[receiver/tlscheckreceiver] allow scraping all certs

This allows scraping all certificates in a PEM bundle, or all
certificates returned by an endpoint, rather than just the leaf
certificate. It can be useful to monitor which certificates are used in
a bundle, or monitor when intermediate certificates are due to expire.

Signed-off-by: Hugh Cole-Baker <[email protected]>

Author: sigmaris

receiver/tlscheckreceiver/README.md

@@ -21,7 +21,7 @@ By default, the TLS Check Receiver will emit a single metric, `tlscheck.time_lef
 
 ## Example Configuration
 
-Targets are configured as either remote enpoints accessed via TCP, or PEM-encoded certificate files stored locally on disk.
+Targets are configured as either remote enpoints accessed via TCP, or PEM-encoded certificate files stored locally on disk. By default only the first certificate in a file or presented by an endpoint (i.e. the leaf certificate) is monitored. The `scrape_all_certs` option can be used to monitor all certificates in a PEM bundle or all certificates presented by an endpoint.
 
 ```yaml
 receivers:
@@ -30,6 +30,10 @@ receivers:
       # Monitor a local PEM file
       - file_path: /etc/istio/certs/cert-chain.pem
 
+      # Monitor all certificates in a PEM bundle
+      - file_path: /etc/ssl/certs/ca-bundle.crt
+        scrape_all_certs: true
+      
       # Monitor a remote endpoint
       - endpoint: example.com:443
 

receiver/tlscheckreceiver/config.go

@@ -21,6 +21,7 @@ var errInvalidEndpoint = errors.New(`"endpoint" must be in the form of <hostname
 type CertificateTarget struct {
 	confignet.TCPAddrConfig `mapstructure:",squash"`
 	FilePath                string `mapstructure:"file_path"`
+	ScrapeAllCerts          bool   `mapstructure:"scrape_all_certs"`
 
 	// prevent unkeyed literal initialization
 	_ struct{}

receiver/tlscheckreceiver/scraper.go

@@ -109,30 +109,7 @@ func getConnectionState(endpoint string) (tls.ConnectionState, error) {
 	return conn.ConnectionState(), nil
 }
 
-func (s *scraper) scrapeEndpoint(endpoint string, metrics *pmetric.Metrics, wg *sync.WaitGroup, mux *sync.Mutex, errs chan error) {
-	defer wg.Done()
-	if err := validateEndpoint(endpoint); err != nil {
-		s.settings.Logger.Error("Failed to validate endpoint", zap.String("endpoint", endpoint), zap.Error(err))
-		errs <- err
-		return
-	}
-
-	state, err := s.getConnectionState(endpoint)
-	if err != nil {
-		s.settings.Logger.Error("TCP connection error encountered", zap.String("endpoint", endpoint), zap.Error(err))
-		errs <- err
-		return
-	}
-
-	s.settings.Logger.Debug("Peer Certificates", zap.Int("certificates_count", len(state.PeerCertificates)))
-	if len(state.PeerCertificates) == 0 {
-		err := fmt.Errorf("no TLS certificates found for endpoint: %s. Verify the endpoint serves TLS certificates", endpoint)
-		s.settings.Logger.Error(err.Error(), zap.String("endpoint", endpoint))
-		errs <- err
-		return
-	}
-
-	cert := state.PeerCertificates[0]
+func recordOneCert(mb *metadata.MetricsBuilder, now pcommon.Timestamp, cert *x509.Certificate) {
 	issuer := cert.Issuer.String()
 	commonName := cert.Subject.CommonName
 	sans := make([]any, len(cert.DNSNames)+len(cert.IPAddresses)+len(cert.URIs)+len(cert.EmailAddresses))
@@ -160,20 +137,51 @@ func (s *scraper) scrapeEndpoint(endpoint string, metrics *pmetric.Metrics, wg *
 	currentTime := time.Now()
 	timeLeft := cert.NotAfter.Sub(currentTime).Seconds()
