telegraf/plugins/inputs/kube_inventory/certificate.go

package kube_inventory

import (
	"context"
	"crypto/x509"
	"encoding/pem"
	"strings"
	"time"

	corev1 "k8s.io/api/core/v1"

	"github.com/influxdata/telegraf"
)

func collectSecrets(ctx context.Context, acc telegraf.Accumulator, ki *KubernetesInventory) {
	list, err := ki.client.getTLSSecrets(ctx)
	if err != nil {
		acc.AddError(err)
		return
	}
	for _, i := range list.Items {
		gatherCertificates(i, acc)
	}
}

func getFields(cert *x509.Certificate, now time.Time) map[string]interface{} {
	age := int(now.Sub(cert.NotBefore).Seconds())
	expiry := int(cert.NotAfter.Sub(now).Seconds())
	startdate := cert.NotBefore.Unix()
	enddate := cert.NotAfter.Unix()

	fields := map[string]interface{}{
		"age":       age,
		"expiry":    expiry,
		"startdate": startdate,
		"enddate":   enddate,
	}

	return fields
}

func getTags(cert *x509.Certificate) map[string]string {
	tags := map[string]string{
		"common_name":          cert.Subject.CommonName,
		"signature_algorithm":  cert.SignatureAlgorithm.String(),
		"public_key_algorithm": cert.PublicKeyAlgorithm.String(),
	}
	tags["issuer_common_name"] = cert.Issuer.CommonName

	san := append(cert.DNSNames, cert.EmailAddresses...)
	for _, ip := range cert.IPAddresses {
		san = append(san, ip.String())
	}
	for _, uri := range cert.URIs {
		san = append(san, uri.String())
	}
	tags["san"] = strings.Join(san, ",")

	return tags
}

func gatherCertificates(r corev1.Secret, acc telegraf.Accumulator) {
	now := time.Now()

	for resourceName, val := range r.Data {
		if resourceName != "tls.crt" {
			continue
		}
		block, _ := pem.Decode(val)
		if block == nil {
			return
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return
		}
		fields := getFields(cert, now)
		tags := getTags(cert)
		tags["name"] = r.Name
		tags["namespace"] = r.Namespace
		opts := x509.VerifyOptions{
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
		}
		_, err = cert.Verify(opts)
		if err == nil {
			tags["verification"] = "valid"
			fields["verification_code"] = 0
		} else {
			tags["verification"] = "invalid"
			fields["verification_code"] = 1
		}
		acc.AddFields(certificateMeasurement, fields, tags)
	}
}
Adding upstream version 1.34.4. Signed-off-by: Daniel Baumann <daniel@debian.org> 2025-05-24 07:26:29 +02:00			`package kube_inventory`

			`import (`
			`"context"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"strings"`
			`"time"`

			`corev1 "k8s.io/api/core/v1"`

			`"github.com/influxdata/telegraf"`
			`)`

			`func collectSecrets(ctx context.Context, acc telegraf.Accumulator, ki *KubernetesInventory) {`
			`list, err := ki.client.getTLSSecrets(ctx)`
			`if err != nil {`
			`acc.AddError(err)`
			`return`
			`}`
			`for _, i := range list.Items {`
			`gatherCertificates(i, acc)`
			`}`
			`}`

			`func getFields(cert *x509.Certificate, now time.Time) map[string]interface{} {`
			`age := int(now.Sub(cert.NotBefore).Seconds())`
			`expiry := int(cert.NotAfter.Sub(now).Seconds())`
			`startdate := cert.NotBefore.Unix()`
			`enddate := cert.NotAfter.Unix()`

			`fields := map[string]interface{}{`
			`"age": age,`
			`"expiry": expiry,`
			`"startdate": startdate,`
			`"enddate": enddate,`
			`}`

			`return fields`
			`}`

			`func getTags(cert *x509.Certificate) map[string]string {`
			`tags := map[string]string{`
			`"common_name": cert.Subject.CommonName,`
			`"signature_algorithm": cert.SignatureAlgorithm.String(),`
			`"public_key_algorithm": cert.PublicKeyAlgorithm.String(),`
			`}`
			`tags["issuer_common_name"] = cert.Issuer.CommonName`

			`san := append(cert.DNSNames, cert.EmailAddresses...)`
			`for _, ip := range cert.IPAddresses {`
			`san = append(san, ip.String())`
			`}`
			`for _, uri := range cert.URIs {`
			`san = append(san, uri.String())`
			`}`
			`tags["san"] = strings.Join(san, ",")`

			`return tags`
			`}`

			`func gatherCertificates(r corev1.Secret, acc telegraf.Accumulator) {`
			`now := time.Now()`

			`for resourceName, val := range r.Data {`
			`if resourceName != "tls.crt" {`
			`continue`
			`}`
			`block, _ := pem.Decode(val)`
			`if block == nil {`
			`return`
			`}`
			`cert, err := x509.ParseCertificate(block.Bytes)`
			`if err != nil {`
			`return`
			`}`
			`fields := getFields(cert, now)`
			`tags := getTags(cert)`
			`tags["name"] = r.Name`
			`tags["namespace"] = r.Namespace`
			`opts := x509.VerifyOptions{`
			`KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},`
			`}`
			`_, err = cert.Verify(opts)`
			`if err == nil {`
			`tags["verification"] = "valid"`
			`fields["verification_code"] = 0`
			`} else {`
			`tags["verification"] = "invalid"`
			`fields["verification_code"] = 1`
			`}`
			`acc.AddFields(certificateMeasurement, fields, tags)`
			`}`
			`}`