metrics to check certificate expiry for istio workloads ?

[anannaya]

s there any metrics get cert exipry for istio workloads ? I can only get the istiod and rootCA/intermedia CA from the certmanager_certificate_expiration_timestamp_seconds metric.

[JoshVanL]

Hi @anannaya, AKAIK istio only exposes the following Prometheus metric, which is not very useful for certificates that are signed with a TTL =< 24h.

# TYPE envoy_server_days_until_first_cert_expiring gauge
envoy_server_days_until_first_cert_expiring{} 0

What is the objective of getting this metric? Perhaps there may be other metrics which indicate the same behaviour, such as cert_manager_istio_csr_tls_provider_certificate_requests on istio-csr.