Defined Type: profile::pki::multirootca::monitoring

Defined in:
modules/profile/manifests/pki/multirootca/monitoring.pp

Overview

Parameters:

  • ca_file (Stdlib::Unixpath)

    path to the CA file

  • ensure (Wmflib::Ensure) (defaults to: 'present')

    ensurable parameter

  • intermediate (String) (defaults to: $title)

    CN of the intermediate CA

  • vhost (String) (defaults to: $facts['networking']['fqdn'])

    vhost to check



# File 'modules/profile/manifests/pki/multirootca/monitoring.pp', line 6

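define profile::pki::multirootca::monitoring(
    Stdlib::Unixpath $ca_file,
    Wmflib::Ensure   $ensure       = 'present',
    String           $intermediate = $title,
    String           $vhost        = $facts['networking']['fqdn'],
) {
    # Declares two checks for one CA: an NRPE check that the certificate in
    # $ca_file is not close to expiry, and an HTTPS check that POSTs a label
    # query for $intermediate to the cfssl info endpoint on $vhost.

    # `openssl x509 -checkend N` fails when the certificate expires within the
    # next N seconds, so this is the alerting lead time: 31 days in seconds.
    # The hours-per-day factor was previously written as 42, which gave roughly
    # 54 days and did not match the variable name.
    $one_month_secs = 60 * 60 * 24 * 31

    # NOTE(review): this command line is handed to NRPE with sudo_user => 'root'
    # below, so $ca_file ends up in a command that presumably runs as root.
    # Stdlib::Unixpath is the only constraint on it visible here; confirm that
    # callers only pass fixed, operator-controlled paths.
    $nrpe_command = "/usr/bin/openssl x509 -checkend ${one_month_secs} -in ${ca_file}"

    # Always absent, independent of $ensure.  Presumably removes a sudo rule
    # left behind by an earlier version of this check -- confirm before dropping.
    sudo::user { "nrpe_certificate_check_${intermediate}":
        ensure => absent,
    }
    nrpe::monitor_service { "check_certificate_expiry_${intermediate}":
        ensure       => $ensure,
        description  => "Check to ensure the signer certificate is valid CA: ${intermediate}",
        notes_url    => 'https://wikitech.wikimedia.org/wiki/PKI/CA_Operations',
        # Reuse the single definition above so the command cannot drift.
        nrpe_command => $nrpe_command,
        sudo_user    => 'root',
    }

    # NOTE(review): $intermediate is interpolated as-is into the JSON body and
    # into a '!'-joined argument list.  A value containing '!' or '"' would
    # corrupt the check command; consider validating it at the call site.
    $check_command = [
        'check_https_client_auth_puppet_post',
        $vhost,
        '/api/v1/cfssl/info',
        # Triple escape.  We have to first escape for puppet so the nagios command definition
        # escapes the double quote.  i.e. the command definitions should be
        # {\\"label\\":\\"$intermediate\\"}
        "{\\\\\"label\\\\\":\\\\\"${intermediate}\\\\\"}",
        # Expected substring of the response body, escaped the same way.
        '\\\\"success\\\\":true',
    ].join('!')
    monitoring::service {"https_pki_signer_${intermediate}":
        ensure        => $ensure,
        critical      => true,
        check_command => $check_command,
        description   => "Check to ensure the cfssl signer is working CA: ${intermediate}",
        notes_url     => 'https://wikitech.wikimedia.org/wiki/PKI/CA_Operations',
    }
}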