emit metrics for peer certificates, server certificate and fix functi…

…on name
cloudflare · Jul 8, 2020 · b490db3 · b490db3
1 parent cd1c948
commit b490db3
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 12 deletions.
diff --git a/certmetrics/metrics.go b/certmetrics/metrics.go
@@ -21,27 +21,30 @@ var certificateExpirationTimes = promauto.NewGaugeVec(
 // Observe takes in a list of certs and emits its expiration times
 func Observe(certs ...*x509.Certificate) {
 	for _, cert := range certs {
-		hostnames := cert.DNSNames
-		sort.Strings(hostnames)
-		labels := prometheus.Labels{
-			"serial_no": cert.SerialNumber.String(),
-			"cn":        cert.Subject.CommonName,
-			"hostnames": strings.Join(hostnames, ","),
-			"ca":        boolToBinaryString(cert.IsCA),
-			"server":    containsKeyUsage(cert.ExtKeyUsage, x509.ExtKeyUsageServerAuth),
-			"client":    containsKeyUsage(cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth)}
-		certificateExpirationTimes.With(labels).Set(float64(cert.NotAfter.Unix()))
+		certificateExpirationTimes.With(getPrometheusLabels(cert)).Set(float64(cert.NotAfter.Unix()))
 	}
 }
 
+func getPrometheusLabels(cert *x509.Certificate) prometheus.Labels {
+	hostnames := append([]string(nil), cert.DNSNames...)
+	sort.Strings(hostnames)
+	return prometheus.Labels{
+		"serial_no": cert.SerialNumber.String(),
+		"cn":        cert.Subject.CommonName,
+		"hostnames": strings.Join(hostnames, ","),
+		"ca":        boolToBinaryString(cert.IsCA),
+		"server":    hasKeyUsageAsBinaryString(cert.ExtKeyUsage, x509.ExtKeyUsageServerAuth),
+		"client":    hasKeyUsageAsBinaryString(cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth)}
+}
+
 func boolToBinaryString(val bool) string {
 	if val {
 		return "1"
 	}
 	return "0"
 }
 
-func containsKeyUsage(a []x509.ExtKeyUsage, x x509.ExtKeyUsage) string {
+func hasKeyUsageAsBinaryString(a []x509.ExtKeyUsage, x x509.ExtKeyUsage) string {
 	for _, e := range a {
 		if e == x || e == x509.ExtKeyUsageAny {
 			return "1"

diff --git a/cmd/gokeyless/gokeyless.go b/cmd/gokeyless/gokeyless.go
@@ -18,6 +18,7 @@ import (
 
 	"github.com/cloudflare/cfssl/helpers"
 	"github.com/cloudflare/cfssl/log"
+	"github.com/cloudflare/gokeyless/certmetrics"
 	"github.com/cloudflare/gokeyless/server"
 )
 
@@ -272,7 +273,8 @@ func main() {
 			f.Close()
 		}
 	}
-
+	certs := gatherCerts()
+	certmetrics.Observe(certs...)
 	go func() {
 		log.Critical(s.MetricsListenAndServe(net.JoinHostPort("", strconv.Itoa(config.MetricsPort))))
 	}()
@@ -393,3 +395,36 @@ func verifyCSRAndKey() bool {
 
 	return true
 }
+
+// pemCertsFromFile reads PEM format certificates from a file.
+func pemCertsFromFile(path string) []*x509.Certificate {
+	file, err := os.Open(path)
+	if err != nil {
+		log.Fatal(err)
+	}
+	pemData, err := ioutil.ReadAll(file)
+	if err != nil {
+		log.Fatal(err)
+	}
+	certs, err := helpers.ParseCertificatesPEM(pemData)
+	if err != nil {
+		log.Fatal(err)
+	}
+	return certs
+}
+
+func gatherCerts() []*x509.Certificate {
+	certPaths := []string{
+		config.CertFile,
+		config.CACertFile,
+	}
+	var allCerts []*x509.Certificate
+	for _, cPath := range certPaths {
+		if cPath == "" {
+			continue
+		}
+		pemCerts := pemCertsFromFile(cPath)
+		allCerts = append(allCerts, pemCerts...)
+	}
+	return allCerts
+}