From 31e70186c5e161c0bdb937d569a8a4c363fd7b5d Mon Sep 17 00:00:00 2001
From: Jack Beasley
Date: Tue, 13 Aug 2024 15:37:57 -0700
Subject: [PATCH] Report Metrics on URI and IPAddress Certs

Some client authentication certs do not have DNS subject alt names and thus go un-reported by the current BuildBarn tls certificate expiry reporting. This change adds additional labels for URI and IP address SANs so expiry can be reported for such certs.
---
 pkg/util/tls.go | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/pkg/util/tls.go b/pkg/util/tls.go
index f7a932d5..d9b26672 100644
--- a/pkg/util/tls.go
+++ b/pkg/util/tls.go
@@ -31,7 +31,7 @@ var (
 Name: "certificate_not_before_time_seconds",
 Help: "The value of the \"Not Before\" field of the TLS certificate.",
 },
- []string{"dns_name", "certificate_usage"})
+ []string{"dns_name", "uri", "ip_address", "certificate_usage"})
 tlsCertificateNotAfterTimeSeconds = prometheus.NewGaugeVec(
 prometheus.GaugeOpts{
 Namespace: "buildbarn",
@@ -39,7 +39,7 @@ var (
 Name: "certificate_not_after_time_seconds",
 Help: "The value of the \"Not After\" field of the TLS certificate.",
 },
- []string{"dns_name", "certificate_usage"})
+ []string{"dns_name", "uri", "ip_address", "certificate_usage"})
 )
 
 func init() {
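Review bot: The widened label slice on `tlsCertificateNotBeforeTimeSeconds` (and the identical one on `tlsCertificateNotAfterTimeSeconds` in the next hunk) has no comment stating that each series fills exactly one of `dns_name`, `uri` and `ip_address` and leaves the other two empty. The `WithLabelValues` calls later in the patch depend on this order positionally, so I would add above each slice a comment such as `// Exactly one of dns_name, uri, ip_address is non-empty per series; order must match the WithLabelValues calls.` Expiry alerts or dashboards that group or filter on `dns_name` will now also see series with an empty `dns_name`, which is worth a line in the commit description. The `var (` block begins outside these hunks.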
@@ -74,8 +74,18 @@ func updateTLSCertificateExpiry(cert *tls.Certificate, certificateUsage string)
 return err
 }
 for _, dnsName := range leaf.DNSNames {
- tlsCertificateNotBeforeTimeSeconds.WithLabelValues(dnsName, certificateUsage).Set(float64(leaf.NotBefore.UnixNano()) / 1e9)
- tlsCertificateNotAfterTimeSeconds.WithLabelValues(dnsName, certificateUsage).Set(float64(leaf.NotAfter.UnixNano()) / 1e9)
+ tlsCertificateNotBeforeTimeSeconds.WithLabelValues(dnsName, "", "", certificateUsage).Set(float64(leaf.NotBefore.UnixNano()) / 1e9)
+ tlsCertificateNotAfterTimeSeconds.WithLabelValues(dnsName, "", "", certificateUsage).Set(float64(leaf.NotAfter.UnixNano()) / 1e9)
+ }
+ for _, uri := range leaf.URIs {
+ uriStr := uri.String()
+ tlsCertificateNotBeforeTimeSeconds.WithLabelValues("", uriStr, "", certificateUsage).Set(float64(leaf.NotBefore.UnixNano()) / 1e9)
+ tlsCertificateNotAfterTimeSeconds.WithLabelValues("", uriStr, "", certificateUsage).Set(float64(leaf.NotAfter.UnixNano()) / 1e9)
+ }
+ for _, ip := range leaf.IPAddresses {
+ ipStr := ip.String()
+ tlsCertificateNotBeforeTimeSeconds.WithLabelValues("", "", ipStr, certificateUsage).Set(float64(leaf.NotBefore.UnixNano()) / 1e9)
+ tlsCertificateNotAfterTimeSeconds.WithLabelValues("", "", ipStr, certificateUsage).Set(float64(leaf.NotAfter.UnixNano()) / 1e9)
 }
 return nil
 }
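Review bot: A leaf certificate that carries none of the three SAN kinds (for example one identified only by its subject, or by an e-mail SAN) still falls through all three loops without setting either gauge, so its expiry stays unmonitored, which is the gap this commit sets out to close. After the loops I would add a fallback guarded by `if len(leaf.DNSNames)+len(leaf.URIs)+len(leaf.IPAddresses) == 0` that sets both gauges with `WithLabelValues("", "", "", certificateUsage)`, or at least logs that the certificate is not tracked. Separately, `float64(leaf.NotBefore.UnixNano()) / 1e9` and its NotAfter twin now appear six times; computing `notBefore` and `notAfter` once before the loops would keep the three loops from drifting apart. The start of updateTLSCertificateExpiry is outside the hunk, so whether series for SANs dropped by a rotated certificate are ever deleted cannot be checked from here; if they are not, stale expiry values would keep being exported.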