Report Metrics on URI and IPAddress Certs

Some client authentication certs do not have DNS subject alt names and thus go un-reported by the current BuildBarn tls certificate expiry reporting. This change adds additional labels for URI and IP address SANs so expiry can be reported for such certs.
buildbarn · Aug 15, 2024 · 31e7018 · 31e7018
1 parent 3f5e30c
commit 31e7018
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/pkg/util/tls.go b/pkg/util/tls.go
@@ -31,15 +31,15 @@ var (
 			Name:      "certificate_not_before_time_seconds",
 			Help:      "The value of the \"Not Before\" field of the TLS certificate.",
 		},
-		[]string{"dns_name", "certificate_usage"})
+		[]string{"dns_name", "uri", "ip_address", "certificate_usage"})
 	tlsCertificateNotAfterTimeSeconds = prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: "buildbarn",
 			Subsystem: "tls",
 			Name:      "certificate_not_after_time_seconds",
 			Help:      "The value of the \"Not After\" field of the TLS certificate.",
 		},
-		[]string{"dns_name", "certificate_usage"})
+		[]string{"dns_name", "uri", "ip_address", "certificate_usage"})
 )
 
 func init() {
@@ -74,8 +74,18 @@ func updateTLSCertificateExpiry(cert *tls.Certificate, certificateUsage string)
 		return err
 	}
 	for _, dnsName := range leaf.DNSNames {
-		tlsCertificateNotBeforeTimeSeconds.WithLabelValues(dnsName, certificateUsage).Set(float64(leaf.NotBefore.UnixNano()) / 1e9)
-		tlsCertificateNotAfterTimeSeconds.WithLabelValues(dnsName, certificateUsage).Set(float64(leaf.NotAfter.UnixNano()) / 1e9)
+		tlsCertificateNotBeforeTimeSeconds.WithLabelValues(dnsName, "", "", certificateUsage).Set(float64(leaf.NotBefore.UnixNano()) / 1e9)
+		tlsCertificateNotAfterTimeSeconds.WithLabelValues(dnsName, "", "", certificateUsage).Set(float64(leaf.NotAfter.UnixNano()) / 1e9)
+	}
+	for _, uri := range leaf.URIs {
+		uriStr := uri.String()
+		tlsCertificateNotBeforeTimeSeconds.WithLabelValues("", uriStr, "", certificateUsage).Set(float64(leaf.NotBefore.UnixNano()) / 1e9)
+		tlsCertificateNotAfterTimeSeconds.WithLabelValues("", uriStr, "", certificateUsage).Set(float64(leaf.NotAfter.UnixNano()) / 1e9)
+	}
+	for _, ip := range leaf.IPAddresses {
+		ipStr := ip.String()
+		tlsCertificateNotBeforeTimeSeconds.WithLabelValues("", "", ipStr, certificateUsage).Set(float64(leaf.NotBefore.UnixNano()) / 1e9)
+		tlsCertificateNotAfterTimeSeconds.WithLabelValues("", "", ipStr, certificateUsage).Set(float64(leaf.NotAfter.UnixNano()) / 1e9)
 	}
 	return nil
 }