From b933b0240c5a9f3d43a58772490a5c5155dd1b18 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Thu, 24 Mar 2022 01:08:02 -0400
Subject: [PATCH] webhooks, aggregation: add metrics to count certs with SHA1 signatures

Extends the certificate attribute deprecation RoundTrippers wrapper with a checker that counts certificates with sha-1 signatures in server responses. Non-root non-self-signed SHA-1 certificate signatures were deprecated in Golang 1.18.

Kubernetes-commit: 499ee65a9b0cd45d41716b513fae0d537f7f9c88
---
 pkg/apiserver/handler_proxy.go | 5 ++++-
 pkg/apiserver/metrics.go | 13 +++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/pkg/apiserver/handler_proxy.go b/pkg/apiserver/handler_proxy.go
index f6255ea56..3a880b6b2 100644
--- a/pkg/apiserver/handler_proxy.go
+++ b/pkg/apiserver/handler_proxy.go
@@ -241,7 +241,10 @@ func (r *proxyHandler) updateAPIService(apiService *apiregistrationv1api.APIServ
 CAData: apiService.Spec.CABundle,
 },
 }
- clientConfig.Wrap(x509metrics.NewMissingSANRoundTripperWrapperConstructor(x509MissingSANCounter))
+ clientConfig.Wrap(x509metrics.NewDeprecatedCertificateRoundTripperWrapperConstructor(
+ x509MissingSANCounter,
+ x509InsecureSHA1Counter,
+ ))
 
 newInfo := proxyHandlingInfo{
 name: apiService.Name,
diff --git a/pkg/apiserver/metrics.go b/pkg/apiserver/metrics.go
index ba25750ec..03315e984 100644
--- a/pkg/apiserver/metrics.go
+++ b/pkg/apiserver/metrics.go
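Review bot: Both counters handed to `clientConfig.Wrap` in this hunk are package-level globals (`x509MissingSANCounter` and `x509InsecureSHA1Counter`, declared in metrics.go) shared by every APIService that updateAPIService wraps, so an increment cannot be attributed to a particular aggregated backend, and nothing at the call site says so. A comment such as `// Counters are shared across all APIServices: the x509 metrics report aggregate totals, not per-backend counts.` would stop an operator from expecting a per-service series and prompt them to correlate with logs instead. Whether the wrapper only counts or also affects the connection is not visible here and, per the metric's Help text, depends on the runtime, so the call site could point readers at that description. updateAPIService begins and ends outside the hunk.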
@@ -34,6 +34,19 @@ var x509MissingSANCounter = metrics.NewCounter(
 },
 )
 
+var x509InsecureSHA1Counter = metrics.NewCounter(
+ &metrics.CounterOpts{
+ Subsystem: "kube_aggregator",
+ Namespace: "apiserver",
+ Name: "x509_insecure_sha1_total",
+ Help: "Counts the number of requests to servers with insecure SHA1 signatures " +
+ "in their serving certificate OR the number of connection failures " +
+ "due to the insecure SHA1 signatures (either/or, based on the runtime environment)",
+ StabilityLevel: metrics.ALPHA,
+ },
+ )
+
 func init() {
 legacyregistry.MustRegister(x509MissingSANCounter)
+ legacyregistry.MustRegister(x509InsecureSHA1Counter)
 }
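Review bot: The Help string on `x509InsecureSHA1Counter` leaves the series ambiguous for anyone alerting on it: one increment may mean a request that was successfully proxied to a server with a SHA-1-signed certificate, or a connection that failed because of it, and "based on the runtime environment" does not tell the reader which case applies on their build. Since the commit description states that Go 1.18 deprecated non-root, non-self-signed SHA-1 signatures, the text could name that condition, e.g. `Help: "Counts requests to servers whose serving certificate chain carries an insecure SHA1 signature; on Go runtimes that reject such signatures (1.18+) this instead counts the resulting connection failures",`. A one-line comment above the var stating that the counter is a detection signal only, and does not by itself decide whether the connection is accepted, would also help, hedged until confirmed against the wrapper in x509metrics since that code is not in this diff. The diffstat shows no test for the new registration or for the increment path.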