tlscheckreceiver

v0.154.0
Published: Jun 9, 2026 License: Apache-2.0 Imports: 30 Imported by: 1

README

TLS Check Receiver

This receiver emits metrics about x.509 certificates.

Status
Stability: alpha (metrics)
Distributions: contrib
Code Owners: @atoulme, @michael-burt

Getting Started

By default, the TLS Check Receiver will emit a single metric, tlscheck.time_left, per target. This is measured in seconds until the date and time specified in the NotAfter field of the x.509 certificate. After certificate expiration, the metric value will be a negative integer measuring the time in seconds since expiry.

Example Configuration

Note: This receiver was renamed from tlscheck to tls_check to match the snake_case naming convention. The deprecated component type tlscheck is still accepted as an alias and will log a deprecation warning.

Targets are configured as a remote endpoint accessed via TCP, a PEM-encoded certificate file stored locally on disk, or a Java-format keystore file (JKS or PKCS#12).

receivers:
  tls_check:
    targets:
      # Monitor a local PEM file (default when no file_format is set)
      - file_path: /etc/istio/certs/cert-chain.pem

      # Monitor a JKS keystore — format inferred from .jks extension
      - file_path: /opt/app/keystore.jks
        password: changeit

      # Monitor a PKCS#12 keystore — format inferred from .p12 extension
      - file_path: /opt/app/keystore.p12
        password: ${env:KEYSTORE_PASSWORD}

      # Explicit format override (e.g. a .ks file that is actually JKS)
      - file_path: /opt/app/keystore.ks
        file_format: jks
        password: changeit

      # Monitor a remote endpoint
      - endpoint: example.com:443

      # Monitor a local service with a custom timeout
      - endpoint: localhost:10901
        dialer:
          timeout: 15s

Configuration Fields

| Field | Type | Default | Description |
|---|---|---|---|
| file_path | string | | Path to a certificate file on disk. Mutually exclusive with endpoint. |
| file_format | string | auto | Format of the certificate file. One of: auto, pem, jks, pkcs12. When auto, the format is inferred from the file extension (.jks → JKS; .p12 / .pfx → PKCS#12; all others → PEM). |
| password | string | | Password for JKS or PKCS#12 keystores. The value is masked in logs and diagnostic output. Optional for unprotected JKS files. |

JKS Keystores

JKS files may contain multiple aliases. One tlscheck.time_left metric is emitted per leaf certificate found:

  • TrustedCertificateEntry — the single certificate stored in the entry is used.
  • PrivateKeyEntry — the first certificate in the chain (the leaf) is used.

Certificate Verification

This component does not provide hostname, validity period, path, or CRL / OCSP verification on the certificate.

Certificate File Validation

If a certificate file specified in the configuration does not exist or cannot be opened, an error is logged on each scrape cycle and the otelcol_scraper_errored_metric_points metric is incremented. To monitor for the existence of specific certificate files on disk, consider using the File Stats receiver.

Metrics

Details about the metrics produced by this receiver can be found in metadata.yaml.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewFactory

func NewFactory() receiver.Factory

Types

type CertificateTarget added in v0.123.0

type CertificateTarget struct {
	confignet.TCPAddrConfig `mapstructure:",squash"`
	FilePath                string              `mapstructure:"file_path"`
	FileFormat              FileFormat          `mapstructure:"file_format"`
	Password                configopaque.String `mapstructure:"password"`
	// contains filtered or unexported fields
}

CertificateTarget represents a target for certificate checking, which can be either a network endpoint or a local file

type Config

type Config struct {
	scraperhelper.ControllerConfig `mapstructure:",squash"`
	metadata.MetricsBuilderConfig  `mapstructure:",squash"`
	Targets                        []*CertificateTarget `mapstructure:"targets"`
	// contains filtered or unexported fields
}

Config defines the configuration for the various elements of the receiver agent.

func (*Config) Validate

func (cfg *Config) Validate() error

type FileFormat added in v0.147.0

type FileFormat string

FileFormat represents the format of a local certificate file.

const (
	// FileFormatAuto infers the format from the file extension.
	FileFormatAuto FileFormat = "auto"
	// FileFormatPEM indicates a PEM-encoded certificate file.
	FileFormatPEM FileFormat = "pem"
	// FileFormatJKS indicates a Java KeyStore file.
	FileFormatJKS FileFormat = "jks"
	// FileFormatPKCS12 indicates a PKCS#12 / PFX keystore file.
	FileFormatPKCS12 FileFormat = "pkcs12"
)

Directories

Path Synopsis
internal
metadata
Package metadata contains the autogenerated telemetry and build information for the receiver/tls_check component.