 	timeLeftInt := int64(timeLeft)
-	now := pcommon.NewTimestampFromTime(time.Now())
+
+	mb.RecordTlscheckTimeLeftDataPoint(now, timeLeftInt, issuer, commonName, sans)
+}
+
+func (s *scraper) scrapeEndpoint(endpoint string, scrapeAll bool, metrics *pmetric.Metrics, wg *sync.WaitGroup, mux *sync.Mutex, errs chan error) {
+	defer wg.Done()
+	if err := validateEndpoint(endpoint); err != nil {
+		s.settings.Logger.Error("Failed to validate endpoint", zap.String("endpoint", endpoint), zap.Error(err))
+		errs <- err
+		return
+	}
+
+	state, err := s.getConnectionState(endpoint)
+	if err != nil {
+		s.settings.Logger.Error("TCP connection error encountered", zap.String("endpoint", endpoint), zap.Error(err))
+		errs <- err
+		return
+	}
+
+	s.settings.Logger.Debug("Peer Certificates", zap.Int("certificates_count", len(state.PeerCertificates)))
+	if len(state.PeerCertificates) == 0 {
+		err := fmt.Errorf("no TLS certificates found for endpoint: %s. Verify the endpoint serves TLS certificates", endpoint)
+		s.settings.Logger.Error(err.Error(), zap.String("endpoint", endpoint))
+		errs <- err
+		return
+	}
 
 	mux.Lock()
 	defer mux.Unlock()
 
 	mb := metadata.NewMetricsBuilder(s.cfg.MetricsBuilderConfig, s.settings, metadata.WithStartTime(pcommon.NewTimestampFromTime(time.Now())))
 	rb := mb.NewResourceBuilder()
 	rb.SetTlscheckTarget(endpoint)
-	mb.RecordTlscheckTimeLeftDataPoint(now, timeLeftInt, issuer, commonName, sans)
+	now := pcommon.NewTimestampFromTime(time.Now())
+	for _, cert := range state.PeerCertificates {
+		recordOneCert(mb, now, cert)
+		if !scrapeAll {
+			break
+		}
+	}
 	resourceMetrics := mb.Emit(metadata.WithResource(rb.Emit()))
 	resourceMetrics.ResourceMetrics().At(0).MoveTo(metrics.ResourceMetrics().AppendEmpty())
 }
 
-func (s *scraper) scrapeFile(filePath string, metrics *pmetric.Metrics, wg *sync.WaitGroup, mux *sync.Mutex, errs chan error) {
+func (s *scraper) scrapeFile(filePath string, scrapeAll bool, metrics *pmetric.Metrics, wg *sync.WaitGroup, mux *sync.Mutex, errs chan error) {
 	defer wg.Done()
 	if err := validateFilepath(filePath); err != nil {
 		s.settings.Logger.Error("Failed to validate certificate file", zap.String("file_path", filePath), zap.Error(err))
@@ -226,43 +234,19 @@ func (s *scraper) scrapeFile(filePath string, metrics *pmetric.Metrics, wg *sync
 
 	s.settings.Logger.Debug("Found certificates in chain", zap.String("file_path", filePath), zap.Int("count", len(certs)))
 
-	cert := certs[0] // Use the leaf certificate
-	issuer := cert.Issuer.String()
-	commonName := cert.Subject.CommonName
-	sans := make([]any, len(cert.DNSNames)+len(cert.IPAddresses)+len(cert.URIs)+len(cert.EmailAddresses))
-	i := 0
-	for _, ip := range cert.IPAddresses {
-		sans[i] = ip.String()
-		i++
-	}
-
-	for _, uri := range cert.URIs {
-		sans[i] = uri.String()
-		i++
-	}
-
-	for _, dnsName := range cert.DNSNames {
-		sans[i] = dnsName
-		i++
-	}
-
-	for _, emailAddress := range cert.EmailAddresses {
-		sans[i] = emailAddress
-		i++
-	}
-
-	currentTime := time.Now()
-	timeLeft := cert.NotAfter.Sub(currentTime).Seconds()
-	timeLeftInt := int64(timeLeft)
-	now := pcommon.NewTimestampFromTime(time.Now())
-
 	mux.Lock()
 	defer mux.Unlock()
 
 	mb := metadata.NewMetricsBuilder(s.cfg.MetricsBuilderConfig, s.settings, metadata.WithStartTime(pcommon.NewTimestampFromTime(time.Now())))
 	rb := mb.NewResourceBuilder()
