[receiver/tlscheck] Add File-Based Certificate Checks (#38924)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description
This PR adds certificate checks for certs stored locally on disk. It
only covers the case of PEM encoded certificate files.

<!-- Issue number (e.g. #1234) or full URL to issue, if applicable. -->
#### Link to tracking issue
[Fixes
38906](#38906)

<!--Describe what testing was performed and which tests were added.-->
#### Testing
Tests were added for file-based certs

<!--Describe the documentation added.-->
#### Documentation
Documentation has been added to the README

Author: michael-burt

.chloggen/tlscheckreceiver-add-certfile-checks.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: breaking
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: tlscheckreceiver
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add file-based TLS certificate checks
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [38906]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]

receiver/tlscheckreceiver/README.md

@@ -20,19 +20,22 @@ By default, the TLS Check Receiver will emit a single metric, `tlscheck.time_lef
 
 ## Example Configuration
 
-Targets are 
+Targets are configured as either remote enpoints accessed via TCP, or PEM-encoded certificate files stored locally on disk.
 
 ```yaml
 receivers:
   tlscheck:
     targets:
+      # Monitor a local PEM file
+      - file_path: /etc/istio/certs/cert-chain.pem
+      
+      # Monitor a remote endpoint
       - endpoint: example.com:443
+      
+      # Monitor a local service with a custom timeout
+      - endpoint: localhost:10901
         dialer: 
           timeout: 15s
-      - endpoint: foobar.com:8080
-        dialer: 
-          timeout: 15s
-      - endpoint: localhost:10901
 ```
 
 ## Certificate Verification

receiver/tlscheckreceiver/config.go

@@ -7,6 +7,8 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -20,11 +22,18 @@ import (
 // Predefined error responses for configuration validation failures
 var errInvalidEndpoint = errors.New(`"endpoint" must be in the form of <hostname>:<port>`)
 
+// CertificateTarget represents a target for certificate checking, which can be either
+// a network endpoint or a local file
+type CertificateTarget struct {
+	confignet.TCPAddrConfig `mapstructure:",squash"`
+	FilePath                string `mapstructure:"file_path"`
+}
+
 // Config defines the configuration for the various elements of the receiver agent.
 type Config struct {
 	scraperhelper.ControllerConfig `mapstructure:",squash"`
 	metadata.MetricsBuilderConfig  `mapstructure:",squash"`
-	Targets                        []*confignet.TCPAddrConfig `mapstructure:"targets"`
+	Targets                        []*CertificateTarget `mapstructure:"targets"`
 }
 
 func validatePort(port string) error {
@@ -38,28 +47,67 @@ func validatePort(port string) error {
 	return nil
 }
 
-func validateTarget(cfg *confignet.TCPAddrConfig) error {
-	var err error
-
-	if cfg.Endpoint == "" {
-		return errMissingTargets
+func validateTarget(ct *CertificateTarget) error {
+	// Check that exactly one of endpoint or file_path is specified
+	if ct.Endpoint != "" && ct.FilePath != "" {
+		return fmt.Errorf("cannot specify both endpoint and file_path")
 	}
-
-	if strings.Contains(cfg.Endpoint, "://") {
-		return fmt.Errorf("endpoint contains a scheme, which is not allowed: %s", cfg.Endpoint)
+	if ct.Endpoint == "" && ct.FilePath == "" {
+		return fmt.Errorf("must specify either endpoint or file_path")
 	}
 
-	_, port, parseErr := net.SplitHostPort(cfg.Endpoint)
-	if parseErr != nil {
-		return fmt.Errorf("%s: %w", errInvalidEndpoint.Error(), parseErr)
+	// Validate endpoint if specified
+	if ct.Endpoint != "" {
+		if strings.Contains(ct.Endpoint, "://") {
+			return fmt.Errorf("endpoint contains a scheme, which is not allowed: %s", ct.Endpoint)
+		}
+
+		_, port, err := net.SplitHostPort(ct.Endpoint)
+		if err != nil {
+			return fmt.Errorf("%s: %w", errInvalidEndpoint.Error(), err)
+		}
+
+		if err := validatePort(port); err != nil {
+			return fmt.Errorf("%s: %w", errInvalidEndpoint.Error(), err)
+		}
 	}
 
