feat(lego): generate certificate metrics for the node_exporter textfile collector

2024-11-10 06:24:17 +00:00 · 2023-03-07 10:59:32 +01:00 · 2023-03-07 10:59:32 +01:00 · 6c20ba81b2
commit 6c20ba81b2
parent 7ce4598d29
6 changed files with 35 additions and 0 deletions
--- a/roles/lego/defaults/main.yml
+++ b/roles/lego/defaults/main.yml
@ -12,6 +12,8 @@ lego_executable: "{{ lego_base_path }}/lego"
 lego_account_base_path: "{{ lego_base_path }}/accounts"
 lego_cap_net_bind_service: true

+lego_enable_metrics_textfile: false
+
 lego_source_server_domain: "github.com"
 lego_source_url: >-2
  https://{{
--- a/roles/lego/tasks/main.yml
+++ b/roles/lego/tasks/main.yml
@ -33,6 +33,16 @@
  register: "lego_version_res"
  tags: ["prepare", "prepare-lego"]

+- name: "Ensure lego metrics textfile generator exists"
+  template:
+    src: "metrics-textfile.py.j2"
+    dest: "{{ lego_base_path }}/metrics-textfile.py"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  when: "lego_enable_metrics_textfile"
+  tags: ["prepare", "prepare-lego"]
+
 - name: "Install lego from github releases"
  when: "lego_version_res.failed or not lego_version in lego_version_res.stdout"
  block:
--- a/roles/lego/templates/lego.service.j2
+++ b/roles/lego/templates/lego.service.j2
@ -17,6 +17,9 @@ ExecStartPre=+-chmod {{ lego_certificate_store_mode }} {{ lego_certificate_store
 ExecStart={{ lego_command_systemd }}
 ExecStartPost=+-/bin/sh -c 'chown {{ lego_certificate_store_user }}:{{ lego_certificate_store_group }} {{ lego_certificate_store }}/*'
 ExecStartPost=+-/bin/sh -c 'chmod 0640 {{ lego_certificate_store }}/*'
+{% if lego_enable_metrics_textfile %}
+ExecStartPost=+-/usr/bin/python3 {{ lego_base_path }}/metrics-textfile.py
+{% endif %}
 {% if lego_post_renewal_script is defined %}
 ExecStartPost=+-{{ lego_post_renewal_script }}
 {% endif %}
--- a/roles/lego/templates/metrics-textfile.py.j2
+++ b/roles/lego/templates/metrics-textfile.py.j2
@ -0,0 +1,18 @@
+#!/usr/bin/python3
+
+from pathlib import Path
+from cryptography import x509
+import time
+
+textfile = open('{{ lego_base_path }}/metrics', 'w')
+
+textfile.write('# HELP ssl_certificate_expiry Unix timestamp of certificate expiry\n')
+textfile.write('# TYPE ssl_certificate_expiry gauge\n')
+
+certs_path = Path('{{ lego_certificate_store }}')
+for certificate_path in certs_path.glob('*.crt'):
+    if certificate_path.match('*.issuer.crt'):
+        continue
+    certificate_bytes = open(certificate_path, 'rb').read()
+    certificate = x509.load_pem_x509_certificate(certificate_bytes)
+    textfile.write('ssl_certificate_expiry{path="' + str(certificate_path) + '"} ' + certificate.not_valid_after.strftime('%s') + '\n')
--- a/tests/sanity/ignore-2.13.txt
+++ b/tests/sanity/ignore-2.13.txt
@ -0,0 +1 @@
+roles/lego/templates/metrics-textfile.py.j2 shebang
--- a/tests/sanity/ignore-2.14.txt
+++ b/tests/sanity/ignore-2.14.txt
@ -0,0 +1 @@
+roles/lego/templates/metrics-textfile.py.j2 shebang
				`@ -0,0 +1 @@`
				`roles/lego/templates/metrics-textfile.py.j2 shebang`