webhooks, aggregation: add metrics to count certs with SHA1 signatures

Extends the certificate attribute deprecation RoundTrippers wrapper with a checker that counts certificates with sha-1 signatures in server responses. Non-root non-self-signed SHA-1 certificate signatures were deprecated in Golang 1.18. Kubernetes-commit: 499ee65a9b0cd45d41716b513fae0d537f7f9c88
kubernetes · Mar 24, 2022 · b933b02 · b933b02
1 parent b4638dd
commit b933b02
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/pkg/apiserver/handler_proxy.go b/pkg/apiserver/handler_proxy.go
@@ -241,7 +241,10 @@ func (r *proxyHandler) updateAPIService(apiService *apiregistrationv1api.APIServ
 			CAData:     apiService.Spec.CABundle,
 		},
 	}
-	clientConfig.Wrap(x509metrics.NewMissingSANRoundTripperWrapperConstructor(x509MissingSANCounter))
+	clientConfig.Wrap(x509metrics.NewDeprecatedCertificateRoundTripperWrapperConstructor(
+		x509MissingSANCounter,
+		x509InsecureSHA1Counter,
+	))
 
 	newInfo := proxyHandlingInfo{
 		name:             apiService.Name,

diff --git a/pkg/apiserver/metrics.go b/pkg/apiserver/metrics.go
@@ -34,6 +34,19 @@ var x509MissingSANCounter = metrics.NewCounter(
 	},
 )
 
+var x509InsecureSHA1Counter = metrics.NewCounter(
+	&metrics.CounterOpts{
+		Subsystem: "kube_aggregator",
+		Namespace: "apiserver",
+		Name:      "x509_insecure_sha1_total",
+		Help: "Counts the number of requests to servers with insecure SHA1 signatures " +
+			"in their serving certificate OR the number of connection failures " +
+			"due to the insecure SHA1 signatures (either/or, based on the runtime environment)",
+		StabilityLevel: metrics.ALPHA,
+	},
+)
+
 func init() {
 	legacyregistry.MustRegister(x509MissingSANCounter)
+	legacyregistry.MustRegister(x509InsecureSHA1Counter)
 }