From: Alex Dehnert Date: Sun, 11 Jul 2021 21:40:38 +0000 (-0400) Subject: vault: Add a check for seal status X-Git-Url: https://dehnerts.com/gitweb/?a=commitdiff_plain;h=6284b17cb11eff798730ad9a58cb189ec1fe6db2;p=sysconfig%2Fnagios3.git vault: Add a check for seal status --- diff --git a/conf.d/check_vault.py b/conf.d/check_vault.py new file mode 100755 index 0000000..69d69b0 --- /dev/null +++ b/conf.d/check_vault.py 
@@ -0,0 +1,113 @@ +#!/usr/bin/env python3 + +"""Nagios check dispatcher and custom checks + +This fulfills two roles: + * can be used as an ssh force command and dispatch checks to appropriate nagios plugins + * implements various custom checks +""" + +# https://pypi.org/project/nagiosplugin/ may also be useful + +# Standard library +from enum import IntEnum +import logging +import os +import re +import subprocess +import sys + +# Common third party libs +import requests + +LOGGER = logging.getLogger(__name__) + +class Return_Code(IntEnum): + OK = 0 + WARNING = 1 + CRITICAL = 2 + UNKNOWN = 3 + +# TODO(py3.7): use dataclass? +class NagiosReturn: + """Class for returning nagios results""" + returncode: Return_Code + short: str + short_perf: str + long_text: str + long_perf: str + + def __init__(self, returncode, short, short_perf="", long_text="", long_perf=""): + self.returncode = returncode + self.short = short + self.short_perf = short_perf + self.long_text = long_text + self.long_perf = long_perf + + def exit(self): + assert '\n' not in self.short + assert '\n' not in self.short_perf + print("%s|%s" % (self.short.strip(), self.short_perf.strip())) + print(self.long_text + "|" + self.long_perf) + sys.exit(self.returncode) + + +def check_vault(check, hostname): + url = "https://%s:8200/v1/sys/seal-status" % (hostname, ) + result = requests.get(url) + if result.status_code == 200: + long_perf = "json=%s" % (result.text, ) + if result.json()['sealed']: + returncode = Return_Code.CRITICAL + short = "vault is sealed" + perf = "sealed=1" + return NagiosReturn(returncode, short, perf, long_perf=long_perf) + else: + returncode = Return_Code.OK + short = "vault is unsealed" + perf = "sealed=0" + return NagiosReturn(returncode, short, perf, long_perf=long_perf) + else: + returncode = Return_Code.CRITICAL + short = "vault seal-status returned %d" % (result.status_code) + perf = "status_code=%d" % (result.status_code) + return NagiosReturn(returncode, short, perf) + + 
+FUNCTIONS = dict( + check_vault=check_vault, +) + + +ARG_CHECKER = re.compile('^([a-zA-Z0-9][a-zA-Z0-9.-]*)$') + + +def dispatch(): + assert len(sys.argv) > 1, "currently must pass args on commandline" + if len(sys.argv) > 1: + cmd = sys.argv[1] + if cmd in FUNCTIONS: + args = [] + for arg in sys.argv[2:]: + match = ARG_CHECKER.match(arg) + if match: + args.append(match.group(1)) + else: + ret = NagiosReturn(Return_Code.UNKNOWN, "invalid arg %s" % (arg, )) + break + else: + # If we got through the loop without breaking, args are fine + ret = FUNCTIONS[cmd](cmd, *args) + else: + ret = NagiosReturn(Return_Code.UNKNOWN, "unknown cmd %s" % (cmd, )) + ret.exit() + + +if __name__ == '__main__': + #handlers = [journal.JournalHandler()] + handlers = [] + if 'SSH_ORIGINAL_COMMAND' not in os.environ: + # Probably being run for diagnostics, so go ahead and log to console + handlers.append(logging.StreamHandler()) + logging.basicConfig(level='INFO',handlers=handlers) + dispatch() diff --git a/local.d/virunga.cfg b/local.d/virunga.cfg index 6e91b47..794a0ac 100644 --- a/local.d/virunga.cfg +++ b/local.d/virunga.cfg @@ -20,3 +20,16 @@ define service { __check_cert_expiry_days 10 __connect_port 8200 } + +define command{ + command_name check_vault_seal + command_line /etc/nagios3/conf.d/check_vault.py check_vault vault.dehnerts.com +} + +define service { + name virunga-vault-seal + use adehnert-service + host_name virunga + service_description VAULT-SEAL + check_command check_vault_seal +}
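Review bot: `requests.get(url)` in check_vault has no timeout and no exception handling, so an unreachable host, a TLS failure or a hung listener either blocks the check until Nagios kills it or dies with a traceback and exit status 1, which Nagios reports as WARNING with no useful message. Wrapping the call as `requests.get(url, timeout=10)` inside a `try/except requests.RequestException` that returns a CRITICAL NagiosReturn keeps the plugin contract, and the same applies to `result.json()['sealed']`, which raises on a 200 with a non-JSON body (a front proxy error page, for instance). In dispatch, `ARG_CHECKER.match(arg)` with a trailing `$` still accepts an argument ending in a newline, since `$` matches before a final `\n`; `ARG_CHECKER.fullmatch(arg)` closes that gap without changing the pattern. The `assert len(sys.argv) > 1` guard is stripped under `python3 -O`, so a plain `if` that exits UNKNOWN would be more robust for an ssh forced command.
```python
def check_vault(check, hostname):
    url = "https://%s:8200/v1/sys/seal-status" % (hostname, )
    try:
        # timeout is a constructed value; keep it below Nagios's plugin timeout
        result = requests.get(url, timeout=10)
    except requests.RequestException as e:
        return NagiosReturn(Return_Code.CRITICAL,
                            "vault seal-status request failed: %s" % (type(e).__name__, ))
    if result.status_code == 200:
        long_perf = "json=%s" % (result.text, )
        try:
            sealed = result.json()['sealed']
        except (ValueError, KeyError, TypeError):
            return NagiosReturn(Return_Code.UNKNOWN,
                                "vault seal-status returned an unparseable body",
                                long_perf=long_perf)
        # … unchanged: sealed / unsealed branches, now testing `sealed` …
    # … unchanged: non-200 branch …
```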
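Review bot: The new check_vault_seal command hard-codes `vault.dehnerts.com` in its command_line while the service is attached to host virunga, so the target silently diverges from the host definition if the vault address ever changes and the command cannot be reused for a second vault host. If virunga's address is the vault endpoint (the existing service above already probes port 8200 on it), `command_line /etc/nagios3/conf.d/check_vault.py check_vault $HOSTADDRESS$` ties the check to the host; otherwise `$ARG1$` with the hostname supplied in check_command keeps the command generic.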