-	portParseErr := validatePort(port)
-	if portParseErr != nil {
-		return fmt.Errorf("%s: %w", errInvalidEndpoint.Error(), portParseErr)
+	// Validate file path if specified
+	if ct.FilePath != "" {
+		// Clean the path to handle different path separators
+		cleanPath := filepath.Clean(ct.FilePath)
+
+		// Check if the path is absolute
+		if !filepath.IsAbs(cleanPath) {
+			return fmt.Errorf("file path must be absolute: %s", ct.FilePath)
+		}
+
+		// Check if path exists and is a regular file
+		fileInfo, err := os.Stat(cleanPath)
+		if err != nil {
+			if os.IsNotExist(err) {
+				return fmt.Errorf("certificate file does not exist: %s", ct.FilePath)
+			}
+			return fmt.Errorf("error accessing certificate file %s: %w", ct.FilePath, err)
+		}
+
+		// check if it is a directory
+		if fileInfo.IsDir() {
+			return fmt.Errorf("path is a directory, not a file: %s", cleanPath)
+		}
+
+		// Check if it's a regular file (not a directory or special file)
+		if !fileInfo.Mode().IsRegular() {
+			return fmt.Errorf("certificate path is not a regular file: %s", ct.FilePath)
+		}
+
+		// Check if file is readable
+		if _, err := os.ReadFile(cleanPath); err != nil {
+			return fmt.Errorf("certificate file is not readable: %s", ct.FilePath)
+		}
 	}
 
-	return err
+	return nil
 }
 
 func (cfg *Config) Validate() error {

receiver/tlscheckreceiver/config_test.go

@@ -5,6 +5,8 @@ package tlscheckreceiver // import "github.com/open-telemetry/opentelemetry-coll
 
 import (
 	"fmt"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
@@ -14,6 +16,17 @@ import (
 )
 
 func TestValidate(t *testing.T) {
+	// Create a temporary certificate file for testing
+	tmpFile, err := os.CreateTemp(t.TempDir(), "test-cert-*.pem")
+	require.NoError(t, err)
+
+	// Create a temporary directory for testing
+	tmpDir := t.TempDir()
+	t.Cleanup(func() {
+		tmpFile.Close()
+		os.RemoveAll(tmpDir)
+	})
+
 	testCases := []struct {
 		desc        string
 		cfg         *Config
@@ -22,99 +35,163 @@ func TestValidate(t *testing.T) {
 		{
 			desc: "missing targets",
 			cfg: &Config{
-				Targets:          []*confignet.TCPAddrConfig{},
+				Targets:          []*CertificateTarget{},
 				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
 			},
 			expectedErr: errMissingTargets,
 		},
 		{
-			desc: "invalid endpoint",
+			desc: "valid endpoint config",
 			cfg: &Config{
-				Targets: []*confignet.TCPAddrConfig{
+				Targets: []*CertificateTarget{
 					{
-						Endpoint: "bad-endpoint:  12efg",
-						DialerConfig: confignet.DialerConfig{
-							Timeout: 12 * time.Second,
+						TCPAddrConfig: confignet.TCPAddrConfig{
+							Endpoint: "opentelemetry.io:443",
+							DialerConfig: confignet.DialerConfig{
+								Timeout: 3 * time.Second,
+							},
+						},
+					},
+					{
+						TCPAddrConfig: confignet.TCPAddrConfig{
+							Endpoint: "opentelemetry.io:8080",
 						},
 					},
 				},
 				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
 			},
-			expectedErr: fmt.Errorf("%w: %s", errInvalidEndpoint, "provided port is not a number:   12efg"),
+			expectedErr: nil,
 		},
 		{
-			desc: "invalid config with multiple targets",
+			desc: "valid file path config",
 			cfg: &Config{
-				Targets: []*confignet.TCPAddrConfig{
+				Targets: []*CertificateTarget{
 					{
-						Endpoint: "endpoint:  12efg",
+						FilePath: tmpFile.Name(),
 					},
+				},
+				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
+			},
+			expectedErr: nil,
+		},
+		{
+			desc: "mixed valid config",
+			cfg: &Config{
+				Targets: []*CertificateTarget{
 					{
-						Endpoint: "https://example.com:80",
+						TCPAddrConfig: confignet.TCPAddrConfig{
+							Endpoint: "opentelemetry.io:443",
+						},
+					},
+					{
+						FilePath: tmpFile.Name(),
 					},
 				},
 				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
 			},
-			expectedErr: fmt.Errorf("%w: %s", errInvalidEndpoint, `provided port is not a number:   12efg; endpoint contains a scheme, which is not allowed: https://example.com:80`),
+			expectedErr: nil,
 		},
 		{
-			desc: "port out of range",
+			desc: "invalid endpoint",
 			cfg: &Config{
-				Targets: []*confignet.TCPAddrConfig{
+				Targets: []*CertificateTarget{
 					{
-						Endpoint: "www.opentelemetry.io:67000",
+						TCPAddrConfig: confignet.TCPAddrConfig{
+							Endpoint: "bad-endpoint:12efg",
+						},
 					},
 				},
 				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
 			},
-			expectedErr: fmt.Errorf("%w: %s", errInvalidEndpoint, `provided port is out of valid range (1-65535): 67000`),
+			expectedErr: fmt.Errorf("%w: provided port is not a number: 12efg", errInvalidEndpoint),
 		},
 		{
-			desc: "missing port",
+			desc: "endpoint with scheme",
 			cfg: &Config{
-				Targets: []*confignet.TCPAddrConfig{
+				Targets: []*CertificateTarget{
 					{
-						Endpoint: "www.opentelemetry.io/docs",
+						TCPAddrConfig: confignet.TCPAddrConfig{
+							Endpoint: "https://example.com:443",
+						},
 					},
 				},
 				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
 			},
-			expectedErr: fmt.Errorf("%w: %s", errInvalidEndpoint, `address www.opentelemetry.io/docs: missing port in address`),
+			expectedErr: fmt.Errorf("endpoint contains a scheme, which is not allowed: https://example.com:443"),
 		},
 		{
-			desc: "valid config",
+			desc: "both endpoint and file path",
 			cfg: &Config{
-				Targets: []*confignet.TCPAddrConfig{
+				Targets: []*CertificateTarget{
 					{
-						Endpoint: "opentelemetry.io:443",
-						DialerConfig: confignet.DialerConfig{
-							Timeout: 3 * time.Second,
+						TCPAddrConfig: confignet.TCPAddrConfig{
+							Endpoint: "example.com:443",
 						},
+						FilePath: tmpFile.Name(),
 					},
+				},
+				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
+			},
+			expectedErr: fmt.Errorf("cannot specify both endpoint and file_path"),
+		},
+		{
+			desc: "relative file path",
+			cfg: &Config{
+				Targets: []*CertificateTarget{
 					{
-						Endpoint: "opentelemetry.io:8080",
-						DialerConfig: confignet.DialerConfig{
-							Timeout: 1 * time.Second,
-						},
+						FilePath: "cert.pem",
+					},
+				},
+				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
+			},
+			expectedErr: fmt.Errorf("file path must be absolute: cert.pem"),
+		},
+		{
+			desc: "nonexistent file",
+			cfg: &Config{
+				Targets: []*CertificateTarget{
+					{
+						FilePath: filepath.Join(tmpDir, "nonexistent.pem"),
+					},
+				},
+				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
+			},
+			expectedErr: fmt.Errorf("certificate file does not exist"),
+		},
+		{
+			desc: "directory instead of file",
+			cfg: &Config{
+				Targets: []*CertificateTarget{
+					{
+						FilePath: tmpDir,
 					},
+				},
+				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
+			},
+			expectedErr: fmt.Errorf("path is a directory, not a file: %s", tmpDir),
+		},
+		{
+			desc: "port out of range",
+			cfg: &Config{
+				Targets: []*CertificateTarget{
 					{
-						Endpoint: "111.222.33.44:10000",
-						DialerConfig: confignet.DialerConfig{
-							Timeout: 5 * time.Second,
+						TCPAddrConfig: confignet.TCPAddrConfig{
+							Endpoint: "example.com:67000",
 						},
 					},
 				},
 				ControllerConfig: scraperhelper.NewDefaultControllerConfig(),
 			},
-			expectedErr: nil,
+			expectedErr: fmt.Errorf("%w: provided port is out of valid range (1-65535): 67000", errInvalidEndpoint),
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {
 			actualErr := tc.cfg.Validate()
 			if tc.expectedErr != nil {
-				require.EqualError(t, actualErr, tc.expectedErr.Error())
+				require.Error(t, actualErr)
+				require.Contains(t, actualErr.Error(), tc.expectedErr.Error())
 			} else {
 				require.NoError(t, actualErr)
 			}

receiver/tlscheckreceiver/documentation.md

@@ -32,4 +32,4 @@ Time in seconds until certificate expiry, as specified by `NotAfter` field in th
 
 | Name | Description | Values | Enabled |
 | ---- | ----------- | ------ | ------- |
-| tlscheck.endpoint | Endpoint at which the certificate was accessed. | Any Str | true |
+| tlscheck.target | Endpoint or file path at which the certificate was accessed. | Any Str | true |