs for that.

      The above will require a KIP.

      Attachments

        Activity

          People

            Unassigned Unassigned
            tom.n.cooper Thomas Cooper (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: