I recently wanted to spot check a certificate for one of our Kubernetes clusters in the EU-West region to ensure it had been updated to the latest version. Normally, I would just load up the website and check the certificate with Chrome. However, since we have multiple clusters and use latency-based DNS routing, all my requests get directed to the US-West cluster and not EU-West.
Instead of mucking around with curl or VPNs, I decided to just read the cert directly out of Kubernetes. We are using cert-manager to provision our certificates so all of the certs end up being stored as Secrets.
I put together a quick one-liner that prints out the expiration date for a certificate named CERTNAME:
kubectl get secret CERTNAME -o "jsonpath={.data['tls\.crt']}" | base64 -D | openssl x509 -enddate -noout
If all goes well, you should get a lovely single line of output in your console:
> notAfter=Jun 7 16:00:59 2020 GMT
Here's an explanation of each of the steps:
kubectl get secret CERTNAME -o "jsonpath={.data['tls\.crt']}": Reads the certificate information stored in tls.crt out as Base64 encoded text.
base64 -D: Decodes the certificate into plaintext.
openssl x509 -enddate -noout: Parses the certificate and prints out the expiration date.
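The same pipeline turned into a check with an exit code, so it can run from cron or CI over every TLS Secret in a namespace. This is an added example, not part of the original post: the function names cert_status and check_namespace are made up here, and it decodes with openssl base64 -d -A instead of base64 -D because the decode flag differs between macOS and GNU base64. It assumes tls.crt lists the leaf certificate first.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# cert_status [WARN_DAYS]
#   stdin: the base64 value of tls.crt, as printed by the jsonpath query.
#   Prints the notAfter line and returns:
#     0  certificate stays valid for at least WARN_DAYS (default 30)
#     1  certificate expires within WARN_DAYS, or has already expired
#     2  input could not be parsed as a certificate
cert_status() {
    warn_days=${1:-30}
    # Strip whitespace, then decode with openssl so the same command works
    # on macOS and Linux (the page's "base64 -D" is the macOS spelling).
    pem=$(tr -d '[:space:]' | openssl base64 -d -A 2>/dev/null)
    # openssl x509 reads only the first certificate in the PEM data,
    # which is the leaf when tls.crt holds a chain (assumed leaf-first).
    enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || return 2
    echo "$enddate"
    # -checkend N exits 1 if the certificate expires within N seconds.
    printf '%s\n' "$pem" \
        | openssl x509 -noout -checkend $((warn_days * 86400)) >/dev/null
}

# check_namespace NAMESPACE [WARN_DAYS]
#   Runs cert_status over every Secret of type kubernetes.io/tls in NAMESPACE.
#   Returns 1 if any certificate is expiring soon or unreadable.
check_namespace() {
    ns=$1; days=${2:-30}; rc=0
    for name in $(kubectl -n "$ns" get secrets \
                    --field-selector type=kubernetes.io/tls \
                    -o jsonpath='{.items[*].metadata.name}'); do
        printf '%s/%s: ' "$ns" "$name"
        kubectl -n "$ns" get secret "$name" -o "jsonpath={.data['tls\.crt']}" \
            | cert_status "$days" \
            || { rc=1; echo "  ^ expiring soon or unreadable"; }
    done
    return $rc
}
```

Call it as check_namespace NAMESPACE 14 against the kubectl context of the cluster you want to inspect; a non-zero exit means at least one certificate needs attention.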
Hopefully this saves you some time if you are trying to do a quick check on your cert expiration!