New component: X.509 Certificate Monitoring #33215

Open
2 tasks
LucaLanziani opened this issue May 24, 2024 · 2 comments
Labels: needs triage, Sponsor Needed

Comments

@LucaLanziani
Contributor

The purpose and use-cases of the new component

This will be a receiver based on the telegraf x509cert plugin code, following their license requirement, and will build an interface on top of it to match the collector interface.

Example configuration for the component

receivers:
  x509cert:
    sources:
      - "tcp://example.org:443"
      - "/etc/kubernetes/pki/etcd/peer.crt"
    timeout: "5s"
    exclude_root_certs: false
    use_proxy: true
    proxy_url: "http://localhost:8888"
    server_name: "myname.example.com"
    # tls:
    #   insecure: false
    #   ca_file: server.crt
    #   cert_file: client.crt
    #   key_file: client.key
    #   min_version: "1.1"
    #   max_version: "1.2"

Telemetry data types supported

For each certificate in the sources list, we will extract all properties of the certificate and use the remaining validity duration in seconds as the value.

Metric #0
Descriptor:
     -> Name: x509_cert
     -> Description: 
     -> Unit: 
     -> DataType: Gauge
NumberDataPoints #0
Data point attributes:
     -> startdate: Str(1706572800)
     -> serial_number: Str(75bcef30689c8addf13e51af4afe187)
     -> signature_algorithm: Str(SHA256-RSA)
     -> organization: Str(Internet Corporation for Assigned Names and Numbers)
     -> province: Str(California)
     -> locality: Str(Los Angeles)
     -> ocsp_verified: Str(yes)
     -> ocsp_produced_at: Str(1716394018)
     -> issuer_serial_number: Str()
     -> san: Str(www.example.org,example.net,example.edu,example.com,example.org,www.example.com,www.example.edu,www.example.net)
     -> verification: Str(valid)
     -> ocsp_stapled: Str(yes)
     -> ocsp_status: Str(good)
     -> ocsp_this_update: Str(1716393062)
     -> verification_code: Str(0)
     -> enddate: Str(1740873599)
     -> source: Str(tcp://example.org:443)
     -> common_name: Str(www.example.org)
     -> country: Str(US)
     -> type: Str(leaf)
     -> ocsp_status_code: Str(0)
     -> issuer_common_name: Str(DigiCert Global G2 TLS RSA SHA256 2020 CA1)
     -> ocsp_next_update: Str(1716994262)
     -> public_key_algorithm: Str(RSA)
StartTimestamp: 1970-01-01 00:00:00 +0000 UTC
Timestamp: 2024-05-24 09:48:58.247835279 +0000 UTC
Value: 24329460

Is this a vendor-specific component?

  • This is a vendor-specific component
  • If this is a vendor-specific component, I am proposing to contribute and support it as a representative of the vendor.

Code Owner(s)

LucaLanziani, zimny

Sponsor (optional)

No response

Additional context

No response

LucaLanziani added the needs triage and Sponsor Needed labels May 24, 2024
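
The data point described in this issue (certificate fields as attributes, remaining validity in seconds as the gauge value), as an added Go example that is not the proposed receiver's or telegraf's code. `pointFromCert`, `must` and `constructedCert` are hypothetical names, the certificate is a constructed self-signed one, and only a subset of the listed attributes is filled in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// pointFromCert (hypothetical helper) returns one certificate's attributes and the gauge
// value: whole seconds of validity left at time now, negative once the cert has expired.
func pointFromCert(c *x509.Certificate, source string, now time.Time) (map[string]string, int64) {
	attrs := map[string]string{
		"source":        source,
		"common_name":   c.Subject.CommonName,
		"serial_number": c.SerialNumber.Text(16),
		"san":           strings.Join(c.DNSNames, ","),
		"startdate":     fmt.Sprint(c.NotBefore.Unix()),
		"enddate":       fmt.Sprint(c.NotAfter.Unix()),
	}
	return attrs, int64(c.NotAfter.Sub(now) / time.Second)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// constructedCert builds a throwaway self-signed certificate (sample data, not a real one).
func constructedCert(notBefore, notAfter time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(0x1234), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "www.example.org"}, DNSNames: []string{"www.example.org", "example.org"}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	c := constructedCert(time.Unix(1706572800, 0), time.Unix(1740873599, 0))
	attrs, remaining := pointFromCert(c, "constructed", time.Now())
	fmt.Println(remaining, attrs)
}
```

With the startdate, enddate and timestamp from the sample output above, the function returns the same value as the sample, 24329460.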
@atoulme
Contributor

atoulme commented May 30, 2024

Will you be using a scraper approach for this? Did you build a metadata.yaml? Would you please share it?

Which attributes do you want always enabled? Are attributes based off the fields of the cert?

@LucaLanziani
Contributor Author

Yes, the software will scrape; the implementation is pretty much the same as telegraf's and you can find it here.

The plan, as I said, is to wrap their code and include their license. We have a first implementation ready, but it's not based on this repo; it was built following https://opentelemetry.io/docs/collector/building/receiver/.

If there is interest, we will change the code and add the metadata.yaml.
