Defined Type: profile::pki::multirootca::monitoring

Defined in:
modules/profile/manifests/pki/multirootca/monitoring.pp

Overview

Parameters:

  • ca_file (Stdlib::Unixpath)

    path to the CA file

  • ensure (Wmflib::Ensure) (defaults to: 'present')

    ensurable parameter

  • intermediate (String) (defaults to: $title)

    CN of the intermediate

  • vhost (String) (defaults to: $facts['networking']['fqdn'])

    vhost to check



# File 'modules/profile/manifests/pki/multirootca/monitoring.pp', line 6

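define profile::pki::multirootca::monitoring(
    Stdlib::Unixpath $ca_file,
    Wmflib::Ensure   $ensure       = 'present',
    String           $intermediate = $title,
    String           $vhost        = $facts['networking']['fqdn'],
) {
    # Declares two checks for one intermediate CA: an NRPE check on the expiry
    # of the certificate in $ca_file, and an HTTPS check that the cfssl info
    # endpoint on $vhost answers for this intermediate's label.

    # Warning window handed to `openssl x509 -checkend`: 31 days in seconds.
    # The previous value, 60 * 60 * 42 * 31, is about 54 days; given the
    # variable name, the 42 reads as a transposed 24.
    $one_month_secs = 60 * 60 * 24 * 31
    $nrpe_command = "/usr/bin/openssl x509 -checkend ${one_month_secs} -in ${ca_file}"

    # The privilege names the full argument list rather than bare openssl, and
    # carries no Runas spec, so under sudoers defaults it runs as root.
    # $ca_file is interpolated unquoted: Stdlib::Unixpath does not exclude
    # spaces or sudoers wildcard characters, so callers should pass a plain
    # path to keep the rule limited to this one invocation.
    # NOTE(review): $ensure is not passed to sudo::user, so the NOPASSWD rule
    # appears to stay in place when this resource is declared with
    # ensure => 'absent' - confirm whether sudo::user accepts ensure and pass
    # it through.
    sudo::user { "nrpe_certificate_check_${intermediate}":
        user       => 'nagios',
        privileges => [ "ALL = NOPASSWD: ${nrpe_command}"],
    }
    # Must be the same command string as the sudo privilege above, otherwise
    # the check would not match the sudoers rule.
    nrpe::monitor_service { "check_certificate_expiry_${intermediate}":
        ensure       => $ensure,
        description  => "Check to ensure the signer certificate is valid CA: ${intermediate}",
        notes_url    => 'https://wikitech.wikimedia.org/wiki/PKI/CA_Operations',
        nrpe_command => "/usr/bin/sudo ${nrpe_command}",
    }

    # Check command name and its arguments, joined with '!': the vhost, the
    # cfssl info path, a URI-escaped JSON body {"label": <intermediate>}, and
    # the string expected in the response.
    $check_command = [
        'check_https_client_auth_puppet_post',
        $vhost,
        '/api/v1/cfssl/info',
        {'label' => $intermediate}.to_json.uriescape,
        '"success":true',
    ].join('!')
    monitoring::service {"https_pki_signer_${intermediate}":
        ensure        => $ensure,
        critical      => true,
        check_command => $check_command,
        description   => "Check to ensure the cfssl signer is working CA: ${intermediate}",
        notes_url     => 'https://wikitech.wikimedia.org/wiki/PKI/CA_Operations',
    }
}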