Add certificates expiration monitoring
Change-Id: I0e501559202c767616d20424e615e30f16d5a54f
Prod-Related: PROD-28065
diff --git a/salt/meta/prometheus.yml b/salt/meta/prometheus.yml
index 7fa7179..1a2a5a7 100644
--- a/salt/meta/prometheus.yml
+++ b/salt/meta/prometheus.yml
@@ -28,5 +28,27 @@
description: "The salt-minion service on the {{ $labels.host }} node is down."
{%- endraw %}
{%- endif %}
+ {%- if pillar.salt.get('minion', {}).get('enabled', False) and pillar.salt.minion.cert is defined %}
+ {%- raw %}
+ CertificateExpirationWarning:
+ if: >-
+ x509_cert_expiry / (24 * 60 * 60) < 60
+ labels:
+ severity: warning
+ service: system
+ annotations:
+ summary: "The certificate expires in less than 60 days"
+ description: "The {{ $labels.source }} certificate on the {{ $labels.host }} node expires in less than 60 days."
+ CertificateExpirationCritical:
+ if: >-
+ x509_cert_expiry / (24 * 60 * 60) < 30
+ labels:
+ severity: critical
+ service: system
+ annotations:
+ summary: "The certificate expires in less than 30 days"
+ description: "The {{ $labels.source }} certificate on the {{ $labels.host }} node expires in less than 30 days."
+ {%- endraw %}
+ {%- endif %}
{%- endif %}
{%- endif %}
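Review bot: `CertificateExpirationWarning` has no lower bound, so once a certificate drops under 30 days both it and `CertificateExpirationCritical` match the same series and, unless inhibition is configured elsewhere, both notifications are sent; bounding the warning, e.g. `x509_cert_expiry / (24 * 60 * 60) < 60 and x509_cert_expiry / (24 * 60 * 60) >= 30`, keeps one alert per certificate. Both rules can only fire while an `x509_cert_expiry` series exists, and the guard here (`pillar.salt.minion.cert is defined`) is looser than the one in salt/meta/telegraf.yml, which emits the input only when at least one certificate is enabled, so a certificate that is not collected stays silent instead of alerting. An already expired certificate presumably reports a negative value and would still be described as "expires in less than 30 days"; a comment such as `# negative values mean the certificate has already expired` above the critical rule would make that explicit. The enclosing alert mapping and the outer `if` blocks start outside this hunk.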
diff --git a/salt/meta/telegraf.yml b/salt/meta/telegraf.yml
index 77fec3c..ba856f4 100644
--- a/salt/meta/telegraf.yml
+++ b/salt/meta/telegraf.yml
@@ -13,4 +13,16 @@
pattern: salt-minion
{%- endif %}
{%- endif %}
+ {%- if pillar.salt.get('minion', {}).get('enabled', False) and pillar.salt.get('minion', {}).cert is defined %}
+ {%- set certificates = [] %}
+ {%- for cert_name, cert in pillar.salt.minion.get('cert') | dictsort %}
+ {%- if cert.get('enabled', True) %}
+ {%- do certificates.append(cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt')) %}
+ {%- endif %}
+ {%- endfor %}
+ {%- if certificates %}
+ x509:
+ sources: {{ certificates }}
+ {%- endif %}
+ {%- endif %}
{%- endif %}
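Review bot: `sources: {{ certificates }}` prints the Python repr of the list, which is valid YAML only by coincidence: under a Python 2 renderer, unicode pillar strings would likely be emitted with a `u'...'` prefix, and a path containing a quote breaks the flow sequence, so Telegraf could end up watching the wrong path and the expiry alerts would never see that certificate. Serialising explicitly, `sources: {{ certificates | json }}`, avoids this. Separately, the default argument `'/etc/ssl/certs/' + cert.common_name + '.crt'` is evaluated even when `cert_file` is set, so a pillar entry without `common_name` would probably fail rendering; `cert.cert_file if cert.cert_file is defined else '/etc/ssl/certs/' + cert.common_name + '.crt'` only builds the fallback when it is needed. The enclosing input mapping and the outer `if` blocks start outside this hunk.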