Defined Type: profile::pki::multirootca::monitoring

Defined in:
modules/profile/manifests/pki/multirootca/monitoring.pp

Summary

Configure certificate-expiry and API-availability monitoring for one intermediate CA served by the multirootca profile

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ca_file (Stdlib::Unixpath)

    path to the signer (intermediate CA) certificate file whose expiry is monitored

  • ensure (Wmflib::Ensure) (defaults to: 'present')

    whether the NRPE check and the Prometheus textfile exporter are present or absent

  • intermediate (String) (defaults to: $title)

    CN of the intermediate CA; also sent as the cfssl signer label to the info endpoint by the blackbox check

  • vhost (String) (defaults to: $facts['networking']['fqdn'])

    server name (vhost) used for the blackbox HTTP check of the cfssl info endpoint



# File 'modules/profile/manifests/pki/multirootca/monitoring.pp', line 7

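# @summary Configure monitoring for one intermediate CA served by multirootca.
#
# Three pieces of monitoring are managed for the intermediate named by $title:
#   * an NRPE check that fails when the signer certificate in $ca_file
#     expires within the next month (openssl x509 -checkend),
#   * a daily Prometheus node textfile that exports the certificate expiry,
#   * a blackbox HTTP probe that POSTs the intermediate's label to the cfssl
#     info endpoint on $vhost and expects a "success":true response.
#
# @param ca_file      path to the signer (intermediate CA) certificate file
# @param ensure       present/absent for the NRPE check and the textfile exporter
# @param intermediate CN of the intermediate; also the cfssl label sent to
#                     /api/v1/cfssl/info by the blackbox check
# @param vhost        server name used for the blackbox HTTP check
define profile::pki::multirootca::monitoring (
    Stdlib::Unixpath $ca_file,
    Wmflib::Ensure   $ensure       = 'present',
    String           $intermediate = $title,
    String           $vhost        = $facts['networking']['fqdn'],
) {
    # Alert when the certificate expires within 31 days.  The previous value
    # multiplied by 42 hours per day (~54 days) while being named "one month";
    # 24 hours per day matches both the name and the check description.
    $one_month_secs = 60 * 60 * 24 * 31
    # Stdlib::Unixpath only rules out newlines and NUL, so the path is quoted
    # wherever it is interpolated into a command line.
    $nrpe_command = "/usr/bin/openssl x509 -checkend ${one_month_secs} -in '${ca_file}'"

    # Legacy per-check sudo rule for the NRPE user; removed now that the
    # check is run via sudo_user on nrpe::monitor_service instead.
    sudo::user { "nrpe_certificate_check_${intermediate}":
        ensure => absent,
    }
    nrpe::monitor_service { "check_certificate_expiry_${intermediate}":
        ensure       => $ensure,
        description  => "Check to ensure the signer certificate is valid CA: ${intermediate}",
        notes_url    => 'https://wikitech.wikimedia.org/wiki/PKI/CA_Operations',
        nrpe_command => $nrpe_command,
        # NOTE(review): a CA certificate is public data; root is only required
        # if $ca_file is not readable by the nrpe user -- confirm and drop
        # the privilege if it is not needed.
        sudo_user    => 'root',
    }

    # The exporter script needs python3-cryptography and
    # python3-prometheus-client.  Both packages are also declared by other
    # classes (e.g. cfssl::ocsp), so letting prometheus::node_textfile manage
    # them would, with ensure => absent (as in cloud), try to remove packages
    # other resources still require and produce duplicate-declaration
    # conflicts.  They are therefore always ensured present here and passed
    # to the define as an explicit dependency rather than via extra_packages.
    ensure_packages([
      'python3-cryptography',
      'python3-prometheus-client'])
    # NOTE: resource titles and the output file are derived from $title, not
    # $intermediate; the two only differ when intermediate is set explicitly.
    prometheus::node_textfile { "prometheus-check-${title}-certificate-expiry":
        ensure         =>  $ensure,
        filesource     => 'puppet:///modules/prometheus/check_certificate_expiry.py',
        interval       => 'daily',
        run_cmd        => "/usr/local/bin/prometheus-check-${title}-certificate-expiry --cert-path '${ca_file}' --outfile '/var/lib/prometheus/node.d/${title}_intermediate.prom'",
        extra_packages => [],
        require        => Package[
          'python3-cryptography',
          'python3-prometheus-client'
        ],
    }

    # Probe the multirootca API for this signer.  The request is made with
    # client-certificate authentication and is considered healthy only when
    # the JSON body reports "success":true.
    # NOTE(review): unlike the resources above this check does not take
    # $ensure, so it stays in place when the define is set to absent --
    # confirm whether prometheus::blackbox::check::http accepts ensure.
    prometheus::blackbox::check::http { "PKI_${title}":
        server_name        => $vhost,
        use_client_auth    => true,
        path               => '/api/v1/cfssl/info',
        method             => 'POST',
        body_raw           => { 'label' => $intermediate }.to_json,
        body_regex_matches => ['"success":true'],
    }
}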