From: Tom Hughes Date: Tue, 9 Feb 2021 19:39:00 +0000 (+0000) Subject: Enable ssl_exporter to monitor SSL certificates X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/dab49e324ed9791aa28e09d97b4023a8a398cb06?ds=sidebyside Enable ssl_exporter to monitor SSL certificates
---
diff --git a/cookbooks/prometheus/recipes/server.rb b/cookbooks/prometheus/recipes/server.rb
index 41d508a72..d21227ee8 100644
--- a/cookbooks/prometheus/recipes/server.rb
+++ b/cookbooks/prometheus/recipes/server.rb
@@ -148,8 +148,6 @@ service "promscale-maintenance.timer" do
   action [:enable, :start]
 end
 
-jobs = {}
-
 search(:node, "roles:gateway") do |gateway|
   allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
     "#{interface[:network]}/#{interface[:prefix]}"
@@ -162,6 +160,8 @@ search(:node, "roles:gateway") do |gateway|
   }
 end
 
+jobs = {}
+
 search(:node, "recipes:prometheus\\:\\:default").sort_by(&:name).each do |client|
   if client[:prometheus][:mode] == "wireguard"
     node.default[:networking][:wireguard][:peers] << {
@@ -191,6 +191,32 @@ search(:node, "recipes:prometheus\\:\\:default").sort_by(&:name).each do |client
   end
 end
 
+certificates = search(:node, "letsencrypt:certificates").each_with_object({}) do |n, c|
+  n[:letsencrypt][:certificates].each do |name, details|
+    c[name] ||= details.merge(:nodes => [])
+
+    c[name][:nodes] << {
+      :name => n[:fqdn],
+      :address => n.external_ipaddress || n.internal_ipaddress
+    }
+  end
+end
+
+template "/etc/prometheus/ssl.yml" do
+  source "ssl.yml.erb"
+  owner "root"
+  group "root"
+  mode "644"
+  variables :certificates => certificates
+end
+
+prometheus_exporter "ssl" do
+  address "127.0.0.1"
+  port 9219
+  options "--config.file=/etc/prometheus/ssl.yml"
+  register_target false
+end
+
 template "/etc/default/prometheus" do
   source "default.prometheus.erb"
   owner "root"
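Review bot: In the `certificates` accumulator of the `@@ -191,6 +191,32 @@` hunk, `c[name] ||= details.merge(:nodes => [])` keeps the first node's `details` for a given certificate name, so a later node that lists the same name with a different `domains` array is appended to `:nodes` but is probed with the first node's `domains.first` as the SNI value, and the divergence is never surfaced. The `:address` collected per node (`n.external_ipaddress || n.internal_ipaddress`) is not read by either template in this commit, which only use `host[:name]`, so it is either dead data or meant to become the probe target. I would add a comment above the block, `# first node seen wins for the certificate details; later nodes only contribute to :nodes`, and either drop `:address` or say what it is kept for. The block parameter `n` reads too much like `node`; `cert_node` would be clearer.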
@@ -203,7 +229,7 @@ template "/etc/prometheus/prometheus.yml" do
   owner "root"
   group "root"
   mode "644"
-  variables :jobs => jobs
+  variables :jobs => jobs, :certificates => certificates
 end
 
 template "/etc/prometheus/alert_rules.yml" do
diff --git a/cookbooks/prometheus/resources/exporter.rb b/cookbooks/prometheus/resources/exporter.rb
index b56cbf789..5eca43f5c 100644
--- a/cookbooks/prometheus/resources/exporter.rb
+++ b/cookbooks/prometheus/resources/exporter.rb
@@ -20,6 +20,7 @@
 default_action :create
 
 property :exporter, :kind_of => String, :name_property => true
+property :address, :kind_of => String
 property :port, :kind_of => Integer, :required => [:create]
 property :listen_switch, :kind_of => String, :default => "web.listen-address"
 property :listen_type, :kind_of => String, :default => "address"
@@ -29,6 +30,7 @@ property :options, :kind_of => [String, Array]
 property :environment, :kind_of => Hash, :default => {}
 property :service, :kind_of => String
 property :metric_relabel, :kind_of => Array
+property :register_target, :kind_of => [TrueClass, FalseClass], :default => true
 
 action :create do
   systemd_service service_name do
@@ -57,11 +59,13 @@ action :create do
     only_if { node[:prometheus][:mode] == "external" }
   end
 
-  node.default[:prometheus][:exporters][new_resource.port] = {
-    :name => new_resource.exporter,
-    :address => listen_address,
-    :metric_relabel => new_resource.metric_relabel
-  }
+  if new_resource.register_target
+    node.default[:prometheus][:exporters][new_resource.port] = {
+      :name => new_resource.exporter,
+      :address => listen_address,
+      :metric_relabel => new_resource.metric_relabel
+    }
+  end
 end
 
 action :delete do
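Review bot: The new `address` property in the `@@ -20,6 +20,7 @@` hunk of exporter.rb is undocumented and nothing ties it to `register_target`, so an exporter given a loopback `address` with the default `register_target true` is still written into `node.default[:prometheus][:exporters]` with a listen address the Prometheus server cannot reach (the `@@ -57,11 +59,13 @@` hunk guards only on `register_target`). The `ssl` caller in server.rb sets both, but the resource itself neither enforces nor explains the pairing. I would add a comment above the property, `# Explicit bind address; an exporter bound to loopback should also set register_target false, since the registered scrape target is the listen address`, or derive the default as `:default => lazy { address.nil? }` if the cookbook already relies on lazy property defaults elsewhere.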
@@ -105,7 +109,9 @@ action_class do
   end
 
   def listen_address
-    if node[:prometheus][:mode] == "wireguard"
+    if new_resource.address
+      "#{new_resource.address}:#{new_resource.port}"
+    elsif node[:prometheus][:mode] == "wireguard"
       "[#{node[:prometheus][:address]}]:#{new_resource.port}"
     else
       "#{node[:prometheus][:address]}:#{new_resource.port}"
diff --git a/cookbooks/prometheus/templates/default/prometheus.yml.erb b/cookbooks/prometheus/templates/default/prometheus.yml.erb
index 281447f0a..6e28106cb 100644
--- a/cookbooks/prometheus/templates/default/prometheus.yml.erb
+++ b/cookbooks/prometheus/templates/default/prometheus.yml.erb
@@ -27,6 +27,28 @@ scrape_configs:
     static_configs:
       - targets:
           - localhost:9093
+  - job_name: ssl
+    scrape_interval: 15m
+    metrics_path: /probe
+    static_configs:
+      - targets:
+<% @certificates.values.sort_by { |c| c[:domains].first }.each do |certificate| -%>
+<% certificate[:nodes].sort_by { |h| h[:name] }.each do |host| -%>
+          - <%= certificate[:domains].first %>/<%= host[:name] %>:443
+<% end -%>
+<% end -%>
+    relabel_configs:
+      - source_labels: [__address__]
+        regex: "([^/]+)/.*"
+        target_label: __param_module
+      - source_labels: [__address__]
+        regex: "[^/]+/(.*)"
+        target_label: __param_target
+      - source_labels: [__param_target]
+        regex: "([^.]+)\\..*"
+        target_label: instance
+      - target_label: __address__
+        replacement: 127.0.0.1:9219
 <% @jobs.sort.each do |name, targets| -%>
   - job_name: <%= name %>
     static_configs:
diff --git a/cookbooks/prometheus/templates/default/ssl.yml.erb b/cookbooks/prometheus/templates/default/ssl.yml.erb
new file mode 100644
index 000000000..be622f41c
--- /dev/null
+++ b/cookbooks/prometheus/templates/default/ssl.yml.erb
@@ -0,0 +1,7 @@
+modules:
+<% @certificates.values.sort_by { |c| c[:domains].first }.each do |certificate| -%>
+  <%= certificate[:domains].first %>:
+    prober: tcp
+    tls_config:
+      server_name: <%= certificate[:domains].first %>
+<% end -%>
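Review bot: The new `new_resource.address` branch of `listen_address` in the `@@ -105,7 +109,9 @@` hunk emits `"#{new_resource.address}:#{new_resource.port}"` without bracketing, unlike the wireguard branch directly below it, so an IPv6 literal such as `::1` would become `::1:9219`, which is ambiguous for the exporters' `web.listen-address` parsing. The only caller in this commit passes `127.0.0.1`, so the defect is latent today. One fix is `"#{new_resource.address.include?(":") ? "[#{new_resource.address}]" : new_resource.address}:#{new_resource.port}"`. The method's closing `end` lies outside the hunk.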
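Review bot: `<%= certificate[:domains].first %>` is written unquoted into the `- <domain>/<host>:443` target line of the prometheus.yml.erb hunk, and in the new ssl.yml.erb it becomes an unquoted YAML mapping key and `server_name` value; should any node carry a certificate whose first domain starts with `*` (a wildcard), YAML would read it as an alias and both files would fail to parse, and a wildcard is not a usable SNI value in any case. Quoting the two template lines removes the parse hazard: `- "<%= certificate[:domains].first %>/<%= host[:name] %>:443"` in prometheus.yml.erb and `"<%= certificate[:domains].first %>":` in ssl.yml.erb. Whether wildcard entries should be skipped or mapped to a concrete hostname is for the cookbook author to decide, since the node data is not visible here. The `instance` relabel regex `"([^.]+)\\..*"` keeps only the first label of the host FQDN, which is fine only while short hostnames are unique across domains; a one-line comment stating that assumption would help the next reader.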