From 807feef17681af7a8a90c9063c2afcf31a1fad30 Mon Sep 17 00:00:00 2001
From: Romain
Date: Thu, 23 Feb 2023 16:14:06 +0100
Subject: [PATCH] Include user-defined default cert for traefik_tls_certs_not_after metric
Co-authored-by: Mathieu Lonjaret
---
 cmd/traefik/traefik.go | 2 +-
 pkg/tls/tlsmanager.go | 41 ++++++++++++++++++++++++++++++-----------
 2 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/cmd/traefik/traefik.go b/cmd/traefik/traefik.go
index ca685d575..c0e78d6eb 100644
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -278,7 +278,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
 
 gauge := metricsRegistry.TLSCertsNotAfterTimestampGauge()
- for _, certificate := range tlsManager.GetCertificates() {
+ for _, certificate := range tlsManager.GetServerCertificates() {
 appendCertMetric(gauge, certificate)
 }
 })
diff --git a/pkg/tls/tlsmanager.go b/pkg/tls/tlsmanager.go
index 91fd6402f..fb2be8efe 100644
--- a/pkg/tls/tlsmanager.go
+++ b/pkg/tls/tlsmanager.go
@@ -223,24 +223,43 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
 return tlsConfig, err
 }
 
-// GetCertificates returns all stored certificates.
-func (m *Manager) GetCertificates() []*x509.Certificate {
+// GetServerCertificates returns all certificates from the default store,
+// as well as the user-defined default certificate (if it exists).
+func (m *Manager) GetServerCertificates() []*x509.Certificate {
 var certificates []*x509.Certificate
 
- // We iterate over all the certificates.
- for _, store := range m.stores {
- if store.DynamicCerts != nil && store.DynamicCerts.Get() != nil {
- for _, cert := range store.DynamicCerts.Get().(map[string]*tls.Certificate) {
- x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
- if err != nil {
- continue
- }
+ // The default store is the only relevant, because it is the only one configurable.
+ defaultStore, ok := m.stores[DefaultTLSStoreName]
+ if !ok || defaultStore == nil {
+ return certificates
+ }
 
- certificates = append(certificates, x509Cert)
+ // We iterate over all the certificates.
+ if defaultStore.DynamicCerts != nil && defaultStore.DynamicCerts.Get() != nil {
+ for _, cert := range defaultStore.DynamicCerts.Get().(map[string]*tls.Certificate) {
+ x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
+ if err != nil {
+ continue
 }
+
+ certificates = append(certificates, x509Cert)
 }
 }
 
+ if defaultStore.DefaultCertificate != nil {
+ x509Cert, err := x509.ParseCertificate(defaultStore.DefaultCertificate.Certificate[0])
+ if err != nil {
+ return certificates
+ }
+
+ // Excluding the generated Traefik default certificate.
+ if x509Cert.Subject.CommonName == generate.DefaultDomain {
+ return certificates
+ }
+
+ certificates = append(certificates, x509Cert)
+ }
+
 return certificates
 }
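Review bot: The new `DefaultCertificate` branch indexes `defaultStore.DefaultCertificate.Certificate[0]` after checking only that the pointer is non-nil, so a `tls.Certificate` whose chain is empty would panic inside the dynamic-configuration listener that calls this (see the traefik.go hunk); guarding with `if defaultStore.DefaultCertificate != nil && len(defaultStore.DefaultCertificate.Certificate) > 0 {` is cheap even if the usual loading path always fills the chain. A user-defined default certificate that fails `x509.ParseCertificate` is dropped silently, which means it also vanishes from `traefik_tls_certs_not_after` and any expiry alert built on that metric stays quiet; logging the parse error before `return certificates` would make the gap visible to operators. Excluding the generated certificate by `Subject.CommonName == generate.DefaultDomain` will presumably also hide a user-supplied certificate that happens to carry that CN, which may be acceptable but deserves a comment saying so. The comment `// The default store is the only relevant, because it is the only one configurable.` reads better as `// Only the default store matters here, because it is the only one that can be configured.`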