@christophlehmann
Created December 30, 2021 14:16
Kubernetes: Check TLS certificate expiration
#!/bin/bash
# Warn about kubernetes.io/tls secrets whose certificate expires soon.
# Requires kubectl, jq, openssl and GNU date (for "date -d").

# 2 weeks
warn_in_seconds=1209600

for namespace in $(kubectl get ns | grep -v ^NAME | awk '{print $1}')
do
    # Match on the TYPE column so a secret that only has the type string in its name is skipped
    for secret in $(kubectl -n "$namespace" get secrets | awk '$2 == "kubernetes.io/tls" {print $1}')
    do
        # "// empty" makes jq print nothing instead of the literal string "null"
        cert=$(kubectl -n "$namespace" get secret "$secret" -o json | jq -r '.data["tls.crt"] // empty')

        # Cert may be empty when not created yet
        if [ -z "$cert" ]
        then
            continue
        fi

        # openssl x509 reads only the first certificate in tls.crt
        notAfter=$(echo -n "$cert" | base64 -d | openssl x509 -enddate -noout)
        if [ -z "$notAfter" ]
        then
            echo "Error: Can not check expiration date of tls secret $namespace/$secret"
            continue
        fi

        # Strip the "notAfter=" prefix and convert the date to a Unix timestamp
        dateString=${notAfter#notAfter=}
        target_timestamp=$(date -d "$dateString" +%s)
        current_timestamp=$(date +%s)
        difference=$((target_timestamp - current_timestamp))

        if [ "$difference" -lt "$warn_in_seconds" ]
        then
            echo "Certificate $namespace/$secret expires on $dateString"
        fi
    done
done