 	rb.SetTlscheckTarget(filePath)
-	mb.RecordTlscheckTimeLeftDataPoint(now, timeLeftInt, issuer, commonName, sans)
+	now := pcommon.NewTimestampFromTime(time.Now())
+	for _, cert := range certs {
+		recordOneCert(mb, now, cert)
+		if !scrapeAll {
+			break
+		}
+	}
 	resourceMetrics := mb.Emit(metadata.WithResource(rb.Emit()))
 	resourceMetrics.ResourceMetrics().At(0).MoveTo(metrics.ResourceMetrics().AppendEmpty())
 }
@@ -288,9 +272,9 @@ func (s *scraper) scrape(ctx context.Context) (pmetric.Metrics, error) {
 
 	for _, target := range s.cfg.Targets {
 		if target.FilePath != "" {
-			go s.scrapeFile(target.FilePath, &metrics, &wg, &mux, errChan)
+			go s.scrapeFile(target.FilePath, target.ScrapeAllCerts, &metrics, &wg, &mux, errChan)
 		} else {
-			go s.scrapeEndpoint(target.Endpoint, &metrics, &wg, &mux, errChan)
+			go s.scrapeEndpoint(target.Endpoint, target.ScrapeAllCerts, &metrics, &wg, &mux, errChan)
 		}
 	}
 

receiver/tlscheckreceiver/scraper_test.go

@@ -319,6 +319,7 @@ func TestScrape_ValidFilepathCertificate(t *testing.T) {
 	rm := metrics.ResourceMetrics().At(0)
 	ilms := rm.ScopeMetrics().At(0)
 	metric := ilms.Metrics().At(0)
+	assert.Equal(t, 1, metric.Gauge().DataPoints().Len())
 	dp := metric.Gauge().DataPoints().At(0)
 	target, exists := rm.Resource().Attributes().Get("tlscheck.target")
 	require.True(t, exists)
@@ -336,6 +337,63 @@ func TestScrape_ValidFilepathCertificate(t *testing.T) {
 	assert.Positive(t, timeLeft, "Time left should be positive for a valid cert")
 }
 
+func TestScrape_AllFilepathCertificates(t *testing.T) {
+	caCertFile := createMockCertFile(t, time.Date(2099, 1, 1, 0, 0, 0, 0, time.UTC))
+	cfg := &Config{
+		Targets: []*CertificateTarget{
+			{
+				FilePath:       caCertFile,
+				ScrapeAllCerts: true,
+			},
+		},
+		MetricsBuilderConfig: metadata.DefaultMetricsBuilderConfig(),
+	}
+	factory := receivertest.NewNopFactory()
+	settings := receivertest.NewNopSettings(factory.Type())
+	s := newScraper(cfg, settings, mockGetConnectionStateValid)
+
+	metrics, err := s.scrape(t.Context())
+	require.NoError(t, err)
+	assert.Equal(t, 1, metrics.ResourceMetrics().Len())
+
+	rm := metrics.ResourceMetrics().At(0)
+	ilms := rm.ScopeMetrics().At(0)
+	metric := ilms.Metrics().At(0)
+
+	target, exists := rm.Resource().Attributes().Get("tlscheck.target")
+	require.True(t, exists)
+	assert.Equal(t, caCertFile, target.AsString())
+	assert.Equal(t, 2, metric.Gauge().DataPoints().Len())
+
+	expectedAttrs := []struct {
+		issuer     string
+		commonName string
+	}{
+		{
+			issuer:     "CN=FooIssuer",
+			commonName: "test.example.com",
+		},
+		{
+			issuer:     "CN=FooIssuer",
+			commonName: "FooIssuer",
+		},
+	}
+	for index, attrs := range expectedAttrs {
+		dp := metric.Gauge().DataPoints().At(index)
+
+		// Verify the metric attributes
+		attributes := dp.Attributes()
+		issuer, _ := attributes.Get("tlscheck.x509.issuer")
+		commonName, _ := attributes.Get("tlscheck.x509.cn")
+		assert.Equal(t, attrs.issuer, issuer.AsString(), "Incorrect issuer for target %s", caCertFile)
+		assert.Equal(t, attrs.commonName, commonName.AsString(), "Incorrect common name for target %s", caCertFile)
+
+		// Verify positive time left on cert
+		timeLeft := dp.IntValue()
+		assert.Positive(t, timeLeft, "Time left should be positive for a valid cert")
+	}
+}
+
 func TestValidateEndpoint(t *testing.T) {
 	testCases := []struct {
 		desc        string