Merge pull request #385 from orange-cloudfoundry/master

Update credhub exporter

Author: frodenas

jobs/credhub_alerts/templates/credhub.alerts.yml

@@ -2,7 +2,7 @@ groups:
   - name: credhub
     rules:
       - alert: CredhubCrendentialAging
-        expr: max(round((time() - max_over_time(credhub_credential_created_at{}[1h])) / 86400)) by (deployment, environment, path) > <%= p('credhub_alerts.credential_expire.threshold') %>
+        expr: (time() - credhub_credential_created_at) / 86400 > <%= p('credhub_alerts.credential_expire.threshold') %>
         for: <%= p('credhub_alerts.credential_expire.evaluation_time') %>
         labels:
           severity: warning
@@ -11,7 +11,7 @@ groups:
           description: "Credhub credential `{{$labels.path}}` at environment `{{$labels.environment}}`, deployment `{{$labels.deployment}}` has not been rotated in the last <%= p('credhub_alerts.credential_expire.threshold') %> days"
 
       - alert: CredhubCertificateWillExpire
-        expr: min(round((max_over_time(credhub_certificate_expires_at{}[1h]) - time()) / 86400)) by (deployment, environment, path) < <%= p('credhub_alerts.certificate_expire.threshold') %>
+        expr: (credhub_certificate_expires_at - time()) / 86400 < <%= p('credhub_alerts.certificate_expire.threshold') %>
         for: <%= p('credhub_alerts.certificate_expire.evaluation_time') %>
         labels:
           severity: critical

jobs/credhub_alerts/templates/prometheus_credhub_exporter.alerts.yml

@@ -2,7 +2,7 @@ groups:
   - name: prometheus-credhub-exporter
     rules:
       - alert: CredhubExporterApplicationsScrapeError
-        expr: max(max_over_time(credhub_last_scrape_error{}[1h])) by(director, environment) != 0
+        expr: credhub_last_scrape_error != 0
         for: <%= p('credhub_alerts.scrape_error.evaluation_time') %>
         labels:
           service: credhub-exporter
@@ -12,7 +12,7 @@ groups:
           description: "The `credhub_exporter` at `{{$labels.environment}}/{{$labels.director}}` was unable to scrape metrics during the last <%= p('credhub_alerts.scrape_error.evaluation_time') %>"
 
       - alert: CredhubExporterScrapeTooOld
-        expr: (time() - max(max_over_time(credhub_last_scrape_timestamp{}[1h])) by(environment, deployment)) > <%= p('credhub_alerts.scrape_too_old.threshold') %>
+        expr: time() - credhub_last_scrape_timestamp > <%= p('credhub_alerts.scrape_too_old.threshold') %>
         for: <%= p('credhub_alerts.scrape_too_old.evaluation_time') %>
         labels:
           service: credhub-exporter

jobs/credhub_dashboards/templates/credhub_certs.json

@@ -46,8 +46,8 @@
   "editable": false,
   "gnetId": null,
   "graphTooltip": 0,
-  "id": null,
-  "iteration": 1573825587650,
+  "id": 105,
+  "iteration": 1586246148529,
   "links": [
     {
       "asDropdown": true,
@@ -88,7 +88,7 @@
       "pageSize": 150,
       "showHeader": true,
       "sort": {
-        "col": 3,
+        "col": 7,
         "desc": false
       },
       "styles": [
@@ -165,20 +165,20 @@
             "60"
           ],
           "type": "number",
-          "unit": "d"
+          "unit": "s"
         }
       ],
       "targets": [
         {
-          "expr": "min(round(max_over_time(credhub_certificate_expires_at{environment=~\"$environment\",deployment=~\"$bosh_deployment\"}[1h]))) by (name, path) * 1000",
+          "expr": "max by (environment, deployment, index, name, path) (\n  credhub_certificate_expires_at{environment=~\"$environment\",deployment=~\"$bosh_deployment\"} * 1000\n)",
           "format": "table",
           "instant": true,
           "intervalFactor": 1,
           "legendFormat": "",
           "refId": "A"
         },
         {
-          "expr": "min(round((max_over_time(credhub_certificate_expires_at{environment=~\"$environment\",deployment=~\"$bosh_deployment\"}[1h]) - time())  / 86400)) by (name, path)",
+          "expr": "max by (environment, deployment, index, name, path) (\n  credhub_certificate_expires_at{environment=~\"$environment\",deployment=~\"$bosh_deployment\"} - time()\n)",
           "format": "table",
           "instant": true,
           "intervalFactor": 1,
@@ -193,7 +193,7 @@
       "type": "table"
     }
   ],
-  "schemaVersion": 20,
+  "schemaVersion": 21,
   "style": "dark",
   "tags": [
     "bosh"
@@ -267,5 +267,5 @@
   "timezone": "browser",
   "title": "CredHub: Certificate Expiry Date",
   "uid": "OQqSNUJZk",
-  "version": 9
+  "version": 10
 }

