In watch mode the exporter does not remove deleted secrets #86

Open
fhitchen opened this issue Dec 2, 2022 · 0 comments

fhitchen commented Dec 2, 2022

Very nice tool and dashboard. Thanks.

I don't know if this is expected behaviour, but 24 hours after running with --watch-kube-secrets, I could still see metrics for secrets that no longer existed.

Shouldn't the exporter remove them and no longer generate Prometheus metrics for them?

I wanted to add another label to indicate if the cert was a CA or not, as my organization mixes them up, which seems to work.

diff --git a/internal/exporter.go b/internal/exporter.go
index e67a29d..d3fb6a1 100644
--- a/internal/exporter.go
+++ b/internal/exporter.go
@@ -250,6 +250,10 @@ func (exporter *Exporter) getLabels(certData *parsedCertificate, ref *certificat
        fillLabelsFromName(&certData.cert.Issuer, "issuer", labels)
        fillLabelsFromName(&certData.cert.Subject, "subject", labels)
 
+       if certData.cert.BasicConstraintsValid && certData.cert.IsCA {
+               labels["is_CA"] = "true"
+       }
+
        if ref.format == certificateFormatYAML {
                kind := strings.Split(certData.yqMatchExpr, ".")[1]
                labels["embedded_kind"] = strings.TrimRight(kind, "s")
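
Review bot: `labels["is_CA"] = "true"` is set only inside the `if`, so a certificate that is not a CA gets no `is_CA` label at all rather than `is_CA="false"`, and series from the same metric family end up with different label sets. Consider setting the label unconditionally, for example `labels["is_CA"] = strconv.FormatBool(certData.cert.BasicConstraintsValid && certData.cert.IsCA)`, so dashboards and alerts can match on either value explicitly. Gating `IsCA` on `BasicConstraintsValid` is the right check and should stay. The diff touches only `internal/exporter.go`, so a test case for a CA and a non-CA certificate and a mention of the new label in the documentation are still missing.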

But on running a test against the test certs I saw that the bad link pem was getting parsed without error...

$ ./x509-certificate-exporter -d test/
INFO[0000] starting x509-certificate-exporter version 0.0.0 () () 
INFO[0000] 1 valid certificate(s) found in "test/badlink.pem" 
INFO[0000] 1 valid certificate(s) found in "test/basic.pem" 

and generating metrics...

x509_cert_expired{filename="badlink.pem",filepath="test/badlink.pem",is_CA="true",issuer_CN="kubernetes",serial_number="0",subject_CN="kubernetes"} 0
x509_cert_not_after{filename="badlink.pem",filepath="test/badlink.pem",is_CA="true",issuer_CN="kubernetes",serial_number="0",subject_CN="kubernetes"} 1.861190854e+09
x509_cert_not_before{filename="badlink.pem",filepath="test/badlink.pem",is_CA="true",issuer_CN="kubernetes",serial_number="0",subject_CN="kubernetes"} 1.545830854e+09

even though it truly does not exist...

$ ls -l test/badlink.pem 
lrwxrwxrwx 1 me me 15 Nov 21 15:44 test/badlink.pem -> /toto/basic.pem

fhitchen pushed a commit to fhitchen/x509-certificate-exporter that referenced this issue Feb 4, 2023
arcln added a commit that referenced this issue Apr 27, 2023
arcln added a commit that referenced this issue May 17, 2023