ssl_exporter/prober/kubernetes.go

package prober

import (
	"context"
	"fmt"
	"regexp"
	"strings"

	"github.com/bmatcuk/doublestar/v2"
	"github.com/go-kit/log"
	"github.com/prometheus/client_golang/prometheus"
	"github.com/ribbybibby/ssl_exporter/v2/config"
	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"

	// Support oidc in kube config files
	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
)

var (
	// ErrKubeBadTarget is returned when the target doesn't match the
	// expected form for the kubernetes prober
	ErrKubeBadTarget = fmt.Errorf("Target secret must be provided in the form: <namespace>/<name>")

	globPattern = regexp.MustCompile(`^.*(\*|\?|\{|\}|\[|\])+.*$`)
)

// ProbeKubernetes collects certificate metrics from kubernetes.io/tls Secrets
func ProbeKubernetes(ctx context.Context, logger log.Logger, target string, module config.Module, registry *prometheus.Registry) error {
	client, err := newKubeClient(module.Kubernetes.Kubeconfig)
	if err != nil {
		return err
	}

	return probeKubernetes(ctx, target, module, registry, client)
}

func probeKubernetes(ctx context.Context, target string, module config.Module, registry *prometheus.Registry, client kubernetes.Interface) error {
	parts := strings.Split(target, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return ErrKubeBadTarget
	}

	ns := parts[0]
	name := parts[1]

	// If the namespace contains a glob pattern then we need to filter on
	// all the secrets in the cluster
	selector := ns
	if globPattern.MatchString(ns) {
		selector = ""
	}

	var tlsSecrets []v1.Secret
	secrets, err := client.CoreV1().Secrets(selector).List(ctx, metav1.ListOptions{FieldSelector: "type=kubernetes.io/tls"})
	if err != nil {
		return err
	}
	for _, secret := range secrets.Items {
		nMatch, err := doublestar.Match(ns, secret.Namespace)
		if err != nil {
			return err
		}
		sMatch, err := doublestar.Match(name, secret.Name)
		if err != nil {
			return err
		}
		if nMatch && sMatch {
			tlsSecrets = append(tlsSecrets, secret)
		}
	}

	return collectKubernetesSecretMetrics(tlsSecrets, registry)
}

// newKubeClient returns a Kubernetes client (clientset) from the supplied
// kubeconfig path, the KUBECONFIG environment variable, the default config file
// location ($HOME/.kube/config) or from the in-cluster service account environment.
func newKubeClient(path string) (*kubernetes.Clientset, error) {
	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
	if path != "" {
		loadingRules.ExplicitPath = path
	}
	kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
		loadingRules,
		&clientcmd.ConfigOverrides{},
	)
	config, err := kubeConfig.ClientConfig()
	if err != nil {
		return nil, err
	}

	return kubernetes.NewForConfig(config)
}
Add kubernetes prober 2020-11-15 22:05:51 +00:00			`package prober`

			`import (`
			`"context"`
			`"fmt"`
kubernetes: use namespace selector where possible We can use a namespace selector to only list secrets in the target namespace, unless its a glob pattern. 2024-04-30 06:39:07 +01:00			`"regexp"`
Add kubernetes prober 2020-11-15 22:05:51 +00:00			`"strings"`

			`"github.com/bmatcuk/doublestar/v2"`
Move to github.com/prometheus/common/promlog for logging (#71) * Move to yaml.v3 everywhere * Switch to github.com/prometheus/common/promlog for logging 2021-06-23 12:22:22 -04:00			`"github.com/go-kit/log"`
Add kubernetes prober 2020-11-15 22:05:51 +00:00			`"github.com/prometheus/client_golang/prometheus"`
Amend module path for v2 2022-05-07 09:31:08 +01:00			`"github.com/ribbybibby/ssl_exporter/v2/config"`
Add kubernetes prober 2020-11-15 22:05:51 +00:00			`v1 "k8s.io/api/core/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/client-go/kubernetes"`
			`"k8s.io/client-go/tools/clientcmd"`

			`// Support oidc in kube config files`
			`_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"`
			`)`

			`var (`
Fix golint errors 2020-11-16 00:48:15 +00:00			`// ErrKubeBadTarget is returned when the target doesn't match the`
			`// expected form for the kubernetes prober`
Add kubernetes prober 2020-11-15 22:05:51 +00:00			`ErrKubeBadTarget = fmt.Errorf("Target secret must be provided in the form: <namespace>/<name>")`
kubernetes: use namespace selector where possible We can use a namespace selector to only list secrets in the target namespace, unless its a glob pattern. 2024-04-30 06:39:07 +01:00
			globPattern = regexp.MustCompile(`^.(\\|\?\|\{\|\}\|\[\|\])+.*$`)
Add kubernetes prober 2020-11-15 22:05:51 +00:00			`)`

Fix golint errors 2020-11-16 00:48:15 +00:00			`// ProbeKubernetes collects certificate metrics from kubernetes.io/tls Secrets`
Move to github.com/prometheus/common/promlog for logging (#71) * Move to yaml.v3 everywhere * Switch to github.com/prometheus/common/promlog for logging 2021-06-23 12:22:22 -04:00			`func ProbeKubernetes(ctx context.Context, logger log.Logger, target string, module config.Module, registry *prometheus.Registry) error {`
Add kubernetes prober 2020-11-15 22:05:51 +00:00			`client, err := newKubeClient(module.Kubernetes.Kubeconfig)`
			`if err != nil {`
			`return err`
			`}`

			`return probeKubernetes(ctx, target, module, registry, client)`
			`}`

			`func probeKubernetes(ctx context.Context, target string, module config.Module, registry *prometheus.Registry, client kubernetes.Interface) error {`
			`parts := strings.Split(target, "/")`
			`if len(parts) != 2 \|\| parts[0] == "" \|\| parts[1] == "" {`
			`return ErrKubeBadTarget`
			`}`

			`ns := parts[0]`
			`name := parts[1]`

kubernetes: use namespace selector where possible We can use a namespace selector to only list secrets in the target namespace, unless its a glob pattern. 2024-04-30 06:39:07 +01:00			`// If the namespace contains a glob pattern then we need to filter on`
			`// all the secrets in the cluster`
			`selector := ns`
			`if globPattern.MatchString(ns) {`
			`selector = ""`
			`}`

Add kubernetes prober 2020-11-15 22:05:51 +00:00			`var tlsSecrets []v1.Secret`
kubernetes: use namespace selector where possible We can use a namespace selector to only list secrets in the target namespace, unless its a glob pattern. 2024-04-30 06:39:07 +01:00			`secrets, err := client.CoreV1().Secrets(selector).List(ctx, metav1.ListOptions{FieldSelector: "type=kubernetes.io/tls"})`
Add kubernetes prober 2020-11-15 22:05:51 +00:00			`if err != nil {`
			`return err`
			`}`
			`for _, secret := range secrets.Items {`
Use FieldSelector to select only tls secrets (#82) This speeds up the listing of certs significatnyly in clusters with many secrets. 2021-12-23 14:18:24 +01:00			`nMatch, err := doublestar.Match(ns, secret.Namespace)`
			`if err != nil {`
			`return err`
			`}`
			`sMatch, err := doublestar.Match(name, secret.Name)`
			`if err != nil {`
			`return err`
			`}`
			`if nMatch && sMatch {`
			`tlsSecrets = append(tlsSecrets, secret)`
Add kubernetes prober 2020-11-15 22:05:51 +00:00			`}`
			`}`

			`return collectKubernetesSecretMetrics(tlsSecrets, registry)`
			`}`

			`// newKubeClient returns a Kubernetes client (clientset) from the supplied`
			`// kubeconfig path, the KUBECONFIG environment variable, the default config file`
			`// location ($HOME/.kube/config) or from the in-cluster service account environment.`
			`func newKubeClient(path string) (*kubernetes.Clientset, error) {`
			`loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()`
			`if path != "" {`
			`loadingRules.ExplicitPath = path`
			`}`
			`kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(`
			`loadingRules,`
			`&clientcmd.ConfigOverrides{},`
			`)`
			`config, err := kubeConfig.ClientConfig()`
			`if err != nil {`
			`return nil, err`
			`}`

			`return kubernetes.NewForConfig(config)`
			`}`