Instrument nginx to expose metric "ssl certificate expiration time"
Add a console warning message 10 days before the certificate expires
gianrubio committed Jun 13, 2017
1 parent e258ee1 commit d9cf043
Showing 5 changed files with 41 additions and 3 deletions.
8 changes: 8 additions & 0 deletions core/pkg/ingress/controller/controller.go
Expand Up @@ -380,6 +380,7 @@ func (ic *GenericController) syncIngress(key interface{}) error {

upstreams, servers := ic.getBackendServers()
var passUpstreams []*ingress.SSLPassthroughBackend

for _, server := range servers {
if !server.SSLPassthrough {
continue
Expand Down Expand Up @@ -416,6 +417,7 @@ func (ic *GenericController) syncIngress(key interface{}) error {

glog.Infof("ingress backend successfully reloaded...")
incReloadCount()
setSSLExpireTime(servers)

return nil
}
Expand Down Expand Up @@ -1008,6 +1010,12 @@ func (ic *GenericController) createServers(data []interface{},
if isHostValid(host, cert) {
servers[host].SSLCertificate = cert.PemFileName
servers[host].SSLPemChecksum = cert.PemSHA
servers[host].SSLExpireTime = cert.ExpireTime

if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour)) {
glog.Warningf("ssl certificate for host %v is about to expire in 10 days", host)
}

} else {
glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
}
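Review bot: The check `if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour))` also matches certificates that have already expired, yet the warning says the certificate "is about to expire in 10 days" in every case, and it is presumably repeated on each reconcile since createServers runs on every sync. Logging the actual remaining time keeps the message truthful for both the near-expiry and the already-expired case: `if remaining := cert.ExpireTime.Sub(time.Now()); remaining < 240*time.Hour {` followed by `glog.Warningf("ssl certificate for host %v expires in %v (at %v)", host, remaining, cert.ExpireTime)`. The 240-hour threshold is also quoted as "10 days" in the metric help text in metrics.go, so a named constant shared by both would keep them from drifting apart. createServers begins and ends outside this hunk.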
28 changes: 25 additions & 3 deletions core/pkg/ingress/controller/metrics.go
Expand Up @@ -18,17 +18,22 @@ package controller

import (
"github.com/prometheus/client_golang/prometheus"
"k8s.io/ingress/core/pkg/ingress"
)

const (
ns = "ingress_controller"
operation = "count"
reloadLabel = "reloads"
ns = "ingress_controller"
operation = "count"
reloadLabel = "reloads"
sslLabelExpire = "ssl_expire_time_seconds"
sslLabelHost = "host"
)

func init() {
prometheus.MustRegister(reloadOperation)
prometheus.MustRegister(reloadOperationErrors)
prometheus.MustRegister(sslExpireTime)

}

var (
Expand All @@ -48,6 +53,15 @@ var (
},
[]string{operation},
)
sslExpireTime = prometheus.NewGaugeVec(
prometheus.GaugeOpts{
Namespace: ns,
Name: sslLabelExpire,
Help: "Number of seconds since 1970 to the SSL Certificate expire. An example to check if this " +
"certificate will expire in 10 days is: \"ingress_controller_ssl_expire_time_seconds < (time() + (10 * 24 * 3600))\"",
},
[]string{sslLabelHost},
)
)

func incReloadCount() {
Expand All @@ -57,3 +71,11 @@ func incReloadCount() {
func incReloadErrorCount() {
reloadOperationErrors.WithLabelValues(reloadLabel).Inc()
}

func setSSLExpireTime(servers []*ingress.Server) {

for _, s := range servers {
sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLExpireTime.Unix()))
}

}
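Review bot: setSSLExpireTime only adds or overwrites series, so a host removed from the ingress keeps reporting its last expiry indefinitely, and a server whose SSLExpireTime was never set (presumably the zero value for hosts without a certificate, since the field is only assigned on the isHostValid path in controller.go) is exported as the Unix time of year 1, which the example query in the Help text would report as expired. Resetting the vector before repopulating and skipping zero expiries avoids both; because Reset briefly empties the vector, a scrape landing between Reset and Set can miss a series, so tracking the previously exported hosts and calling DeleteLabelValues only for the ones that disappeared is the stricter variant. The stray blank lines inside init and setSSLExpireTime would also be dropped by gofmt-style cleanup.
```go
func setSSLExpireTime(servers []*ingress.Server) {
	// Drop series for hosts that no longer exist so a stale expiry
	// does not keep being reported after a host is removed.
	sslExpireTime.Reset()
	for _, s := range servers {
		if s.SSLExpireTime.IsZero() {
			continue // no certificate assigned to this host
		}
		sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLExpireTime.Unix()))
	}
}
```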
3 changes: 3 additions & 0 deletions core/pkg/ingress/sort_ingress.go
Expand Up @@ -19,6 +19,7 @@ package ingress
import (
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"time"
)

// BackendByNameServers sorts upstreams by name
Expand Down Expand Up @@ -79,6 +80,8 @@ type SSLCert struct {
PemSHA string `json:"pemSha"`
// CN contains all the common names defined in the SSL certificate
CN []string `json:"cn"`
// ExpiresTime contains the expiration of this SSL certificate in timestamp format
ExpireTime time.Time `json:"expires"`
}

// GetObjectKind implements the ObjectKind interface as a noop
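Review bot: The doc comment on the new field calls it `ExpiresTime` while the field is `ExpireTime`, and the json tag `expires` does not mirror the field name the way the neighbouring `pemSha` and `cn` tags do; suggested comment: `// ExpireTime is the NotAfter date of the certificate, as parsed from the PEM file`. The `"time"` import is also placed after the k8s imports here and in core/pkg/ingress/types.go, whereas goimports groups the standard library first.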
3 changes: 3 additions & 0 deletions core/pkg/ingress/types.go
Expand Up @@ -33,6 +33,7 @@ import (
"k8s.io/ingress/core/pkg/ingress/defaults"
"k8s.io/ingress/core/pkg/ingress/resolver"
"k8s.io/ingress/core/pkg/ingress/store"
"time"
)

var (
Expand Down Expand Up @@ -203,6 +204,8 @@ type Server struct {
SSLPassthrough bool `json:"sslPassthrough"`
// SSLCertificate path to the SSL certificate on disk
SSLCertificate string `json:"sslCertificate"`
// SSLExpireTime has the expire date of this certificate
SSLExpireTime time.Time `json:"sslExpireTime"`
// SSLPemChecksum returns the checksum of the certificate file on disk.
// There is no restriction in the hash generator. This checksim can be
// used to determine if the secret changed without the use of file
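Review bot: The comment `// SSLExpireTime has the expire date of this certificate` is ungrammatical and does not say which certificate it refers to; suggested wording: `// SSLExpireTime is the NotAfter date of the certificate at SSLCertificate; presumably the zero value when no certificate is configured for the host`. The Server struct continues outside this hunk.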
2 changes: 2 additions & 0 deletions core/pkg/net/ssl/ssl.go
Expand Up @@ -131,13 +131,15 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
PemFileName: pemFileName,
PemSHA: PemSHA1(pemFileName),
CN: cn,
ExpireTime: pemCert.NotAfter,
}, nil
}

return &ingress.SSLCert{
PemFileName: pemFileName,
PemSHA: PemSHA1(pemFileName),
CN: cn,
ExpireTime: pemCert.NotAfter,
}, nil
}

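Review bot: ExpireTime is populated from pemCert.NotAfter at both return sites, which reflects only the certificate pemCert holds; if the supplied PEM also carries intermediates with an earlier NotAfter, the exported expiry would overstate the chain's usable lifetime. pemCert is parsed outside this hunk, so I cannot confirm which certificate it is; a comment at the assignment, `// ExpireTime: NotAfter of the parsed (leaf) certificate only; intermediates are not inspected`, would make the scope explicit. AddOrUpdateCertAndKey begins outside this hunk.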
