Package discovery v0.3.1
Published: Feb 20, 2026 License: MIT Imports: 40 Imported by: 0

Documentation

Overview

Package discovery provides pluggable discoverers that find TLS trust surfaces in a Kubernetes cluster.

Index

Constants

const FindingChallengeFailed = "CHALLENGE_FAILED"

FindingChallengeFailed indicates an ACME Challenge in an errored or invalid state.

const FindingManagedExpiry = "MANAGED_EXPIRY"

FindingManagedExpiry indicates a cert expiring but managed by cert-manager with healthy renewal.

const FindingRenewalStalled = "RENEWAL_STALLED"

FindingRenewalStalled indicates a CertificateRequest pending beyond the stale threshold.

const FindingRequestPending = "REQUEST_PENDING"

FindingRequestPending indicates a Certificate whose Ready condition is False.

Variables

This section is empty.

Functions

func FilterAccessible added in v0.1.3

func FilterAccessible(ctx context.Context, client kubernetes.Interface, namespaces []string, group, resource string) []string

FilterAccessible returns the subset of namespaces in which the current identity can list the given resource type. It uses SelfSubjectAccessReview. If the access check itself fails (e.g. RBAC for SSAR is missing), the namespace is included rather than silently dropped, so a broken check errs toward visibility.

func RegisterCloudDiscoverer added in v0.2.0

func RegisterCloudDiscoverer(f cloudDiscovererFactory)

RegisterCloudDiscoverer registers a factory for a cloud provider discoverer. Called from init() in build-tagged files.

func ResolveNamespaces added in v0.1.3

func ResolveNamespaces(ctx context.Context, client kubernetes.Interface, explicit []string) ([]string, error)

ResolveNamespaces returns the explicit list if non-empty, otherwise lists all namespaces in the cluster.

func WithAPIServiceProbeFn added in v0.1.1

func WithAPIServiceProbeFn(fn func(string) probe.Result) func(*APIServiceDiscoverer)

WithAPIServiceProbeFn sets a custom probe function for APIService discovery.

func WithAnnotationNamespaces added in v0.1.3

func WithAnnotationNamespaces(ns []string) func(*AnnotationDiscoverer)

WithAnnotationNamespaces restricts discovery to the given namespaces.

func WithAnnotationProbeFn added in v0.1.1

func WithAnnotationProbeFn(fn func(string) probe.Result) func(*AnnotationDiscoverer)

WithAnnotationProbeFn sets a custom probe function for annotation discovery.

func WithCertManagerNamespaces added in v0.1.4

func WithCertManagerNamespaces(ns []string) func(*CertManagerDiscoverer)

WithCertManagerNamespaces restricts discovery to the given namespaces.

func WithExternalProbeFn added in v0.1.1

func WithExternalProbeFn(fn func(string) probe.Result) func(*ExternalDiscoverer)

WithExternalProbeFn sets a custom probe function for external target discovery.

func WithGatewayNamespaces added in v0.1.3

func WithGatewayNamespaces(ns []string) func(*GatewayDiscoverer)

WithGatewayNamespaces restricts discovery to the given namespaces.

func WithIngressNamespaces added in v0.1.3

func WithIngressNamespaces(ns []string) func(*IngressDiscoverer)

WithIngressNamespaces restricts discovery to the given namespaces.

func WithProbeFn added in v0.1.1

func WithProbeFn(fn func(string) probe.Result) func(*APIServerDiscoverer)

WithProbeFn sets a custom probe function (e.g. REST-transport-aware).

func WithRenewalNamespaces added in v0.2.0

func WithRenewalNamespaces(ns []string) func(*CertManagerRenewalDiscoverer)

WithRenewalNamespaces restricts discovery to the given namespaces.

func WithSecretNamespaces added in v0.1.3

func WithSecretNamespaces(ns []string) func(*SecretDiscoverer)

WithSecretNamespaces restricts discovery to the given namespaces.

func WithStaleDuration added in v0.2.0

func WithStaleDuration(dur time.Duration) func(*CertManagerRenewalDiscoverer)

WithStaleDuration overrides the default stale threshold for pending CertificateRequests.

func WithWebhookProbeFn added in v0.1.1

func WithWebhookProbeFn(fn func(string) probe.Result) func(*WebhookDiscoverer)

WithWebhookProbeFn sets a custom probe function for webhook discovery.

Types

type APIServerDiscoverer

type APIServerDiscoverer struct {
	// contains filtered or unexported fields
}

APIServerDiscoverer probes the Kubernetes API server TLS endpoint.

func NewAPIServerDiscoverer

func NewAPIServerDiscoverer(target string, opts ...func(*APIServerDiscoverer)) *APIServerDiscoverer

NewAPIServerDiscoverer creates a discoverer for the Kubernetes API server. If target is empty, it defaults to kubernetes.default.svc:443.

func (*APIServerDiscoverer) Discover

func (d *APIServerDiscoverer) Discover() ([]store.CertFinding, error)

Discover probes the API server and returns a single finding.

func (*APIServerDiscoverer) Name

func (d *APIServerDiscoverer) Name() string

Name returns the discoverer label.

type APIServiceDiscoverer

type APIServiceDiscoverer struct {
	// contains filtered or unexported fields
}

APIServiceDiscoverer finds TLS certificates on Kubernetes API aggregation layer endpoints.

func NewAPIServiceDiscoverer

func NewAPIServiceDiscoverer(client aggregatorclient.Interface, opts ...func(*APIServiceDiscoverer)) *APIServiceDiscoverer

NewAPIServiceDiscoverer creates a discoverer that checks APIService objects for expiring TLS certificates on their backing services.

func (*APIServiceDiscoverer) Discover

func (d *APIServiceDiscoverer) Discover() ([]store.CertFinding, error)

Discover lists all APIService objects and probes those backed by an external service.

func (*APIServiceDiscoverer) Name

func (d *APIServiceDiscoverer) Name() string

Name returns the discoverer label.

type AnnotationDiscoverer

type AnnotationDiscoverer struct {
	// contains filtered or unexported fields
}

AnnotationDiscoverer finds TLS targets from trustwatch.dev/* annotations on Services and Deployments.

func NewAnnotationDiscoverer

func NewAnnotationDiscoverer(client kubernetes.Interface, opts ...func(*AnnotationDiscoverer)) *AnnotationDiscoverer

NewAnnotationDiscoverer creates a discoverer that scans annotations for TLS targets.

func (*AnnotationDiscoverer) Discover

func (d *AnnotationDiscoverer) Discover() ([]store.CertFinding, error)

Discover scans Services and Deployments for trustwatch.dev annotations.

func (*AnnotationDiscoverer) Name

func (d *AnnotationDiscoverer) Name() string

Name returns the discoverer label.

type CertManagerDiscoverer added in v0.1.4

type CertManagerDiscoverer struct {
	// contains filtered or unexported fields
}

CertManagerDiscoverer finds certificate expiry from cert-manager Certificate CRs. Uses the dynamic client to avoid importing the cert-manager module.

func NewCertManagerDiscoverer added in v0.1.4

func NewCertManagerDiscoverer(dynClient dynamic.Interface, coreClient kubernetes.Interface, opts ...func(*CertManagerDiscoverer)) *CertManagerDiscoverer

NewCertManagerDiscoverer creates a discoverer for cert-manager Certificate resources.

func (*CertManagerDiscoverer) Discover added in v0.1.4

func (d *CertManagerDiscoverer) Discover() ([]store.CertFinding, error)

Discover lists cert-manager Certificate CRs and extracts expiry information. Returns nil, nil if cert-manager CRDs are not installed.

func (*CertManagerDiscoverer) Name added in v0.1.4

func (d *CertManagerDiscoverer) Name() string

Name returns the discoverer label.

type CertManagerRenewalDiscoverer added in v0.2.0

type CertManagerRenewalDiscoverer struct {
	// contains filtered or unexported fields
}

CertManagerRenewalDiscoverer detects stuck cert-manager renewals.

func NewCertManagerRenewalDiscoverer added in v0.2.0

func NewCertManagerRenewalDiscoverer(dyn dynamic.Interface, core kubernetes.Interface, opts ...func(*CertManagerRenewalDiscoverer)) *CertManagerRenewalDiscoverer

NewCertManagerRenewalDiscoverer creates a discoverer for cert-manager renewal health.

func (*CertManagerRenewalDiscoverer) Discover added in v0.2.0

Discover checks for stuck renewals, failed challenges, and non-ready certificates. Returns nil, nil if cert-manager CRDs are not installed.

func (*CertManagerRenewalDiscoverer) Name added in v0.2.0

Name returns the discoverer label.

type Discoverer

type Discoverer interface {
	// Name returns a human-readable label for this discoverer.
	Name() string

	// Discover returns findings from this source.
	// Errors are reported as findings with ProbeOK=false rather than
	// aborting the entire discovery run.
	Discover() ([]store.CertFinding, error)
}

Discoverer finds TLS targets from a specific source.

func CloudDiscoverers added in v0.2.0

func CloudDiscoverers() []Discoverer

CloudDiscoverers returns all registered cloud provider discoverers.

type ExternalDiscoverer

type ExternalDiscoverer struct {
	// contains filtered or unexported fields
}

ExternalDiscoverer probes explicit external TLS endpoints from config.

func NewExternalDiscoverer

func NewExternalDiscoverer(targets []config.ExternalTarget, opts ...func(*ExternalDiscoverer)) *ExternalDiscoverer

NewExternalDiscoverer creates a discoverer for external TLS targets.

func (*ExternalDiscoverer) Discover

func (d *ExternalDiscoverer) Discover() ([]store.CertFinding, error)

Discover probes each configured external target.

func (*ExternalDiscoverer) Name

func (d *ExternalDiscoverer) Name() string

Name returns the discoverer label.

type GatewayDiscoverer added in v0.1.3

type GatewayDiscoverer struct {
	// contains filtered or unexported fields
}

GatewayDiscoverer finds TLS certificates referenced by Gateway API Gateway objects.

func NewGatewayDiscoverer added in v0.1.3

func NewGatewayDiscoverer(gwClient gatewayclient.Interface, coreClient kubernetes.Interface, opts ...func(*GatewayDiscoverer)) *GatewayDiscoverer

NewGatewayDiscoverer creates a discoverer that extracts TLS secrets from Gateway listener specs.

func (*GatewayDiscoverer) Discover added in v0.1.3

func (d *GatewayDiscoverer) Discover() ([]store.CertFinding, error)

Discover lists all Gateways, extracts TLS certificate references from listeners, and parses the certificates found in the referenced Secrets. Returns nil, nil if the Gateway API CRDs are not installed.

func (*GatewayDiscoverer) Name added in v0.1.3

func (d *GatewayDiscoverer) Name() string

Name returns the discoverer label.

type IngressDiscoverer

type IngressDiscoverer struct {
	// contains filtered or unexported fields
}

IngressDiscoverer finds TLS certificates referenced by Ingress objects.

func NewIngressDiscoverer

func NewIngressDiscoverer(client kubernetes.Interface, opts ...func(*IngressDiscoverer)) *IngressDiscoverer

NewIngressDiscoverer creates a discoverer that extracts TLS secrets from Ingress specs.

func (*IngressDiscoverer) Discover

func (d *IngressDiscoverer) Discover() ([]store.CertFinding, error)

Discover lists Ingresses, dereferences their TLS secret references, and parses the certificates found in those secrets.

func (*IngressDiscoverer) Name

func (d *IngressDiscoverer) Name() string

Name returns the discoverer label.

type IstioDiscoverer

type IstioDiscoverer struct {
	// contains filtered or unexported fields
}

IstioDiscoverer finds Istio CA and root certificates.

func NewIstioDiscoverer

func NewIstioDiscoverer(client kubernetes.Interface) *IstioDiscoverer

NewIstioDiscoverer creates a discoverer for Istio mesh CA material.

func (*IstioDiscoverer) Discover

func (d *IstioDiscoverer) Discover() ([]store.CertFinding, error)

Discover checks for Istio presence and reads CA material from known locations. Returns nil findings (not an error) if Istio is not installed.

func (*IstioDiscoverer) Name

func (d *IstioDiscoverer) Name() string

Name returns the discoverer label.

type LinkerdDiscoverer

type LinkerdDiscoverer struct {
	// contains filtered or unexported fields
}

LinkerdDiscoverer finds Linkerd identity trust anchors and issuer certificates.

func NewLinkerdDiscoverer

func NewLinkerdDiscoverer(client kubernetes.Interface) *LinkerdDiscoverer

NewLinkerdDiscoverer creates a discoverer for Linkerd mesh identity material.

func (*LinkerdDiscoverer) Discover

func (d *LinkerdDiscoverer) Discover() ([]store.CertFinding, error)

Discover checks for Linkerd presence and reads the trust anchors and issuer certificate. Returns nil findings (not an error) if Linkerd is not installed.

func (*LinkerdDiscoverer) Name

func (d *LinkerdDiscoverer) Name() string

Name returns the discoverer label.

type Orchestrator

type Orchestrator struct {
	// contains filtered or unexported fields
}

Orchestrator runs all discoverers concurrently and classifies findings.

func NewOrchestrator

func NewOrchestrator(discoverers []Discoverer, warnBefore, critBefore time.Duration, opts ...OrchestratorOption) *Orchestrator

NewOrchestrator creates an orchestrator with the given thresholds.

func (*Orchestrator) Run

Run executes all discoverers concurrently and returns a classified snapshot. Individual discoverer failures are logged but do not abort the run. If ctx is canceled, in-flight discoverers that haven't returned are recorded as errors.
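The Discoverer contract above (errors become findings with ProbeOK=false) and Run's behaviour on context cancellation, as an added, standard-library-only example that is not code from the trustwatch package. CertFinding is a hypothetical, trimmed stand-in for store.CertFinding, and the name Run and its signature are assumptions of this example, not the package's API.

```go
package main

import "context"

// CertFinding is a hypothetical, trimmed stand-in for store.CertFinding;
// a failed probe carries ProbeOK=false and the error text.
type CertFinding struct {
	Source, Target, Error string
	ProbeOK               bool
}

// Discoverer mirrors the page's interface.
type Discoverer interface {
	Name() string
	Discover() ([]CertFinding, error)
}
type result struct {
	idx      int
	findings []CertFinding
	err      error
}

// Run fans each discoverer out into its own goroutine and collects results until
// all have reported or ctx is done. A returned error becomes a finding with ProbeOK=false
// instead of aborting the run; a discoverer still in flight at cancellation is recorded
// the same way, so one hung probe cannot stall the snapshot.
func Run(ctx context.Context, ds []Discoverer) []CertFinding {
	results := make(chan result, len(ds)) // buffered: late goroutines never block
	for i, d := range ds {
		go func(i int, d Discoverer) { f, err := d.Discover(); results <- result{i, f, err} }(i, d)
	}
	done := make([]bool, len(ds))
	var out []CertFinding
	for n := 0; n < len(ds); n++ {
		select {
		case r := <-results:
			done[r.idx] = true
			if r.err != nil {
				r.findings = []CertFinding{{Source: ds[r.idx].Name(), Error: r.err.Error()}}
			}
			out = append(out, r.findings...)
		case <-ctx.Done():
			for i, d := range ds {
				if !done[i] {
					out = append(out, CertFinding{Source: d.Name(), Error: "still running: " + ctx.Err().Error()})
				}
			}
			return out
		}
	}
	return out
}
```

A caller that cares about completeness can count findings whose Error is non-empty against len(ds) to tell a clean snapshot from one that timed out.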

type OrchestratorOption added in v0.2.0

type OrchestratorOption func(*Orchestrator)

OrchestratorOption configures an Orchestrator.

func WithCTCheck added in v0.3.0

func WithCTCheck(domains, allowedIssuers []string, client *ct.Client) OrchestratorOption

WithCTCheck enables Certificate Transparency log monitoring for the given domains.

func WithCheckRevocation added in v0.3.0

func WithCheckRevocation(cache *revocation.CRLCache) OrchestratorOption

WithCheckRevocation enables OCSP/CRL revocation checking using the given cache.

func WithDiscoverTimer added in v0.3.0

func WithDiscoverTimer(fn func(string, time.Duration)) OrchestratorOption

WithDiscoverTimer sets a callback invoked after each discoverer completes with its name and duration.

func WithDriftDetection added in v0.3.0

func WithDriftDetection(prev *store.Snapshot) OrchestratorOption

WithDriftDetection enables certificate drift detection by comparing against a previous snapshot.

func WithPolicies added in v0.2.0

func WithPolicies(policies []policy.TrustPolicy) OrchestratorOption

WithPolicies adds TrustPolicy CRs for policy engine evaluation.

func WithTracer added in v0.2.0

func WithTracer(t trace.Tracer) OrchestratorOption

WithTracer sets the OpenTelemetry tracer for discovery spans.

type SPIFFEDiscoverer added in v0.2.0

type SPIFFEDiscoverer struct {
	// contains filtered or unexported fields
}

SPIFFEDiscoverer probes SPIRE trust bundles for expiring root CAs.

func NewSPIFFEDiscoverer added in v0.2.0

func NewSPIFFEDiscoverer(socketPath string, opts ...func(*SPIFFEDiscoverer)) *SPIFFEDiscoverer

NewSPIFFEDiscoverer creates a discoverer that connects to the SPIFFE workload API via the given Unix socket path.

func (*SPIFFEDiscoverer) Discover added in v0.2.0

func (d *SPIFFEDiscoverer) Discover() ([]store.CertFinding, error)

Discover connects to the SPIFFE workload API and returns findings for each root CA.

func (*SPIFFEDiscoverer) Name added in v0.2.0

func (d *SPIFFEDiscoverer) Name() string

Name returns the discoverer label.

type SecretDiscoverer

type SecretDiscoverer struct {
	// contains filtered or unexported fields
}

SecretDiscoverer inventories TLS certificates stored in kubernetes.io/tls Secrets.

func NewSecretDiscoverer

func NewSecretDiscoverer(client kubernetes.Interface, opts ...func(*SecretDiscoverer)) *SecretDiscoverer

NewSecretDiscoverer creates a discoverer that parses TLS Secrets for certificate metadata.

func (*SecretDiscoverer) Discover

func (d *SecretDiscoverer) Discover() ([]store.CertFinding, error)

Discover lists TLS Secrets and parses their leaf certificates.

func (*SecretDiscoverer) Name

func (d *SecretDiscoverer) Name() string

Name returns the discoverer label.

type WebhookDiscoverer

type WebhookDiscoverer struct {
	// contains filtered or unexported fields
}

WebhookDiscoverer finds TLS certificates on admission webhook endpoints.

func NewWebhookDiscoverer

func NewWebhookDiscoverer(client kubernetes.Interface, opts ...func(*WebhookDiscoverer)) *WebhookDiscoverer

NewWebhookDiscoverer creates a discoverer that checks ValidatingWebhookConfigurations and MutatingWebhookConfigurations for expiring TLS certificates.

func (*WebhookDiscoverer) Discover

func (d *WebhookDiscoverer) Discover() ([]store.CertFinding, error)

Discover lists all admission webhooks and probes their service endpoints.

func (*WebhookDiscoverer) Name

func (d *WebhookDiscoverer) Name() string

Name returns the discoverer label.
