open-telemetry / opentelemetry-collector-contrib

Contrib repository for the OpenTelemetry Collector
https://opentelemetry.io
Apache License 2.0

New component: X.509 Certificate Monitoring #33215

Open LucaLanziani opened 5 months ago

LucaLanziani commented 5 months ago

The purpose and use-cases of the new component

This will be a receiver based on the telegraf x509cert plugin code, following their license requirements, and build an interface on top of it to match the collector interface.

Example configuration for the component

```yaml
receivers:
  x509cert:
    sources:
      - "tcp://example.org:443"
      - "/etc/kubernetes/pki/etcd/peer.crt"
    timeout: "5s"
    exclude_root_certs: false
    use_proxy: true
    proxy_url: "http://localhost:8888"
    server_name: "myname.example.com"
    # tls:
    #   insecure: false
    #   ca_file: server.crt
    #   cert_file: client.crt
    #   key_file: client.key
    #   min_version: "1.1"
    #   max_version: "1.2"
```

Telemetry data types supported

For each certificate in the sources list we will extract all properties of the certificate and use the remaining validity duration in seconds as value.

```text
Metric #0
Descriptor:
     -> Name: x509_cert
     -> Description:
     -> Unit:
     -> DataType: Gauge
NumberDataPoints #0
Data point attributes:
     -> startdate: Str(1706572800)
     -> serial_number: Str(75bcef30689c8addf13e51af4afe187)
     -> signature_algorithm: Str(SHA256-RSA)
     -> organization: Str(Internet Corporation for Assigned Names and Numbers)
     -> province: Str(California)
     -> locality: Str(Los Angeles)
     -> ocsp_verified: Str(yes)
     -> ocsp_produced_at: Str(1716394018)
     -> issuer_serial_number: Str()
     -> san: Str(www.example.org,example.net,example.edu,example.com,example.org,www.example.com,www.example.edu,www.example.net)
     -> verification: Str(valid)
     -> ocsp_stapled: Str(yes)
     -> ocsp_status: Str(good)
     -> ocsp_this_update: Str(1716393062)
     -> verification_code: Str(0)
     -> enddate: Str(1740873599)
     -> source: Str(tcp://example.org:443)
     -> common_name: Str(www.example.org)
     -> country: Str(US)
     -> type: Str(leaf)
     -> ocsp_status_code: Str(0)
     -> issuer_common_name: Str(DigiCert Global G2 TLS RSA SHA256 2020 CA1)
     -> ocsp_next_update: Str(1716994262)
     -> public_key_algorithm: Str(RSA)
StartTimestamp: 1970-01-01 00:00:00 +0000 UTC
Timestamp: 2024-05-24 09:48:58.247835279 +0000 UTC
Value: 24329460
```

Is this a vendor-specific component?

Code Owner(s)

LucaLanziani, zimny

Sponsor (optional)

@atoulme

Additional context

No response
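The following is an added Go sketch of the metric shape the proposal describes (remaining validity in seconds as the gauge value, certificate fields as string attributes, and the `exclude_root_certs` filter). It is not code from this issue, from the telegraf x509cert plugin, or from the collector; the function names, the `root`/`intermediate`/`leaf` classification rule, and the reduced attribute set (no OCSP or chain-verification fields) are assumptions made for illustration. The certificate it inspects is generated in memory so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// CertMetric mirrors one x509_cert gauge data point from the proposal:
// remaining validity in seconds is the value, certificate fields become attributes.
type CertMetric struct {
	Value      int64
	Attributes map[string]string
}

// certType fills the proposed `type` attribute. Assumed rule: a CA whose issuer
// equals its subject is "root", any other CA is "intermediate", the rest are "leaf".
func certType(c *x509.Certificate) string {
	if c.IsCA {
		if bytes.Equal(c.RawIssuer, c.RawSubject) {
			return "root"
		}
		return "intermediate"
	}
	return "leaf"
}

// buildMetric turns a parsed certificate into the metric shape sketched in the issue.
// `now` is injected so the remaining validity is deterministic in tests.
func buildMetric(c *x509.Certificate, source string, now time.Time) CertMetric {
	attrs := map[string]string{
		"source":               source,
		"common_name":          c.Subject.CommonName,
		"issuer_common_name":   c.Issuer.CommonName,
		"serial_number":        c.SerialNumber.Text(16),
		"signature_algorithm":  c.SignatureAlgorithm.String(),
		"public_key_algorithm": c.PublicKeyAlgorithm.String(),
		"san":                  strings.Join(c.DNSNames, ","),
		"startdate":            strconv.FormatInt(c.NotBefore.Unix(), 10), // unix seconds, as in the sample
		"enddate":              strconv.FormatInt(c.NotAfter.Unix(), 10),
		"type":                 certType(c),
	}
	if len(c.Subject.Organization) > 0 {
		attrs["organization"] = c.Subject.Organization[0]
	}
	if len(c.Subject.Country) > 0 {
		attrs["country"] = c.Subject.Country[0]
	}
	return CertMetric{
		// Seconds until NotAfter; goes negative once the certificate has expired,
		// which is what an "expires in < N days" alert would key on.
		Value:      int64(c.NotAfter.Sub(now).Seconds()),
		Attributes: attrs,
	}
}

// collect applies the exclude_root_certs option from the example configuration
// to a presented chain and emits one data point per remaining certificate.
func collect(chain []*x509.Certificate, source string, now time.Time, excludeRoots bool) []CertMetric {
	var out []CertMetric
	for _, c := range chain {
		if excludeRoots && certType(c) == "root" {
			continue
		}
		out = append(out, buildMetric(c, source, now))
	}
	return out
}

// newTestCert builds a constructed, self-signed certificate in memory (hypothetical
// helper for the example only) so nothing is fetched from the network or disk.
func newTestCert(cn string, notBefore, notAfter time.Time, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(0x75bc), // constructed value
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Org"}, Country: []string{"US"}},
		DNSNames:              []string{cn, "www." + cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	leaf, err := newTestCert("example.org", now.Add(-time.Hour), now.Add(30*24*time.Hour), false)
	if err != nil {
		panic(err)
	}
	for _, m := range collect([]*x509.Certificate{leaf}, "tcp://example.org:443", now, false) {
		fmt.Printf("x509_cert value=%d common_name=%s type=%s enddate=%s\n",
			m.Value, m.Attributes["common_name"], m.Attributes["type"], m.Attributes["enddate"])
	}
}
```

Injecting `now` rather than reading the clock inside `buildMetric` is what makes the remaining-validity value testable; a real receiver would take it from the scrape tick. Note that X.509 validity times carry one-second precision, so the gauge value is a whole number of seconds.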

atoulme commented 5 months ago

Will you be using a scraper approach for this? Did you build a metadata.yaml? Would you please share it?

Which attributes do you want always enabled? Are attributes based off the fields of the cert?

LucaLanziani commented 5 months ago

Yes, the software will scrape; the implementation is pretty much the same as telegraf's and you can find it here.

The plan as I said is to wrap their code and include their license, we have a first implementation ready but it's not based on this repo but built following https://opentelemetry.io/docs/collector/building/receiver/.

If there is interest we will change the code and add the metadata.yaml.

github-actions[bot] commented 3 months ago

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

zimny commented 2 months ago

We're still looking for sponsors here!

atoulme commented 1 month ago

Alright, happy to be the sponsor.