Defined Type: profile::pki::multirootca::monitoring
- Defined in:
- modules/profile/manifests/pki/multirootca/monitoring.pp
Summary
Configure monitoring for the multirootca profile.
Overview
SPDX-License-Identifier: Apache-2.0
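# @summary configure monitoring for the multirootca profile
#
# Wires up three checks for one intermediate CA served by multirootca:
#   * an NRPE check that the signer certificate is not about to expire,
#   * a Prometheus node textfile exporter for the same expiry date,
#   * a blackbox HTTP probe of the cfssl info endpoint for the intermediate.
#
# @param ca_file       path to the intermediate CA certificate (PEM) to watch
# @param ensure        ensure state for the NRPE and textfile resources
# @param intermediate  label of the intermediate as known to cfssl; defaults
#                      to the resource title
# @param vhost         server name presented to the blackbox HTTP probe;
#                      defaults to this host's FQDN
define profile::pki::multirootca::monitoring (
    Stdlib::Unixpath $ca_file,
    Wmflib::Ensure   $ensure       = 'present',
    String           $intermediate = $title,
    String           $vhost        = $facts['networking']['fqdn'],
) {
    # Expiry warning threshold for the NRPE check, in seconds.  The previous
    # expression used 42 hours per day (60 * 60 * 42 * 31, roughly 54 days),
    # which contradicted the variable name; this is the intended 31 days.
    $one_month_secs = 60 * 60 * 24 * 31
    # `openssl x509 -checkend N` exits non-zero when the certificate expires
    # within N seconds.  Built once and reused below so the command cannot
    # drift from the threshold above.
    $nrpe_command   = "/usr/bin/openssl x509 -checkend ${one_month_secs} -in ${ca_file}"

    # Legacy sudo rule for the NRPE check; kept as absent so it is removed
    # from hosts that still carry it.
    sudo::user { "nrpe_certificate_check_${intermediate}":
        ensure => absent,
    }

    nrpe::monitor_service { "check_certificate_expiry_${intermediate}":
        ensure       => $ensure,
        description  => "Check to ensure the signer certificate is valid CA: ${intermediate}",
        notes_url    => 'https://wikitech.wikimedia.org/wiki/PKI/CA_Operations',
        nrpe_command => $nrpe_command,
        # NOTE(review): the check only needs read access to the CA file.  If
        # that file is readable by the NRPE user, sudo_user could be dropped so
        # openssl no longer runs as root -- confirm the file mode first.
        sudo_user    => 'root',
    }

    # Note: this script requires python3-cryptography
    # and prometheus-client but the packages
    # are already defined and required by other classes, like cfssl::ocsp.
    # If this define's ensure is set to absent (like in cloud), then puppet
    # will try to remove the packages ending up in conflicts with other
    # requests for the packages.
    # To workaround this problem, simply ensure that the packages are deployed
    # rather than delegate prometheus::node_textfile to manage their state.
    ensure_packages([
        'python3-cryptography',
        'python3-prometheus-client',
    ])

    # NOTE(review): this resource and its output file are keyed on $title,
    # while the NRPE resources above are keyed on $intermediate.  They only
    # agree when the caller leaves $intermediate at its default.
    prometheus::node_textfile { "prometheus-check-${title}-certificate-expiry":
        ensure         => $ensure,
        filesource     => 'puppet:///modules/prometheus/check_certificate_expiry.py',
        interval       => 'daily',
        run_cmd        => "/usr/local/bin/prometheus-check-${title}-certificate-expiry --cert-path ${ca_file} --outfile /var/lib/prometheus/node.d/${title}_intermediate.prom",
        extra_packages => [],
        require        => Package[
            'python3-cryptography',
            'python3-prometheus-client'
        ],
    }

    # Probe the cfssl info endpoint for this intermediate with client auth and
    # require a successful JSON response.
    # NOTE(review): unlike the resources above, this probe is not tied to
    # $ensure, so setting ensure => absent leaves the blackbox check in place
    # -- confirm whether that is intended.
    prometheus::blackbox::check::http { "PKI_${title}":
        server_name        => $vhost,
        use_client_auth    => true,
        path               => '/api/v1/cfssl/info',
        method             => 'POST',
        body_raw           => { 'label' => $intermediate }.to_json,
        body_regex_matches => ['"success":true'],
    }
}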