amimof / node-cert-exporter

An SSL certificate Prometheus exporter
Apache License 2.0

Differences in binaries and docker execution #66

Open edPuig opened 2 years ago

edPuig commented 2 years ago

I'm facing trouble while I'm executing node-cert-exporter in the binary version, following the instructions in the documentation. If I run the Docker version I can see in the Grafana dashboard the same thing that's shown in the documentation's image, but I don't want to run node-cert-exporter in the Docker version, but in the binary version. And when I do that I see a bunch of certificates which are outside the path that I passed with the --include-glob parameter.

What I execute:

node-cert-exporter --include-glob /etc/letsencrypt/live/*/*.pem

👆 that directory contains a dir (my_site) and inside it three .pem files (file1.pem, file2.pem, file3.pem)

What I want to see (something similar with my certificates, which I can see with the Docker version): [screenshot]

What I actually see: [screenshot]

Additional information:

Output of node-cert-exporter --version:

Version: v1.1.2
Commit: 8f826938657045cc01887f45aa4a89409954a348
Branch: HEAD
GoVersion: 1.15.15

Additional environment details:

OS: Ubuntu 20.04

amimof commented 2 years ago

@EdelenP Thanks for reporting 👏

The container version on Docker Hub is one version behind (1.1.1) because the image registry is now hosted in GitHub Packages. I haven't updated the documentation yet. Will do that ASAP. Version 1.1.2 (the one you are running) doesn't introduce any code changes. Only CI/CD stuff.

Are you seeing your certificates AND the additional ones under etc/? Might be that there is a symlink under /etc/letsencrypt/live/ that resolves to /etc. Can you please check?

dracorp commented 2 years ago

@amimof I have a similar issue. There is a difference between the binary and Docker versions. I've copied AKS certificates to my laptop to /etc/kubernetes/certs and run node-cert-exporter in version v1.1.2:

./node-cert-exporter --logtostderr=true -v=10 --include-glob /etc/kubernetes/certs/apiserver.crt

which generates metrics:

# TYPE ssl_certificate_expiry_seconds gauge
ssl_certificate_expiry_seconds{alg="SHA256-RSA",dns_names="localhost,hcp-kubernetes,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local,hcp-kubernetes.5da073ea569f243234028165.svc.cluster.local,aks-cicd-d-westeurope.azmk8s.io",email_addresses="",hostname="myhosname",issuer="CN=ca",nodename="",path="/etc/kubernetes/certs/apiserver.crt",subject="CN=apiserver",version="3"} 4.1735623456093e+07

But the Docker version of node-cert-exporter:v1.1.2 for arguments:

- "--v=10"
- "--logtostderr=true"
- "--include-glob='/host/etc/kubernetes/certs/apiserver.crt'"

generates: [screenshot]

Why? I want to monitor only apiserver.crt. With a standalone --path argument it works well but scans the whole directory. In the logs I see that it scans the whole filesystem.

I0520 06:24:25.035256       1 main.go:70] Listening on :9117
W0520 06:24:52.210993       1 exporter.go:111] Couldn't open proc/1/fd/8: lstat proc/1/fd/8: no such file or directory
W0520 06:24:52.258372       1 exporter.go:111] Couldn't open proc/1/fdinfo/8: lstat proc/1/fdinfo/8: no such file or directory
...

PS. Why does it not work in Docker (missing =):

unknown flag: --include-glob '/host/etc/kubernetes/certs/apiserver.crt'

but works well for binary execution.

dracorp commented 2 years ago

OK, I see the same problem with the binary if I run it from /. It scans the whole filesystem:

I0523 07:36:10.502281   61482 main.go:70] Listening on :9117
W0523 07:37:44.309107   61482 exporter.go:111] Couldn't open Library/Application Support/Apple/AssetCache/Data: open Library/Application Support/Apple/AssetCache/Data: permission denied
W0523 07:37:44.386553   61482 exporter.go:111] Couldn't open Library/Application Support/Apple/ParentalControls/Users: open Library/Application Support/Apple/ParentalControls/Users: permission denied
W0523 07:37:44.863951   61482 exporter.go:111] Couldn't open Library/Application Support/Apple/Remote Desktop/Client: open Library/Application Support/Apple/Remote Desktop/Client: permission denied
W0523 07:37:44.865378   61482 exporter.go:111] Couldn't open Library/Application Support/Apple/Remote Desktop/Task Server: open Library/Application Support/Apple/Remote Desktop/Task Server: permission denied
W0523 07:37:44.866465   61482 exporter.go:111] Couldn't open Library/Application Support/Apple/Screen Sharing/Keys: open Library/Application Support/Apple/Screen Sharing/Keys: permission denied

The --path and --include-glob options can work together:

An error has occurred while serving metrics:

collected metric "ssl_certificate_expiry_seconds" { label:<name:"alg" value:"SHA256-RSA" > label:<name:"dns_names" value:"localhost,hcp-kubernetes,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local,...." > label:<name:"email_addresses" value:"" > label:<name:"hostname" value:"hostname" > label:<name:"issuer" value:"CN=ca" > label:<name:"nodename" value:"" > label:<name:"path" value:"/etc/kubernetes/certs/apiserver.crt" > label:<name:"subject" value:"CN=apiserver" > label:<name:"version" value:"3" > gauge:<value:4.1476502280559e+07 > } was collected before with the same name and label values

dracorp commented 2 years ago

Also this works on the command line:

--path=/etc/kubernetes/certs --exclude-glob='/etc/kubernetes/certs/[kc]*.crt'

but does not work for k8s. I have no idea how to monitor only apiserver.crt. I also tried a modified Dockerfile with another WORKDIR.
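The thread's point about --include-glob, shown with an added example that is not node-cert-exporter's own code (how the exporter implements the flag is not shown here): resolving the glob with filepath.Glob opens only the matched files, so a pattern like /etc/letsencrypt/live/*/*.pem cannot expand into a walk of the working directory, while still following the symlinks amimof mentions, skipping non-certificate .pem files such as a private key, and producing the same seconds-to-expiry value the ssl_certificate_expiry_seconds gauge carries. ExpiryByGlob and WriteSelfSigned are assumed names, and the certificate is constructed in a temporary directory.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ExpiryByGlob resolves includeGlob with filepath.Glob (no directory walk) and returns
// seconds until NotAfter for each PEM certificate matched, keyed by path.
func ExpiryByGlob(includeGlob string, now time.Time) (map[string]float64, error) {
	matches, err := filepath.Glob(includeGlob) // err is non-nil only for a malformed pattern
	out := map[string]float64{}
	for _, p := range matches {
		data, _ := os.ReadFile(p) // follows symlinks, which letsencrypt's live/ layout relies on
		block, _ := pem.Decode(data)
		if block == nil || block.Type != "CERTIFICATE" {
			continue // unreadable, or not a certificate (e.g. privkey.pem): skip it
		}
		if cert, perr := x509.ParseCertificate(block.Bytes); perr == nil {
			out[p] = cert.NotAfter.Sub(now).Seconds()
		}
	}
	return out, err
}

// WriteSelfSigned writes a constructed self-signed test certificate (not a real one) to path.
func WriteSelfSigned(path string, notAfter time.Time) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(0, -3, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
}

func main() {
	dir, _ := os.MkdirTemp("", "live") // mirrors the live/<site>/*.pem layout from the report
	_ = os.MkdirAll(filepath.Join(dir, "my_site"), 0o755)
	_ = WriteSelfSigned(filepath.Join(dir, "my_site", "cert.pem"), time.Now().AddDate(0, 0, 30))
	fmt.Println(ExpiryByGlob(filepath.Join(dir, "*", "*.pem"), time.Now()))
}
```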