Description
Summary
Expose Prometheus metrics that describe the expiry state of synced 1Password items.
This would allow operations teams to track and alert on credentials nearing expiry using their existing monitoring and alerting systems.
Use cases
Operations teams often rely on 1Password items as the source of truth for credentials automatically synced into Kubernetes.
Currently, expiry information is only visible in the 1Password Watchtower, making it difficult to integrate expiry monitoring into standard alerting pipelines (e.g., Prometheus + Alertmanager).
By exposing expiry-related metrics, teams could:
- Detect items expiring within specific time windows (e.g., 7 days).
- Aggregate expiry data across clusters or namespaces.
- Automate renewal workflows before credentials expire.
- Gain centralized visibility into expiring secrets without accessing the Watchtower UI.
Proposed solution
Extend the existing metrics exported by the 1Password Kubernetes Operator to include expiry-related data for synced items.
Example metrics could include:
| Metric | Type | Description |
|---|---|---|
| `op_k8s_items_with_expiry_total` | Gauge | Number of synced items containing an expiry date |
| `op_k8s_items_expiring_total{le}` | Histogram | Count of items expiring within predefined time windows (e.g., 1 d, 3 d, 7 d, 14 d, 30 d) |
| `op_k8s_items_expired_total` | Counter | Total number of items that have already expired |
| `op_k8s_item_time_to_expiry_seconds{namespace, vault, item_uuid}` (optional) | Gauge | Remaining lifetime of each item (for detailed alerting) |
Is there a workaround to accomplish this today?
Not directly.
The expiry field is already synced by the operator and could theoretically be queried from the resulting Kubernetes Secrets or ConfigMaps, but that would require custom scripting or a separate exporter. No native metrics or standardized solution exist today.
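
The aggregation a separate exporter would have to perform for the proposed aggregate metrics, as an added example that is not code from the operator or from the issue author. `Item`, `windowDays` and `ExpiryMetrics` are hypothetical names, the sample items are constructed, and it assumes values are computed from a point-in-time snapshot in which already-expired items are reported only under `op_k8s_items_expired_total`.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Item is a hypothetical view of one synced item; a zero Expiry means no expiry date.
type Item struct{ UUID string; Expiry time.Time }

// windowDays are the example "le" windows named in the proposal.
var windowDays = []int{1, 3, 7, 14, 30}

// ExpiryMetrics renders the proposed aggregate metrics as Prometheus text.
// Assumption: already-expired items count only toward the expired metric.
func ExpiryMetrics(items []Item, now time.Time) string {
	withExpiry, expired := 0, 0
	within := make([]int, len(windowDays))
	for _, it := range items {
		if it.Expiry.IsZero() {
			continue // no expiry date set on this item
		}
		withExpiry++
		left := it.Expiry.Sub(now)
		if left <= 0 {
			expired++
			continue
		}
		for i, d := range windowDays { // cumulative: le="7d" includes 1d and 3d
			if left <= time.Duration(d)*24*time.Hour {
				within[i]++
			}
		}
	}
	var b strings.Builder
	fmt.Fprintf(&b, "op_k8s_items_with_expiry_total %d\n", withExpiry)
	fmt.Fprintf(&b, "op_k8s_items_expired_total %d\n", expired)
	for i, d := range windowDays {
		fmt.Fprintf(&b, "op_k8s_items_expiring_total{le=\"%dd\"} %d\n", d, within[i])
	}
	return b.String()
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample data
	items := []Item{{"a", now.Add(36 * time.Hour)}, {"b", now.Add(-time.Hour)}, {"c", time.Time{}}}
	fmt.Print(ExpiryMetrics(items, now))
}
```

Passing `now` in explicitly keeps the window boundaries testable. A real exporter would call it with `time.Now()` on each scrape.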