Kubernetes: Check expiration date of TLS (X.509) certificates
TLS (X.509) certificates can be stored directly in a Kubernetes cluster using secrets. In this article you will find a nifty bash one-liner which allows you to examine the expiration dates of such certificates.
The one-liner
The one-liner is as follows:
$ kubectl -n <namespace> get secret <name of secret> -o json | jq -r '.data."tls.crt"' | base64 -d | openssl x509 -enddate -noout
The one-liner makes use of jq. It is a command-line JSON processor. As of now all major Linux distributions provide packages of it in their standard package repositories. To install jq under Debian you can use e.g. the following command:
$ sudo apt install jq
The other commands (base64 and openssl) should already be available under normal circumstances when running a recent Linux distribution.
Example
So now let's try to actually check the expiration date of a certificate. First we let kubectl list all secrets in the ingress namespace of a Kubernetes cluster:
$ kubectl -n ingress get secret
NAME         TYPE                DATA   AGE
<...>
tls-secret   kubernetes.io/tls   3      12d
Then we execute the actual one-liner.
$ kubectl -n ingress get secret tls-secret -o json | jq -r '.data."tls.crt"' | base64 -d | openssl x509 -enddate -noout
notAfter=May 25 21:15:00 2022 GMT
The certificate tls-secret will be valid until May 25 21:15:00 2022 GMT. By the way, certificate management inside Kubernetes can be automated using cert-manager.
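The one-liner checks one secret at a time. As an added example (not part of the original article), the following bash functions apply the same pipeline to every kubernetes.io/tls secret in a namespace and flag certificates that are expired or expire within a given number of days. The function names cert_expiry and check_namespace are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from the article.

# cert_expiry DAYS
# Reads a PEM certificate on stdin and prints "<STATUS> <notAfter date>".
# Returns 0 if valid for more than DAYS days, 1 if expired or expiring,
# 2 if the input is not a parseable certificate.
# openssl x509 reads only the first certificate in its input, so for a
# tls.crt that holds a chain this examines the first entry (normally the leaf).
cert_expiry() {
  local days=$1 pem enddate
  pem=$(cat)
  enddate=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || {
    echo "UNPARSEABLE"
    return 2
  }
  enddate=${enddate#notAfter=}
  # -checkend N exits non-zero if the certificate expires within N seconds.
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo "EXPIRED $enddate"
    return 1
  elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null; then
    echo "EXPIRING $enddate"
    return 1
  fi
  echo "OK $enddate"
}

# check_namespace NAMESPACE DAYS
# Applies the article's pipeline to every kubernetes.io/tls secret in NAMESPACE.
# Returns non-zero if any certificate is expired, expiring or unparseable.
check_namespace() {
  local ns=$1 days=$2 name rc=0
  for name in $(kubectl -n "$ns" get secret \
      --field-selector type=kubernetes.io/tls \
      -o jsonpath='{.items[*].metadata.name}'); do
    printf '%s/%s: ' "$ns" "$name"
    kubectl -n "$ns" get secret "$name" -o json \
      | jq -r '.data."tls.crt"' | base64 -d | cert_expiry "$days" || rc=1
  done
  return "$rc"
}
```

Call it as check_namespace ingress 30; a non-zero exit status means at least one certificate needs attention, which makes it usable from cron or a CI job.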