jobs/credhub_exporter/monit

@@ -1,5 +1,5 @@
 check process credhub_exporter
-  with pidfile /var/vcap/sys/run/credhub_exporter/credhub_exporter.pid
-  start program "/var/vcap/jobs/credhub_exporter/bin/credhub_exporter_ctl start"
-  stop program "/var/vcap/jobs/credhub_exporter/bin/credhub_exporter_ctl stop"
+  with pidfile   /var/vcap/sys/run/bpm/credhub_exporter/credhub_exporter.pid
+  start program "/var/vcap/jobs/bpm/bin/bpm start credhub_exporter"
+  stop program  "/var/vcap/jobs/bpm/bin/bpm stop  credhub_exporter"
   group vcap

jobs/credhub_exporter/spec

@@ -5,10 +5,10 @@ packages:
   - credhub_exporter
 
 templates:
-  bin/credhub_exporter_ctl: bin/credhub_exporter_ctl
-  config/web_tls_cert.pem: config/web_tls_cert.pem
-  config/web_tls_key.pem: config/web_tls_key.pem
-  config/credhub_tls_ca_cert.pem: config/credhub_tls_ca_cert.pem
+  web_tls_cert.pem.erb: config/web_tls_cert.pem
+  web_tls_key.pem.erb: config/web_tls_key.pem
+  credhub_tls_ca_cert.pem.erb: config/credhub_tls_ca_cert.pem
+  bpm.yml.erb: config/bpm.yml
 
 consumes:
 - name: credhub
@@ -24,22 +24,30 @@ properties:
     description: "Credhub Client Secret"
   credhub_exporter.credhub.ca_certs:
     description: "Credhub CA certificates (PEM format)"
+    default: ""
   credhub_exporter.metrics.deployment:
     description: "Deployment name to be reported as a metric label"
   credhub_exporter.metrics.environment:
     description: "Environment label to be attached to metrics"
   credhub_exporter.metrics.namespace:
     description: "Metrics Namespace"
+    default: "credhub"
+  credhub_exporter.metrics.update_interval:
+    description: "Metrics update interval given as golang duration format"
+    default: 6h
   credhub_exporter.filters.generic-certificates:
-    description: "Json list of <regexp> to match generic credentials paths that may contains certificates"
+    description: "List of <regexp> to match generic credentials paths that may contains certificates"
+    default: []
   credhub_exporter.filters.name-like:
     description: "Fetch credentials whose name contains the query string (fetch all credentials when empty)"
   credhub_exporter.filters.path:
     description: "Fetch credentials that exist under the provided path"
   credhub_exporter.log_format:
     description: "Set the log target and format. Example: 'logger:syslog?appname=bob&local=7' or 'logger:stdout?json=true'"
+    default: logger:stderr
   credhub_exporter.log_level:
     description: "Only log messages with the given severity or above. Valid levels: [debug, info, warn, error, fatal]"
+    default: info
   credhub_exporter.skip_ssl_verify:
     description: "Disable SSL Verify"
     default: false
@@ -48,6 +56,7 @@ properties:
     default: "9358"
   credhub_exporter.web.telemetry_path:
     description: "Path under which to expose Prometheus metrics"
+    default: "/metrics"
   credhub_exporter.web.auth_username:
     description: "Username for web interface basic auth"
   credhub_exporter.web.auth_password:

