Add tls_cert_not_after to varz #7709

Merged
neilalexander merged 1 commit into main from varz-tls-cert-expiration
Jan 9, 2026
@sciascid
Contributor

@sciascid sciascid commented Jan 8, 2026

Expose the server's certificate expiration date in the varz monitor endpoint.

Fixes #7684

Signed-off-by: Daniele Sciascia <daniele@nats.io>

@sciascid sciascid requested a review from a team as a code owner January 8, 2026 15:26
Member

@neilalexander neilalexander left a comment

Approach looks fine, but WebSockets, leafnodes, routes, gateways can also have their own TLS configurations, can we extend to those too?

From opts.Cluster.TLSConfig, opts.Gateway.TLSConfig, opts.LeafNode.TLSConfig, opts.MQTT.TLSConfig, opts.WebSocket.TLSConfig off the top of my head. Each has their own section in varz I think.

@sciascid sciascid force-pushed the varz-tls-cert-expiration branch from 2163b96 to 119913b Compare January 9, 2026 07:58
@sciascid
Contributor Author

sciascid commented Jan 9, 2026

> Approach looks fine, but WebSockets, leafnodes, routes, gateways can also have their own TLS configurations, can we extend to those too?

Done. I had to change the approach slightly: storing time.Time values would no longer work with omitempty and structures within structure. So I switched to strings.
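
The omitempty point above, as an added Go example that is not code from this PR or from nats-server: encoding/json never treats a struct value such as time.Time as empty, so an unset expiry in a nested section is still serialized, while an empty string is dropped. The type and function names and the RFC 3339 string format are assumptions; only the tls_cert_not_after key comes from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical stand-ins for a nested monitoring section (not nats-server types).
type sectionTime struct {
	NotAfter time.Time `json:"tls_cert_not_after,omitempty"`
}
type sectionString struct {
	NotAfter string `json:"tls_cert_not_after,omitempty"`
}

// certNotAfter: first leaf's NotAfter as RFC 3339 (assumed format), "" if no cert is set.
func certNotAfter(c *tls.Config) string {
	if c == nil || len(c.Certificates) == 0 || len(c.Certificates[0].Certificate) == 0 {
		return ""
	}
	leaf, err := x509.ParseCertificate(c.Certificates[0].Certificate[0])
	if err != nil {
		return ""
	}
	return leaf.NotAfter.UTC().Format(time.RFC3339)
}

// selfSigned builds a constructed throwaway certificate (errors ignored for brevity).
func selfSigned(notAfter time.Time) *tls.Config {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
}

func encode(v interface{}) string { b, _ := json.Marshal(v); return string(b) }
func main() {
	cfg := selfSigned(time.Date(2030, 1, 2, 3, 4, 5, 0, time.UTC))
	fmt.Println(encode(sectionTime{}))                              // zero time is still emitted
	fmt.Println(encode(sectionString{}))                            // field omitted
	fmt.Println(encode(sectionString{NotAfter: certNotAfter(cfg)})) // expiry as a string
}
```

A monitoring check that reads the time.Time variant would see a year-0001 expiry for a listener with no TLS configured, which an alert rule would report as long expired.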

@sciascid sciascid force-pushed the varz-tls-cert-expiration branch from 119913b to aef59ae Compare January 9, 2026 13:44
@sciascid sciascid changed the title Add tls_cert_end_date to varz Add tls_cert_not_after to varz Jan 9, 2026
Expose the expiration dates of all TLS certificates in the varz
monitor endpoint.

Fixes #7684

Signed-off-by: Daniele Sciascia <daniele@nats.io>
@sciascid sciascid force-pushed the varz-tls-cert-expiration branch from aef59ae to fea2582 Compare January 9, 2026 14:40
Member

@neilalexander neilalexander left a comment

LGTM!

@neilalexander neilalexander merged commit 2283028 into main Jan 9, 2026
69 of 71 checks passed
@neilalexander neilalexander deleted the varz-tls-cert-expiration branch January 9, 2026 15:21
@derekcollison
Member

Yes I know it was merged. But not released yet. @neilalexander what are your thoughts here?

@neilalexander
Member

I don't have a strong opinion either way, but "Not before" and "Not after" match OpenSSL, Go's crypto/x509, Java's X509Certificate etc, so it seems OK to me.

@ripienaar
Contributor

Those terms are also in OpenSSL command line tools etc that’s why I suggested we use same

@derekcollison
Member

Thanks, did not realize there was a precedence already on naming this. I prefer simple as you know.

@ripienaar
Contributor

Though been thinking about this and I think as it stands someone has to make a bunch of HTTP requests to monitor the server - if it was all in varz in a struct a single call can be used to monitor all certs deployed, so maybe a map or array of entries all in one place would be better

@sciascid
Contributor Author

sciascid commented Jan 11, 2026 via email

@ripienaar
Contributor

You’re right sorry for the noise. PR review on the phone :(

neilalexander added a commit that referenced this pull request Jan 15, 2026
Includes the following:

- #7704
- #7708
- #7710
- #7709
- #7712
- #7716
- #7720
- #7721
- #7723
- #7728

Signed-off-by: Neil Twigg <neil@nats.io>
neilalexander added a commit that referenced this pull request Jan 15, 2026
Includes the following:

- #7704
- #7708
- #7710
- #7711
- #7709
- #7712
- #7716
- #7720
- #7721
- #7723
- #7728

Signed-off-by: Neil Twigg <neil@nats.io>