Adding upstream version 1.34.4.
Signed-off-by: Daniel Baumann <daniel@debian.org>
This commit is contained in:
parent
e393c3af3f
commit
4978089aab
GPG key ID:
FBB4F0E80A80222F
4963 changed files with 677545 additions and 0 deletions
94
plugins/inputs/kube_inventory/certificate.go
Normal file
94
plugins/inputs/kube_inventory/certificate.go
Normal file
|
|
@ -0,0 +1,94 @@
|
|||
package kube_inventory
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
|
||||
"github.com/influxdata/telegraf"
|
||||
)
|
||||
|
||||
func collectSecrets(ctx context.Context, acc telegraf.Accumulator, ki *KubernetesInventory) {
|
||||
list, err := ki.client.getTLSSecrets(ctx)
|
||||
if err != nil {
|
||||
acc.AddError(err)
|
||||
return
|
||||
}
|
||||
for _, i := range list.Items {
|
||||
gatherCertificates(i, acc)
|
||||
}
|
||||
}
|
||||
|
||||
func getFields(cert *x509.Certificate, now time.Time) map[string]interface{} {
|
||||
age := int(now.Sub(cert.NotBefore).Seconds())
|
||||
expiry := int(cert.NotAfter.Sub(now).Seconds())
|
||||
startdate := cert.NotBefore.Unix()
|
||||
enddate := cert.NotAfter.Unix()
|
||||
|
||||
fields := map[string]interface{}{
|
||||
"age": age,
|
||||
"expiry": expiry,
|
||||
"startdate": startdate,
|
||||
"enddate": enddate,
|
||||
}
|
||||
|
||||
return fields
|
||||
}
|
||||
|
||||
func getTags(cert *x509.Certificate) map[string]string {
|
||||
tags := map[string]string{
|
||||
"common_name": cert.Subject.CommonName,
|
||||
"signature_algorithm": cert.SignatureAlgorithm.String(),
|
||||
"public_key_algorithm": cert.PublicKeyAlgorithm.String(),
|
||||
}
|
||||
tags["issuer_common_name"] = cert.Issuer.CommonName
|
||||
|
||||
san := append(cert.DNSNames, cert.EmailAddresses...)
|
||||
for _, ip := range cert.IPAddresses {
|
||||
san = append(san, ip.String())
|
||||
}
|
||||
for _, uri := range cert.URIs {
|
||||
san = append(san, uri.String())
|
||||
}
|
||||
tags["san"] = strings.Join(san, ",")
|
||||
|
||||
return tags
|
||||
}
|
||||
|
||||
func gatherCertificates(r corev1.Secret, acc telegraf.Accumulator) {
|
||||
now := time.Now()
|
||||
|
||||
for resourceName, val := range r.Data {
|
||||
if resourceName != "tls.crt" {
|
||||
continue
|
||||
}
|
||||
block, _ := pem.Decode(val)
|
||||
if block == nil {
|
||||
return
|
||||
}
|
||||
cert, err := x509.ParseCertificate(block.Bytes)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
fields := getFields(cert, now)
|
||||
tags := getTags(cert)
|
||||
tags["name"] = r.Name
|
||||
tags["namespace"] = r.Namespace
|
||||
opts := x509.VerifyOptions{
|
||||
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
||||
}
|
||||
_, err = cert.Verify(opts)
|
||||
if err == nil {
|
||||
tags["verification"] = "valid"
|
||||
fields["verification_code"] = 0
|
||||
} else {
|
||||
tags["verification"] = "invalid"
|
||||
fields["verification_code"] = 1
|
||||
}
|
||||
acc.AddFields(certificateMeasurement, fields, tags)
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue