Skip to content

Commit 906bb34

Browse files
tmshorttmshort
committed
Add logging to certpoolwatcher
Logging now indicates what certificate (by file and X.509 name) is being watched Signed-off-by: Todd Short <[email protected]>
1 parent e77c53c commit 906bb34

File tree

1 file changed

+77
-0
lines changed

1 file changed

+77
-0
lines changed

internal/httputil/certpoolwatcher.go

Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,8 +2,10 @@ package httputil
22

33
import (
44
"crypto/x509"
5+
"encoding/pem"
56
"fmt"
67
"os"
8+
"path/filepath"
79
"slices"
810
"strings"
911
"sync"
@@ -66,6 +68,7 @@ func NewCertPoolWatcher(caDir string, log logr.Logger) (*CertPoolWatcher, error)
6668
if err := watcher.Add(p); err != nil {
6769
return nil, err
6870
}
71+
logPath(p, log)
6972
}
7073

7174
cpw := &CertPoolWatcher{
@@ -126,3 +129,77 @@ func (cpw *CertPoolWatcher) drainEvents() {
126129
}
127130
}
128131
}
132+
133+
func logPath(p string, log logr.Logger) {
134+
fi, err := os.Stat(p)
135+
if err != nil {
136+
log.Error(err, "error in os.Stat()", "path", p)
137+
return
138+
}
139+
if !fi.IsDir() {
140+
logFile(p, log)
141+
return
142+
}
143+
dirEntries, err := os.ReadDir(p)
144+
if err != nil {
145+
log.Error(err, "error in os.ReadDir()", "path", p)
146+
return
147+
}
148+
for _, e := range dirEntries {
149+
file := filepath.Join(p, e.Name())
150+
fi, err := os.Stat(file)
151+
if err != nil {
152+
log.Error(err, "error in os.Stat()", "file", file)
153+
continue
154+
}
155+
if fi.IsDir() {
156+
log.Info("ignoring subdirectory", "directory", file)
157+
continue
158+
}
159+
logFile(file, log)
160+
}
161+
}
162+
163+
func logFile(f string, log logr.Logger) {
164+
data, err := os.ReadFile(f)
165+
if err != nil {
166+
log.Error(err, "error in os.ReadFile()", "file", f)
167+
return
168+
}
169+
var block *pem.Block
170+
block, data = pem.Decode(data)
171+
if block == nil {
172+
log.Error(nil, "no block returned from pem.Decode()", "file", f)
173+
return
174+
}
175+
crt, err := x509.ParseCertificate(block.Bytes)
176+
if err != nil {
177+
log.Error(err, "error in x509.ParseCertificate()", "file", f)
178+
return
179+
}
180+
181+
count := 0
182+
for len(data) > 0 {
183+
block, data = pem.Decode(data)
184+
if block != nil {
185+
_, err := x509.ParseCertificate(block.Bytes)
186+
if err == nil {
187+
count = count + 1
188+
}
189+
}
190+
}
191+
192+
// Find an appopriate certificate identifier
193+
args := []any{"file", f}
194+
if s := crt.Subject.String(); s != "" {
195+
args = append(args, "subject", s)
196+
} else if crt.DNSNames != nil {
197+
args = append(args, "DNSNames", crt.DNSNames)
198+
} else if s := crt.SerialNumber.String(); s != "" {
199+
args = append(args, "serial", s)
200+
}
201+
if count > 1 {
202+
args = append(args, "additional-certs", count)
203+
}
204+
log.Info("watching certificate", args...)
205+
}

0 commit comments

Comments
 (0)