Add new nagios check for vault health

Improved check_vault_version.py to also check whether vault is sealed, therefore renaming it to check_vault_health.py. Registered the new check with NRPE and removed the old one. The alert of vault being sealed takes precedence over version checking. Closes-bug: #1856025 Change-Id: I9b5ec739d27f35b793e91f61f070995105f80d06
2020-10-02 16:31:38 -03:00 · 2020-10-02 16:31:38 -03:00 · e003c17044
parent edbca2f5ff
commit e003c17044
2 changed files with 21 additions and 9 deletions
--- a/src/files/nagios/check_vault_version.py
+++ b/src/files/nagios/check_vault_version.py
@ -44,7 +44,7 @@ def get_vault_snap_version():
        return version


-def get_vault_server_version(verify=True):
+def get_vault_server_health(verify=True):
    ctx = None
    if not verify:
        ctx = ssl.create_default_context()
@ -52,7 +52,7 @@ def get_vault_server_version(verify=True):
        ctx.verify_mode = ssl.CERT_NONE

    with urlopen(VAULT_HEALTH_URL, context=ctx) as health:
-        return json.loads(health.read().decode('utf-8'))['version']
+        return json.loads(health.read().decode('utf-8'))


 if __name__ == '__main__':
@ -64,12 +64,17 @@ if __name__ == '__main__':
        sys.exit(2)

    try:
-        serverv = get_vault_server_version(verify=VAULT_VERIFY_SSL)
+        health = get_vault_server_health(verify=VAULT_VERIFY_SSL)
    except Exception as e:
-        print('CRITICAL: failed to fetch version of '
+        print('CRITICAL: failed to fetch health of '
              'running vault server: {}'.format(e))
        sys.exit(2)

+    if health['sealed'] is True:
+        print('CRITICAL: vault is sealed.')
+        sys.exit(2)
+
+    serverv = health['version']
    if serverv == snapv:
        print('OK: running vault ({}) is the same '
              'as the installed snap ({})'.format(
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@ -1,4 +1,5 @@
 import base64
+import os
 import psycopg2
 import subprocess
 import tenacity
@ -12,6 +13,7 @@ from charmhelpers.contrib.charmsupport.nrpe import (
    add_init_service_checks,
    get_nagios_hostname,
    get_nagios_unit_name,
+    remove_deprecated_check,
 )

 from charmhelpers.contrib.openstack.utils import (
@ -380,15 +382,20 @@ def update_nagios(svc):
    hostname = get_nagios_hostname()
    current_unit = get_nagios_unit_name()
    nrpe = NRPE(hostname=hostname)
+    remove_deprecated_check(nrpe, ['vault_version'])
    add_init_service_checks(nrpe, ['vault'], current_unit)
+    try:
+        os.remove('/usr/lib/nagios/plugins/check_vault_version.py')
+    except FileNotFoundError:
+        pass
    write_file(
-        '/usr/lib/nagios/plugins/check_vault_version.py',
-        open('files/nagios/check_vault_version.py', 'rb').read(),
+        '/usr/lib/nagios/plugins/check_vault_health.py',
+        open('files/nagios/check_vault_health.py', 'rb').read(),
        perms=0o755)
    nrpe.add_check(
-        'vault_version',
-        'Check running vault server version is same as installed snap',
-        '/usr/lib/nagios/plugins/check_vault_version.py',
+        'vault_health',
+        'Check running vault server version and health',
+        '/usr/lib/nagios/plugins/check_vault_health.py',
    )
    nrpe.write()
    set_state('vault.nrpe.configured')