Merge pull request #7 from ripple/dmw/ins-789

INS-789: Add flags to support monitoring vault-pki
ripple · Feb 7, 2019 · a531280 · a531280
2 parents e0648ad + be84179
commit a531280
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 10 deletions.
diff --git a/cert/files/vault_pki.py b/cert/files/vault_pki.py
@@ -346,6 +346,19 @@ def create_new_version_dir(version_base_dirs, mode, owner_uid, group_gid):
     return new_version_str
 
 
+def get_cert_validity_period(cert_path):
+    """For a certificate returns the start and end of its validity period.
+
+    Returns a tuple of datetime.datetime (start, end) to indicate the
+    validity period of the certificate.
+    """
+    with open(cert_path, 'r') as certfile:
+        cert = x509.load_pem_x509_certificate(
+            six.b(certfile.read()),
+            default_backend())
+    return (cert.not_valid_before, cert.not_valid_after)
+
+
 def new_cert_needed(cert_path, refresh_at=0.5):
     """True if a cert is past the percentile through it's validity period.
 
@@ -358,11 +371,8 @@ def new_cert_needed(cert_path, refresh_at=0.5):
         get_new_cert = True
         logger.info('Cert status: missing.')
     else:
-        with open(cert_path, 'r') as certfile:
-            cert = x509.load_pem_x509_certificate(
-                six.b(certfile.read()),
-                default_backend())
-        validity_period = cert.not_valid_after - cert.not_valid_before
+        not_valid_before, not_valid_after = get_cert_validity_period(cert_path)
+        validity_period = not_valid_after - not_valid_before
         refresh_offset = datetime.timedelta(
             seconds=validity_period.total_seconds() * refresh_at
         )
@@ -692,13 +702,20 @@ def list_main(args):
     archive_dir = ARCHIVE_DIR.format(**format_settings)
     key_dir = KEY_DIR.format(**format_settings)
     live_dir = LIVE_DIR.format(**format_settings)
+    cert_path = os.path.join(live_dir, CERT_FILENAME)
 
     current_version = _get_current_version(live_dir)
-    for version in sorted(get_version_dirs([archive_dir, key_dir])):
-        if version == current_version:
-            print('{} *'.format(version))
-        else:
-            print(version)
+    if args.active:
+        print(current_version)
+    elif args.expiration:
+        _, not_valid_after = get_cert_validity_period(cert_path)
+        print(not_valid_after.strftime('%s'))
+    else:
+        for version in sorted(get_version_dirs([archive_dir, key_dir])):
+            if version == current_version:
+                print('{} *'.format(version))
+            else:
+                print(version)
 
 
 def setup_logger(logger, interactive=False, default_level=logging.INFO):
@@ -724,6 +741,10 @@ def main():
     parser_checkgen.set_defaults(main_func=checkgen_main)
 
     parser_list = sub_parsers.add_parser('list', help='list help')
+    parser_list.add_argument('--active', action='store_true',
+                             help='List only the active cert version.')
+    parser_list.add_argument('--expiration', action='store_true',
+                             help='Show expiration of the active cert.')
     parser_list.set_defaults(main_func=list_main)
 
     parser_activate = sub_parsers.add_parser('activate', help='activate help')

diff --git a/examples/monitoring.md b/examples/monitoring.md
@@ -0,0 +1,40 @@
+# Monitoring Vault-PKI
+
+## Dead simple Prometheus monitoring
+
+This is dependent on your hosts running the node_exporter and then using it
+to export metrics on behalf of Vault-PKI runs.
+
+For more info on how to configure the node_exporter to pick-up a directory
+full of text file metrics of your choice see:
+
+- [Node Exporter - Textfile Collector](https://github.com/prometheus/node_exporter#textfile-collector)
+- [Prometheus Exposition Formats](https://prometheus.io/docs/instrumenting/exposition_formats/)
+
+As part of your node_exporter formula create a directory, say
+`/etc/prometheus.d` and create a Vault-PKI post-activate script like so:
+
+```bash
+#!/bin/bash
+
+VERSION=$(vault_pki list --active)
+UPDATED=$(date +%s)
+EXPIRATION=$(vault_pki list --expiration)
+
+cat > /etc/prometheus.d/vault_pki.prom << EOF
+# Current vault_pki cert version
+# TYPE node_vault_pki_version gauge
+node_vault_pki_version ${VERSION}
+
+# Last time vault_pki activate was run
+# TYPE node_vault_pki_last_update gauge
+node_vault_pki_last_update ${UPDATED}
+
+# Time of expiration of currently active certificate
+# TYPE node_vault_pki_cert_expiration gauge
+node_vault_pki_cert_expiration ${EXPIRATION}
+EOF
+```
+
+Now everytime Vault-PKI gets a newly activated version metrics on
+your hosts will be updated.