Monitor OpenShift Routes in Prometheus
Usage
This nodejs application assumes that the container in which the application is running has already a valid OpenShift session. The entrypoint will try to autologin via a service account. So all you need is to create a image with the desired openschift installed:
FROM toolisticon/oc-routes-prometheus-exporter:latest
ENV SUMMARY="openshift-ssl-verify runtime image"
ENV DESCRIPTION="openshift-ssl-verify runtime"
ENV TZ="Europe/Berlin"
ENV OPENSHIFT_VERSION=3.10.0
ENV NVM_DIR="$HOME/.nvm"
ENV CONSOLE_LOG="true"
ENV LOG_LEVEL="INFO"
LABEL summary="$SUMMARY" \
description="$DESCRIPTION" \
io.k8s.description="$DESCRIPTION" \
io.k8s.display-name="sslverify" \
io.openshift.tags="security,sslverify,platform" \
com.redhat.component="sslverify-container"
USER 0
# Update
RUN yum -y update && yum clean all && rm -rf /var/cache/yum
# Install oc and jq
RUN yum -y install centos-release-openshift-origin && \
yum -y install origin-clients-${OPENSHIFT_VERSION} && \
yum -y install epel-release && yum -y install jq
USER 1000
The pod should start with this output:
Now using node v8.15.0 (npm v6.4.1)
[2019-01-18T14:59:04.929Z] prometheus-exporter listening at 9000
[2019-01-18T15:00:00.005Z] Triggering check
[2019-01-18T15:00:00.006Z] Start reading route information.
[2019-01-18T15:00:05.133Z] Start triggering scan.
Sample Values
The metrics are available via via localhost:9000 on the pod:
security_ssl_mozilla_observatory{algorithm_version="2",end_time="1548079211000",grade="D",hidden="false",likelihood_indicator="MEDIUM",scan_id="9806703",score="35",start_time="1548079207000",state="FINISHED",status_code="404",tests_failed="3",tests_passed="9",tests_quantity="12",url="sample-config.sample.com",name="sample-config",namespace="project2",labels_app="myapp",labels_environment="dev",} 35.0
security_ssl_details{valid="true",valid_from="1545553135000",valid_to="1553329135000",days_remaining="60",url="api-test.sample.com",status="200",name="api-test",namespace="project1",labels_app="myapp",labels_environment="test",} 200.0
security_ssl_expire_days_remaining{url="api-test.sample.com",name="api-test",namespace="project1",labels_app="myapp",labels_environment="test",} 60.0
If you want to complete use
Configuration
You can override the config via environment variables:
OPENSHIFT_MASTER_URL
SERVER_PORT: // set desired port for prometheus endpoint, defaults to 9000
CRON: // set cron pattern, default is '0 0 * * * *',
LOG_LEVEL: // set log level, default is 'ERROR' ('INFO' outputs details info),
CONSOLE_LOG: // set to true to omit logging to file, otherwise logs will be written to `logs` dir
You'll find a Grafana Dashboard here:
Troubleshooting
Access denied
If the service account does not have access to projects, you will see this message
Logged into "https://...:8443" as "system:serviceaccount:security:sslverify" using the token provided.
You don't have any projects. Contact your system administrator to request a project.
Welcome! See 'oc help' to get started.
SSL error
If you see this kind of error:
error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.
you are using the internal kubernetes host which might be secured by self-signed certificates. Either use the public endpoint with proper ssl certificates or install the certificate to the keystore.
Development
Debug
To debug run the following command:
node --inspect-brk index.js
To debug unit tests:
npm run test:debug