Instrument nginx to expose the metric "ssl certificate expiration time"
Add a console warning message 10 days before the certificate expires
This commit is contained in:
parent
e258ee19d1
commit
d9cf043552
5 changed files with 41 additions and 3 deletions
|
@ -380,6 +380,7 @@ func (ic *GenericController) syncIngress(key interface{}) error {
|
||||||
|
|
||||||
upstreams, servers := ic.getBackendServers()
|
upstreams, servers := ic.getBackendServers()
|
||||||
var passUpstreams []*ingress.SSLPassthroughBackend
|
var passUpstreams []*ingress.SSLPassthroughBackend
|
||||||
|
|
||||||
for _, server := range servers {
|
for _, server := range servers {
|
||||||
if !server.SSLPassthrough {
|
if !server.SSLPassthrough {
|
||||||
continue
|
continue
|
||||||
|
@ -416,6 +417,7 @@ func (ic *GenericController) syncIngress(key interface{}) error {
|
||||||
|
|
||||||
glog.Infof("ingress backend successfully reloaded...")
|
glog.Infof("ingress backend successfully reloaded...")
|
||||||
incReloadCount()
|
incReloadCount()
|
||||||
|
setSSLExpireTime(servers)
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -1008,6 +1010,12 @@ func (ic *GenericController) createServers(data []interface{},
|
||||||
if isHostValid(host, cert) {
|
if isHostValid(host, cert) {
|
||||||
servers[host].SSLCertificate = cert.PemFileName
|
servers[host].SSLCertificate = cert.PemFileName
|
||||||
servers[host].SSLPemChecksum = cert.PemSHA
|
servers[host].SSLPemChecksum = cert.PemSHA
|
||||||
|
servers[host].SSLExpireTime = cert.ExpireTime
|
||||||
|
|
||||||
|
if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour)) {
|
||||||
|
glog.Warningf("ssl certificate for host %v is about to expire in 10 days", host)
|
||||||
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
|
glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
|
||||||
}
|
}
|
||||||
|
|
|
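Review bot: The warning added in the third controller hunk (`cert.ExpireTime.Before(time.Now().Add(240 * time.Hour))`) also matches a certificate that has already expired, and for that case the message "about to expire in 10 days" is wrong; an expired certificate is the more urgent condition and deserves its own log line at error level, with the actual NotAfter date so an operator can act without opening the secret. The literal `240 * time.Hour` should also be a named constant so the log text, the constant and the example query in the metric's Help string cannot drift apart. createServers starts and ends outside the hunk, so the constant would go at package scope in the same file; if this block runs once per host, `now := time.Now()` can be hoisted above the loop.

```go
// certExpiryWarning is how far ahead of NotAfter a certificate is reported as expiring soon.
const certExpiryWarning = 10 * 24 * time.Hour

// … unchanged: servers[host].SSLCertificate / SSLPemChecksum / SSLExpireTime assignments …
now := time.Now()
switch {
case cert.ExpireTime.Before(now):
	glog.Errorf("ssl certificate for host %v expired on %v", host, cert.ExpireTime)
case cert.ExpireTime.Before(now.Add(certExpiryWarning)):
	glog.Warningf("ssl certificate for host %v expires within 10 days, on %v", host, cert.ExpireTime)
}
```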
@ -18,17 +18,22 @@ package controller
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/prometheus/client_golang/prometheus"
|
"github.com/prometheus/client_golang/prometheus"
|
||||||
|
"k8s.io/ingress/core/pkg/ingress"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
ns = "ingress_controller"
|
ns = "ingress_controller"
|
||||||
operation = "count"
|
operation = "count"
|
||||||
reloadLabel = "reloads"
|
reloadLabel = "reloads"
|
||||||
|
sslLabelExpire = "ssl_expire_time_seconds"
|
||||||
|
sslLabelHost = "host"
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
prometheus.MustRegister(reloadOperation)
|
prometheus.MustRegister(reloadOperation)
|
||||||
prometheus.MustRegister(reloadOperationErrors)
|
prometheus.MustRegister(reloadOperationErrors)
|
||||||
|
prometheus.MustRegister(sslExpireTime)
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -48,6 +53,15 @@ var (
|
||||||
},
|
},
|
||||||
[]string{operation},
|
[]string{operation},
|
||||||
)
|
)
|
||||||
|
sslExpireTime = prometheus.NewGaugeVec(
|
||||||
|
prometheus.GaugeOpts{
|
||||||
|
Namespace: ns,
|
||||||
|
Name: sslLabelExpire,
|
||||||
|
Help: "Number of seconds since 1970 to the SSL Certificate expire. An example to check if this " +
|
||||||
|
"certificate will expire in 10 days is: \"ingress_controller_ssl_expire_time_seconds < (time() + (10 * 24 * 3600))\"",
|
||||||
|
},
|
||||||
|
[]string{sslLabelHost},
|
||||||
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
func incReloadCount() {
|
func incReloadCount() {
|
||||||
|
@ -57,3 +71,11 @@ func incReloadCount() {
|
||||||
func incReloadErrorCount() {
|
func incReloadErrorCount() {
|
||||||
reloadOperationErrors.WithLabelValues(reloadLabel).Inc()
|
reloadOperationErrors.WithLabelValues(reloadLabel).Inc()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func setSSLExpireTime(servers []*ingress.Server) {
|
||||||
|
|
||||||
|
for _, s := range servers {
|
||||||
|
sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLExpireTime.Unix()))
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
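Review bot: setSSLExpireTime (last hunk of this file) sets the gauge for every server in the slice, including servers that were never assigned a certificate; for those SSLExpireTime is the zero time.Time, and `s.SSLExpireTime.Unix()` yields -62135596800, so the example alert in the Help string (`... < (time() + (10 * 24 * 3600))`) fires for every plain-HTTP host and the "expired" signal becomes useless. Skip them with `if s.SSLExpireTime.IsZero() { continue }` at the top of the loop. A host removed from the ingress set also keeps its last series forever, because a GaugeVec never forgets label values on its own; calling `sslExpireTime.Reset()` before the loop, or `DeleteLabelValues` for hosts no longer present, keeps the metric honest. Note also that this function is only reached after a successful reload (second controller hunk), so a failed reload leaves the gauge reporting the previous certificate set.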
|
@ -19,6 +19,7 @@ package ingress
|
||||||
import (
|
import (
|
||||||
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
// BackendByNameServers sorts upstreams by name
|
// BackendByNameServers sorts upstreams by name
|
||||||
|
@ -79,6 +80,8 @@ type SSLCert struct {
|
||||||
PemSHA string `json:"pemSha"`
|
PemSHA string `json:"pemSha"`
|
||||||
// CN contains all the common names defined in the SSL certificate
|
// CN contains all the common names defined in the SSL certificate
|
||||||
CN []string `json:"cn"`
|
CN []string `json:"cn"`
|
||||||
|
// ExpiresTime contains the expiration of this SSL certificate in timestamp format
|
||||||
|
ExpireTime time.Time `json:"expires"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetObjectKind implements the ObjectKind interface as a noop
|
// GetObjectKind implements the ObjectKind interface as a noop
|
||||||
|
|
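Review bot: The doc comment on the new field names it `ExpiresTime` while the field is `ExpireTime` (and the JSON tag is `expires`); Go doc comments must start with the field's own name, so it should read `// ExpireTime contains the expiration of this SSL certificate in timestamp format`. In the same import hunk `"time"` is placed after the k8s.io imports; goimports groups the standard library first, so the line belongs in its own group above `meta_v1`, and the same applies to the `"time"` import added to the Server types file below.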
|
@ -33,6 +33,7 @@ import (
|
||||||
"k8s.io/ingress/core/pkg/ingress/defaults"
|
"k8s.io/ingress/core/pkg/ingress/defaults"
|
||||||
"k8s.io/ingress/core/pkg/ingress/resolver"
|
"k8s.io/ingress/core/pkg/ingress/resolver"
|
||||||
"k8s.io/ingress/core/pkg/ingress/store"
|
"k8s.io/ingress/core/pkg/ingress/store"
|
||||||
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -203,6 +204,8 @@ type Server struct {
|
||||||
SSLPassthrough bool `json:"sslPassthrough"`
|
SSLPassthrough bool `json:"sslPassthrough"`
|
||||||
// SSLCertificate path to the SSL certificate on disk
|
// SSLCertificate path to the SSL certificate on disk
|
||||||
SSLCertificate string `json:"sslCertificate"`
|
SSLCertificate string `json:"sslCertificate"`
|
||||||
|
// SSLExpireTime has the expire date of this certificate
|
||||||
|
SSLExpireTime time.Time `json:"sslExpireTime"`
|
||||||
// SSLPemChecksum returns the checksum of the certificate file on disk.
|
// SSLPemChecksum returns the checksum of the certificate file on disk.
|
||||||
// There is no restriction in the hash generator. This checksim can be
|
// There is no restriction in the hash generator. This checksim can be
|
||||||
// used to determine if the secret changed without the use of file
|
// used to determine if the secret changed without the use of file
|
||||||
|
|
|
@ -131,6 +131,7 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
|
||||||
PemFileName: pemFileName,
|
PemFileName: pemFileName,
|
||||||
PemSHA: PemSHA1(pemFileName),
|
PemSHA: PemSHA1(pemFileName),
|
||||||
CN: cn,
|
CN: cn,
|
||||||
|
ExpireTime: pemCert.NotAfter,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -138,6 +139,7 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
|
||||||
PemFileName: pemFileName,
|
PemFileName: pemFileName,
|
||||||
PemSHA: PemSHA1(pemFileName),
|
PemSHA: PemSHA1(pemFileName),
|
||||||
CN: cn,
|
CN: cn,
|
||||||
|
ExpireTime: pemCert.NotAfter,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
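Review bot: `ExpireTime: pemCert.NotAfter` is now the fourth identical field in two struct literals that differ only in their surrounding branch (this hunk and the one at `@ -131`), so the two return sites are drifting into copy-paste; building the `ingress.SSLCert` once before the branch and returning it from both paths would keep future fields from being added to one site only. Presumably pemCert is the leaf certificate parsed from the bundle, in which case the expiry of any intermediate in the chain is not captured by this value; worth a comment on the field if that is intended. AddOrUpdateCertAndKey starts outside both hunks.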
|
|