Skip to content

Comments

Add tls_cert_not_after to varz#7709

Merged
neilalexander merged 1 commit intomainfrom
varz-tls-cert-expiration
Jan 9, 2026
Merged

Add tls_cert_not_after to varz#7709
neilalexander merged 1 commit intomainfrom
varz-tls-cert-expiration

Conversation

@sciascid
Copy link
Contributor

@sciascid sciascid commented Jan 8, 2026

Expose the server's certificate expiration date in the varz monitor endpoint.

Fixes #7684

Signed-off-by: Daniele Sciascia daniele@nats.io

@sciascid sciascid requested a review from a team as a code owner January 8, 2026 15:26
neilalexander
neilalexander reviewed Jan 8, 2026
View reviewed changes
Copy link
Member

@neilalexander neilalexander left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approach looks fine, but WebSockets, leafnodes, routes, gateways can also have their own TLS configurations, can we extend to those too?

From opts.Cluster.TLSConfig, opts.Gateway.TLSConfig, opts.LeafNode.TLSConfig, opts.MQTT.TLSConfig, opts.WebSocket.TLSConfig off the top of my head. Each has their own section in varz I think.

wallyqs
wallyqs reviewed Jan 8, 2026
View reviewed changes
@sciascid sciascid force-pushed the varz-tls-cert-expiration branch from 2163b96 to 119913b Compare January 9, 2026 07:58
@sciascid
Copy link
Contributor Author

sciascid commented Jan 9, 2026

Approach looks fine, but WebSockets, leafnodes, routes, gateways can also have their own TLS configurations, can we extend to those too?

Done. I had to change the approach slightly: storing time.Time values would no longer work with omitempty and structures within structure. So I switched to strings.

ripienaar
ripienaar reviewed Jan 9, 2026
View reviewed changes
@sciascid sciascid force-pushed the varz-tls-cert-expiration branch from 119913b to aef59ae Compare January 9, 2026 13:44
@sciascid sciascid changed the title Add tls_cert_end_date to varz Add tls_cert_not_after to varz Jan 9, 2026
neilalexander
neilalexander reviewed Jan 9, 2026
View reviewed changes
@sciascid
Add tls_cert_not_after to varz
fea2582 
Expose the expiration dates of all TLS certificates in the varz
monitor endpoint.

Fixes #7684

Signed-off-by: Daniele Sciascia <daniele@nats.io>
@sciascid sciascid force-pushed the varz-tls-cert-expiration branch from aef59ae to fea2582 Compare January 9, 2026 14:40
neilalexander
neilalexander approved these changes Jan 9, 2026
View reviewed changes
Copy link
Member

@neilalexander neilalexander left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@neilalexander neilalexander merged commit 2283028 into main Jan 9, 2026
69 of 71 checks passed
@neilalexander neilalexander deleted the varz-tls-cert-expiration branch January 9, 2026 15:21
@derekcollison
Copy link
Member

derekcollison commented Jan 10, 2026

Yes I know it was merged. But not reeleased yet. @neilalexander what are your thoughts here?

@neilalexander
Copy link
Member

neilalexander commented Jan 10, 2026

I don't have a strong opinion either way, but "Not before" and "Not after" match OpenSSL, Go's crypto/x509, Java's X509Certificate etc, so it seems OK to me.

@ripienaar
Copy link
Contributor

ripienaar commented Jan 10, 2026

Those terms are also in OpenSSL command line tools etc that’s why I suggested we use same

@derekcollison
Copy link
Member

derekcollison commented Jan 10, 2026

Thanks, did not realize there was a precedence already on naming this. I prefer simple as you know.

@ripienaar
Copy link
Contributor

ripienaar commented Jan 10, 2026

Though been thinking about this and I think as it stands someone has to make a bunch of HTTP requests to monitor the server - if it was all in varz in a struct a single call can be used to monitor all certs deployed, so maybe a map or array of entries all in one place would be better

@sciascid
Copy link
Contributor Author

sciascid commented Jan 11, 2026 via email
edited
Loading

@ripienaar
Copy link
Contributor

ripienaar commented Jan 11, 2026

You’re right sorry for the noise. PR review on the phone :(

@ripienaar ripienaar mentioned this pull request Jan 12, 2026
Open
This was referenced Jan 15, 2026
Merged
Merged
neilalexander added a commit that referenced this pull request Jan 15, 2026
@neilalexander
Cherry-picks for v2.11.12-RC.3 (#7732)
edd409c 
Includes the following:

- #7704
- #7708
- #7710
- #7709
- #7712
- #7716
- #7720
- #7721
- #7723
- #7728

Signed-off-by: Neil Twigg <neil@nats.io>
neilalexander added a commit that referenced this pull request Jan 15, 2026
@neilalexander
Cherry-picks for v2.12.4-RC.2 (#7731)
9277357 
Includes the following:

- #7704
- #7708
- #7710
- #7711
- #7709
- #7712
- #7716
- #7720
- #7721
- #7723
- #7728

Signed-off-by: Neil Twigg <neil@nats.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wallyqs wallyqs wallyqs left review comments

@ripienaar ripienaar ripienaar left review comments

@derekcollison derekcollison derekcollison left review comments

@neilalexander neilalexander neilalexander approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sciascid @derekcollison @neilalexander @ripienaar @wallyqs