jobs/credhub_exporter/templates/bin/credhub_exporter_ctl

@@ -0,0 +1,73 @@
+<%
+
+credhub_url = nil
+credhub_ca_certs = nil
+if_link("credhub") do |link|
+  credhub_url      = sprintf("https://%s:%d", link.p("credhub.internal_url"), link.p("credhub.port"))
+  credhub_ca_certs = link.p("credhub.ca_certificate")
+end
+unless credhub_url
+  credhub_url      = p("credhub_exporter.credhub.api_url")
+  credhub_ca_certs = p("credhub_exporter.credhub.ca_certs")
+end
+
+args = [
+  "--log.level",  p("credhub_exporter.log_level"),
+  "--log.format", p("credhub_exporter.log_format"),
+]
+
+env = {}
+env["CREDHUB_EXPORTER_API_URL"]                 = credhub_url
+env["CREDHUB_EXPORTER_CLIENT_ID"]               = p("credhub_exporter.credhub.client_id")
+env["CREDHUB_EXPORTER_CLIENT_SECRET"]           = p("credhub_exporter.credhub.client_secret")
+env["CREDHUB_EXPORTER_FILTER_NAMELIKE"]         = p("credhub_exporter.filters.name-like", "")
+env["CREDHUB_EXPORTER_FILTER_PATH"]             = p("credhub_exporter.filters.path", "")
+env["CREDHUB_EXPORTER_GENERIC_CERTIFICATES"]    = p("credhub_exporter.filters.generic-certificates").to_json
+env["CREDHUB_EXPORTER_METRICS_DEPLOYMENT"]      = p("credhub_exporter.metrics.deployment")
+env["CREDHUB_EXPORTER_METRICS_NAMESPACE"]       = p("credhub_exporter.metrics.namespace")
+env["CREDHUB_EXPORTER_METRICS_ENVIRONMENT"]     = p("credhub_exporter.metrics.environment")
+env["CREDHUB_EXPORTER_METRICS_UPDATE_INTERVAL"] = p("credhub_exporter.metrics.update_interval")
+env["CREDHUB_EXPORTER_WEB_LISTEN_ADDRESS"]      = ":#{p("credhub_exporter.web.port")}"
+env["CREDHUB_EXPORTER_WEB_TELEMETRY_PATH"]      = p("credhub_exporter.web.telemetry_path")
+env["CREDHUB_EXPORTER_WEB_AUTH_USERNAME"]       = p("credhub_exporter.web.auth_username", "")
+env["CREDHUB_EXPORTER_WEB_AUTH_PASSWORD"]       = p("credhub_exporter.web.auth_password", "")
+env["CREDHUB_EXPORTER_SKIP_SSL_VERIFY"]         = "false"
+
+if not credhub_ca_certs.empty?
+  env["CREDHUB_EXPORTER_CA_CERTS_PATH"]    = "/var/vcap/jobs/credhub_exporter/config/credhub_tls_ca_cert.pem"
+end
+
+# when property value is true
+# -> not "if property exists"
+# -> always defined since it has a default value in spec
+if p("credhub_exporter.skip_ssl_verify")
+  env["CREDHUB_EXPORTER_SKIP_SSL_VERIFY"] = "true"
+end
+
+if_p("credhub_exporter.web.tls_cert", "credhub_exporter.web.tls_key") do
+  env["CREDHUB_EXPORTER_WEB_TLS_CERTFILE"] = "/var/vcap/jobs/credhub_exporter/config/web_tls_cert.pem"
+  env["CREDHUB_EXPORTER_WEB_TLS_KEYFILE"]  = "/var/vcap/jobs/credhub_exporter/config/web_tls_key.pem"
+end
+
+
+[ "http", "https", "no" ].each do |key|
+  name = "#{key}_proxy"
+  if_p("env.#{name}") do |val|
+    env[name.upcase] = val
+    env[name] = val
+  end
+end
+
+config = {
+  "processes" => [
+    {
+      "name"       => "credhub_exporter",
+      "executable" => "/var/vcap/packages/credhub_exporter/bin/credhub_exporter",
+      "env"        => env,
+      "args"       => args,
+    }
+  ]
+}
+%>
+
+<%= YAML.dump(config) %>

jobs/credhub_exporter/templates/bpm.yml.erb

@@ -0,0 +1,5 @@
+<% if_link("credhub") do |link| %>
+<%= link.p("credhub.ca_certificate") %>
+<% end.else do %>
+<%= p("credhub_exporter.credhub.ca_certs") %>
+<% end %>

jobs/credhub_exporter/templates/config/credhub_tls_ca_cert.pem

@@ -144,8 +144,8 @@
   path: /instance_groups/name=prometheus2/jobs/name=prometheus2/properties/prometheus/scrape_configs/-
   value:
     job_name: credhub
-    scrape_interval: 30m
-    scrape_timeout: 4m
+    scrape_interval: 4m
+    scrape_timeout: 2m
     file_sd_configs:
       - files:
         - "/var/vcap/store/bosh_exporter/bosh_target_groups.json"

jobs/credhub_exporter/templates/credhub_tls_ca_cert.pem.erb

@@ -0,0 +1,14 @@
+# add bpm to prometheus2
+- type: replace
+  path: /instance_groups/name=prometheus2/jobs/-
+  value:
+    name: bpm
+    release: bpm
+
+- type: replace
+  path: /releases/-
+  value:
+    name: bpm
+    version: 1.1.8
+    url: https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=1.1.8
+    sha1: c956394fce7e74f741e4ae8c256b480904ad5942

jobs/credhub_exporter/templates/config/web_tls_cert.pem jobs/credhub_exporter/templates/web_tls_cert.pem.erb

@@ -2,11 +2,6 @@
 
 set -eux
 
-# Copy common utils
-mkdir -p ${BOSH_INSTALL_TARGET}/common
-cp -a ${BOSH_COMPILE_TARGET}/common/* ${BOSH_INSTALL_TARGET}/common
-
 # Extract credhub_exporter package
 mkdir -p ${BOSH_INSTALL_TARGET}/bin
-tar xzvf ${BOSH_COMPILE_TARGET}/credhub_exporter/credhub_exporter-0.1.6.linux-amd64.tar.gz
-cp -a ${BOSH_COMPILE_TARGET}/credhub_exporter-0.1.6.linux-amd64/* ${BOSH_INSTALL_TARGET}/bin
+unzip credhub_exporter/credhub_exporter-0.2.0-linux_amd64-0.2-0.zip credhub_exporter -d ${BOSH_INSTALL_TARGET}/bin