fix: gen metrics for certs with same CN diff OUs (#29)
fix: gen metrics for certs with same CN diff OUs
wbollock authored Nov 19, 2024
2 parents 10c22e2 + f0bb680 commit 0d5f910
Showing 12 changed files with 238 additions and 335 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/tests.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
run: docker compose build

- name: Download venom
run: curl https://github.com/ovh/venom/releases/download/v1.1.0/venom.linux-amd64 -L -o /usr/local/bin/venom && chmod +x /usr/local/bin/venom
run: curl https://github.com/ovh/venom/releases/download/v1.2.0/venom.linux-amd64 -L -o /usr/local/bin/venom && chmod +x /usr/local/bin/venom

- name: Run test
run: venom run tests.yml
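--- a/.tool-versions
+++ b/.tool-versions
@@ -0,0 +1 @@
+venom 1.2.0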
23 changes: 18 additions & 5 deletions README.md
@@ -1,10 +1,10 @@
# vault-pki-exporter

> Export PKI Certificate and CRL metrics base on dates
> Exports PKI Certificate and CRL metrics based on certificate metadata and dates
## Vault integration

Compatibility with all environment variable use by vault cli
Compatible with all environment variables used by vault cli.

Example:

Expand Down Expand Up @@ -43,9 +43,10 @@ Flags:
--prometheus Enable prometheus exporter, default if nothing else
--refresh-interval duration How many sec between metrics update (default 1m0s)
--batch-size-percent How large of a batch of certificates to get data for at once, supports floats (e.g 0.0 - 100.0) (default 1)
-v, --verbose Enable verbose
--log-level Set log level (options: info, warn, error, debug)
-v, --verbose (deprecated) Enable verbose logging. Defaults to debug level logging

Use " [command] --help" for more information about a command.
Use "[command] --help" for more information about a command.
```

## InfluxDB Line Protocol
Expand Down Expand Up @@ -90,11 +91,23 @@ level=error msg="failed to get certificate for pki/26:97:08:32:44:40:30:de:11:5z

Your batch size is probably too high.

## Certificate Selection

Any certificate with a unique subject common name and organizational unit is considered for metrics. If a certificate is renewed in place with the same CN and OU, it will still retain the same time series to avoid false alarms.

Revoked certificates are not considered for metrics and their time series will be deleted when an "active" certificate is deleted.

Expired certificates still retain their time series too.

## PKI Engine Selection

Right now the exporter will find any Vault PKI secrets engines and attempt to get certs for all of them. PKI secrets engines are currently not selectable by the exporter.

## Contributing

### Testing

Venom is used for tests, run `sudo venom run tests.yml` to perform integration tests.
Venom is used for tests, run `sudo venom run tests.yml` to perform integration tests. Make sure you have at least venom version 1.2.0.

Unit tests would also most likely be welcome for contribution with go native tests.

41 changes: 30 additions & 11 deletions cmd/main.go
Expand Up @@ -2,9 +2,11 @@ package main

import (
"fmt"
"log/slog"
"os"
"time"

log "github.com/aarnaud/vault-pki-exporter/pkg/logger"
"github.com/aarnaud/vault-pki-exporter/pkg/logger"
"github.com/aarnaud/vault-pki-exporter/pkg/vault"
vaultMon "github.com/aarnaud/vault-pki-exporter/pkg/vault-mon"
"github.com/spf13/cobra"
Expand Down Expand Up @@ -34,44 +36,61 @@ func init() {

flags.BoolP("verbose", "v", false, "Enable verbose")
if err := viper.BindPFlag("verbose", flags.Lookup("verbose")); err != nil {
log.Fatal(err)
logger.SlogFatal("Could not bind verbose flag", "error", err)
}

flags.String("log-level", "info", "Set log level (options: info, warn, error, debug)")
if err := viper.BindPFlag("log-level", flags.Lookup("log-level")); err != nil {
logger.SlogFatal("Could not bind log-level flag", "error", err)
}

flags.BoolP("prometheus", "", false, "Enable prometheus exporter, default if nothing else")
if err := viper.BindPFlag("prometheus", flags.Lookup("prometheus")); err != nil {
log.Fatal(err)
logger.SlogFatal("Could not bind prometheus flag", "error", err)
}

flags.BoolP("influx", "", false, "Enable InfluxDB Line Protocol")
if err := viper.BindPFlag("influx", flags.Lookup("influx")); err != nil {
log.Fatal(err)
logger.SlogFatal("Could not bind influx flag", "error", err)
}

flags.Int("port", 9333, "Prometheus exporter HTTP port")
if err := viper.BindPFlag("port", flags.Lookup("port")); err != nil {
log.Fatal(err)
logger.SlogFatal("Could not bind port flag", "error", err)
}

flags.Duration("fetch-interval", time.Minute, "How many sec between fetch certs on vault")
if err := viper.BindPFlag("fetch_interval", flags.Lookup("fetch-interval")); err != nil {
log.Fatal(err)
logger.SlogFatal("Could not bind fetch-interval flag", "error", err)
}

flags.Duration("refresh-interval", time.Minute, "How many sec between metrics update")
if err := viper.BindPFlag("refresh_interval", flags.Lookup("refresh-interval")); err != nil {
log.Fatal(err)
logger.SlogFatal("Could not bind refresh-interval flag", "error", err)
}

flags.Float64("batch-size-percent", 1, "loadCerts batch size percentage, supports floats (e.g 0.0 - 100.0)")
if err := viper.BindPFlag("batch_size_percent", flags.Lookup("batch-size-percent")); err != nil {
log.Fatal(err)
logger.SlogFatal("Could not bind batch-size-percent flag", "error", err)
}
}

func main() {
cli.ParseFlags(os.Args[1:])

// preserve deprecated verbose flag
if viper.GetBool("verbose") {
logger.Init("debug")
} else {
logger.Init(viper.GetString("log-level"))
}

// note mix of underscores and dashes
slog.Info("CLI flag values", "fetch-interval", viper.GetDuration("fetch_interval"), "refresh-interval", viper.GetDuration("refresh_interval"), "batch-size-percent", viper.GetFloat64("batch_size_percent"))

err := cli.Execute()
if err != nil {
log.Fatal(err)
logger.SlogFatal("CLI execution failed", "error", err)
}
}

Expand All @@ -83,13 +102,13 @@ func entrypoint() {
pkiMon := vaultMon.PKIMon{}
err := pkiMon.Init(vaultcli.Client)
if err != nil {
log.Errorln(err.Error())
slog.Error("PKIMon initialization failed", "error", err)
}

pkiMon.Watch(viper.GetDuration("fetch_interval"))

if viper.GetBool("prometheus") || !viper.GetBool("influx") {
log.Infoln("start prometheus exporter")
slog.Info("start prometheus exporter")
vaultMon.PromWatchCerts(&pkiMon, viper.GetDuration("refresh_interval"))
vaultMon.PromStartExporter(viper.GetInt("port"))
}
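Review bot: The help text on the `flags.BoolP("verbose", "v", false, "Enable verbose")` line in init() still presents the flag as a live option, while README.md in this same commit documents it as deprecated and main() now only uses it to force the debug level; the code and the docs should agree. One way is `flags.BoolP("verbose", "v", false, "(deprecated) Enable verbose logging, equivalent to --log-level=debug")` followed by `_ = flags.MarkDeprecated("verbose", "use --log-level=debug")` so pflag itself reports the deprecation whenever the flag is passed (the ignored error only fires if the flag name does not exist). The enclosing init() opens before this hunk. Separately, in entrypoint() the `pkiMon.Init` error is now reported with slog.Error and execution continues straight into `pkiMon.Watch`; if a failed Init leaves the monitor unusable, `logger.SlogFatal("PKIMon initialization failed", "error", err)` (the helper the flag-binding errors already use) would be the clearer outcome — worth confirming against PKIMon.Init, which is not on this page.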
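--- a/compose.yaml
+++ b/compose.yaml
@@ -28,6 +28,7 @@ services:
 - ./vault-pki-exporter
 - --fetch-interval=5s
 - --refresh-interval=5s
+- --log-level=debug
 networks:
 - vault-pki-exporter
 ports: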