Giter Club home page Giter Club logo

vault-pki-exporter's Introduction

vault-pki-exporter

Export PKI Certificate and CRL metrics base on dates

Vault integration

Compatibility with all environment variable use by vault cli

Example:

VAULT_SKIP_VERIFY=true;
VAULT_ADDR=https://vault.hostname.com;
VAULT_CLIENT_KEY=mycert.pem;
VAULT_CLIENT_CERT=mycert.pem;
VAULT_AUTH_METHOD=oidc

VAULT_AUTH_METHOD is not native in vault cli but used in this application. Valid values:

  • oidc

  • k8s

  • When set to oidc, will authenticate using oidc method, you can customize auth mount point by setting VAULT_AUTH_MOUNT.

  • When set to k8s, will authenticate using kubernetes auth method. You should also set VAULT_K8S_ROLE to vault k8s role name and optionally specify VAULT_AUTH_MOUNT for custom auth mount name.

Usage

Usage:
   [flags]
   [command]

Available Commands:
  help        Help about any command
  version     Print the version.

Flags:
      --fetch-interval duration     How many sec between fetch certs on vault (default 1m0s)
  -h, --help                        help for this command
      --influx                      Enable InfluxDB Line Protocol
      --port int                    Prometheus exporter HTTP port (default 9333)
      --prometheus                  Enable prometheus exporter, default if nothing else
      --refresh-interval duration   How many sec between metrics update (default 1m0s)
      --batch-size-percent          How large of a batch of certificates to get data for at once, supports floats (e.g 0.0 - 100.0) (default 1)
  -v, --verbose                     Enable verbose

Use " [command] --help" for more information about a command.

InfluxDB Line Protocol

x509_crl,host=your.hostname.com,source=pki-test/ expiry=245124i,nextupdate=1573235993i 1572990868
x509_cert,common_name=My\ PKI\ CA,country=CA,host=your.hostname.com,locality=Montreal,organization=Example,organizational_unit=WebService,province=QC,serial=0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26,source=pki-test/ age=14106i,enddate=1573408792i,expiry=417923i,startdate=1572976762i 1572990868

Prometheus exporter

# HELP x509_crl_expiry
# TYPE x509_crl_expiry gauge
x509_crl_expiry{source="pki-test/"} 243687.999819847
# HELP x509_crl_nextupdate
# TYPE x509_crl_nextupdate gauge
x509_crl_nextupdate{source="pki-test/"} 1.573235993e+09
# HELP x509_cert_age
# TYPE x509_cert_age gauge
x509_cert_age{common_name="My PKI CA",country="CA",locality="Montreal",organization="Example",organizational_unit="WebService",province="QC",serial="0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26",source="pki-test/"} 15543.000180153
# HELP x509_cert_enddate
# TYPE x509_cert_enddate gauge
x509_cert_enddate{common_name="My PKI CA",country="CA",locality="Montreal",organization="Example",organizational_unit="WebService",province="QC",serial="0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26",source="pki-test/"} 1.573408792e+09
# HELP x509_cert_expiry
# TYPE x509_cert_expiry gauge
x509_cert_expiry{common_name="My PKI CA",country="CA",locality="Montreal",organization="Example",organizational_unit="WebService",province="QC",serial="0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26",source="pki-test/"} 416486.999819847
# HELP x509_cert_startdate
# TYPE x509_cert_startdate gauge
x509_cert_startdate{common_name="My PKI CA",country="CA",locality="Montreal",organization="Example",organizational_unit="WebService",province="QC",serial="0e-50-38-4d-18-69-52-54-1d-71-31-49-1b-a8-06-c7-4f-23-64-26",source="pki-test/"} 1.572976762e+09

Batch Size

Vault PKI Exporter supports a --batch-size-percent flag to batch many requests for individual certificate metrics at once.

If you are getting many log messages such as:

level=error msg="failed to get certificate for pki/26:97:08:32:44:40:30:de:11:5z:ef:07:64:91:1e:9c:db:93:8c:1f, got error: Get \"https://vault.domain.com:8200/v1/pki/cert/26:97:08:32:44:40:30:de:11:5z:ef:07:64:91:1e:9c:db:93:8c:1f\": EOF"

Your batch size is probably too high.

vault-pki-exporter's People

Contributors

aarnaud avatar akamac avatar barskern avatar bchess avatar dependabot[bot] avatar ilyaluk avatar wbollock avatar yafimk avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar

Forkers

yafimk perimeter-81 arsiesys bchess akamac joomcode kmaliauka barskern bhuangakm linode-obs nickmhankins

vault-pki-exporter's Issues

Dockerfile

We're running vault-pki-exporter in docker and created following simple Dockerfile. Would you like to add it to the project?

FROM golang:alpine
WORKDIR /go/src/app
COPY . .
RUN go build cmd/main.go
EXPOSE 9333
CMD ["./main"]

Only fetching CRL for the default issuer

Right now the legacy cert/crl path is used to fetch the CRL for a PKI secrets engine, but this only accounts for the CRL of the default issuer of the secrets engine. The engine can have multiple issuers all with active CRLs.

vault-pki-exporter/pkg/vault-mon/pki.go

Lines 111 to 133 in ec2a1b7

func (pki *PKI) loadCrl() error {
pki.crlmux.Lock()
defer pki.crlmux.Unlock()
secret, err := pki.vault.Logical().Read(fmt.Sprintf("%scert/crl", pki.path))
if err != nil {
return err
}
secretCert := vault.SecretCertificate{}
err = mapstructure.Decode(secret.Data, &secretCert)
if err != nil {
return err
}
block, _ := pem.Decode([]byte([]byte(secretCert.Certificate)))
pki.crlRawSize = len([]byte(secretCert.Certificate))
crl, err := x509.ParseCRL(block.Bytes)
if err != nil {
log.Errorf("failed to load CRL for %s, error: %w", pki.path, err)
return err
}
pki.crl = crl
return nil
}

It would be better to iterate over all issuers in a secrets engine and use the newer /pki/issuer/:issuer_ref/crl path. The new metric might look like:

x509_crl_length{source="pki/", issuer="<some-issuer-unique-id>"}

Making an issue for discussion but I think I can pick this up eventually

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.