Making cert alert more critical

Curretnly, only gets warning until zeroday. Adding CRITICAL alert 30 days in advance. WARNING alert 60 days in advance. Related-Bug: #2063814 Change-Id: I76a53b483070398d4ab9e40f6a1e167d46f47f96
2024-04-30 02:30:50 +00:00 · 2024-04-30 02:30:50 +00:00 · 1b00966719
commit 1b00966719
parent 360b63bf3c
1 changed files with 24 additions and 10 deletions
--- a/src/files/scripts/check_ovn_certs.py
+++ b/src/files/scripts/check_ovn_certs.py
@ -21,6 +21,13 @@ from cryptography.hazmat.backends import default_backend
 from cryptography import x509

 NAGIOS_PLUGIN_DATA = '/usr/local/lib/nagios/juju_charm_plugin_data'
+UNKNOWN = 3
+CRITICAL = 2
+WARN = 1
+SUCCESS = 0
+
+CERT_EXPIRY_CRITICAL_LIMIT = 30
+CERT_EXPIRY_WARN_LIMIT = 60


 class SSLCertificate(object):
@ -47,36 +54,43 @@ def check_ovn_certs():
    if not os.path.isdir(NAGIOS_PLUGIN_DATA):
        os.makedirs(NAGIOS_PLUGIN_DATA)

-    exit_code = 0
+    exit_code = SUCCESS
    for cert in ['/etc/ovn/cert_host', '/etc/ovn/ovn-central.crt']:
        if not os.path.exists(cert):
            message = "cert '{}' does not exist.".format(cert)
-            exit_code = 2
+            exit_code = CRITICAL
            break

        if not os.access(cert, os.R_OK):
            message = "cert '{}' is not readable.".format(cert)
-            exit_code = 2
+            exit_code = CRITICAL
            break

        try:
            remaining_days = SSLCertificate(cert).days_remaining
            if remaining_days <= 0:
                message = "{}: cert has expired.".format(cert)
-                exit_code = 2
+                exit_code = CRITICAL
                break

-            if remaining_days < 10:
-                message = ("{}: cert will expire soon (less than 10 days).".
-                           format(cert))
-                exit_code = 1
+            if remaining_days < CERT_EXPIRY_CRITICAL_LIMIT:
+                message = ("{}: cert will expire in {} days".
+                           format(cert, remaining_days))
+                exit_code = CRITICAL
                break
+
+            if remaining_days < CERT_EXPIRY_WARN_LIMIT:
+                message = ("{}: cert will expire in {} days".
+                           format(cert, remaining_days))
+                exit_code = WARN
+                break
+
        except Exception as exc:
            message = "failed to check cert '{}': {}".format(cert, str(exc))
-            exit_code = 1
+            exit_code = UNKNOWN
    else:
        message = "all certs healthy"
-        exit_code = 0
+        exit_code = SUCCESS

    ts = datetime.now()
    with open(output_path, 'w') as fd: