Instrument nginx to expose metric "ssl certficate expiration time "

Add a console warning message 10 days before the certificate expire
2017-06-12 14:45:08 +02:00 · 2017-06-12 14:45:08 +02:00 · d9cf043552
commit d9cf043552
parent e258ee19d1
5 changed files with 41 additions and 3 deletions
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
@ -380,6 +380,7 @@ func (ic *GenericController) syncIngress(key interface{}) error {

 	upstreams, servers := ic.getBackendServers()
 	var passUpstreams []*ingress.SSLPassthroughBackend
+
 	for _, server := range servers {
 		if !server.SSLPassthrough {
 			continue
@ -416,6 +417,7 @@ func (ic *GenericController) syncIngress(key interface{}) error {

 	glog.Infof("ingress backend successfully reloaded...")
 	incReloadCount()
+	setSSLExpireTime(servers)

 	return nil
 }
@ -1008,6 +1010,12 @@ func (ic *GenericController) createServers(data []interface{},
 					if isHostValid(host, cert) {
 						servers[host].SSLCertificate = cert.PemFileName
 						servers[host].SSLPemChecksum = cert.PemSHA
+						servers[host].SSLExpireTime = cert.ExpireTime
+
+						if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour)) {
+							glog.Warningf("ssl certificate for host %v is about to expire in 10 days", host)
+						}
+
 					} else {
 						glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
 					}
--- a/core/pkg/ingress/controller/metrics.go
+++ b/core/pkg/ingress/controller/metrics.go
@ -18,17 +18,22 @@ package controller

 import (
 	"github.com/prometheus/client_golang/prometheus"
+	"k8s.io/ingress/core/pkg/ingress"
 )

 const (
-	ns          = "ingress_controller"
-	operation   = "count"
-	reloadLabel = "reloads"
+	ns             = "ingress_controller"
+	operation      = "count"
+	reloadLabel    = "reloads"
+	sslLabelExpire = "ssl_expire_time_seconds"
+	sslLabelHost   = "host"
 )

 func init() {
 	prometheus.MustRegister(reloadOperation)
 	prometheus.MustRegister(reloadOperationErrors)
+	prometheus.MustRegister(sslExpireTime)
+
 }

 var (
@ -48,6 +53,15 @@ var (
 		},
 		[]string{operation},
 	)
+	sslExpireTime = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Namespace: ns,
+			Name:      sslLabelExpire,
+			Help:      "Number of seconds since 1970 to the SSL Certificate expire. An example to check if this " +
+				"certificate will expire in 10 days is: \"ingress_controller_ssl_expire_time_seconds < (time() + (10 * 24 * 3600))\"",
+		},
+		[]string{sslLabelHost},
+	)
 )

 func incReloadCount() {
@ -57,3 +71,11 @@ func incReloadCount() {
 func incReloadErrorCount() {
 	reloadOperationErrors.WithLabelValues(reloadLabel).Inc()
 }
+
+func setSSLExpireTime(servers []*ingress.Server) {
+
+	for _, s := range servers {
+		sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLExpireTime.Unix()))
+	}
+
+}