Dzahn has submitted this change and it was merged.
Change subject: salt: add Icinga plugin to check for unaccepted keys
..
salt: add Icinga plugin to check for unaccepted keys
Add an Icinga plugin script to check for unaccepted
salt keys and install it on the master via the salt module.
Needs sudo to run salt-key. Fails if it can't get the key list,
otherwise counts them and alerts if >= 1.
Bug: T144801
Change-Id: If15055ca58673b12dfa0f64f214fece7335d1085
---
A modules/salt/files/check_unaccepted_keys
M modules/salt/manifests/master.pp
A modules/salt/manifests/monitoring.pp
3 files changed, 52 insertions(+), 0 deletions(-)
Approvals:
jenkins-bot: Verified
Dzahn: Looks good to me, approved
diff --git a/modules/salt/files/check_unaccepted_keys
b/modules/salt/files/check_unaccepted_keys
new file mode 100755
index 000..bcc1520
--- /dev/null
+++ b/modules/salt/files/check_unaccepted_keys
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Icinga plugin to check for unaccepted salt keys (T144801)
+# Daniel Zahn - Wikimedia Foundation Inc.
+
+key_list=$(sudo /usr/bin/salt-key -l un)
+
+if ! echo $key_list | grep -q Unaccepted ; then
+echo "UNKNOWN - failed to get key list"
+exit 3
+fi
+
+num_keys=$(echo $key_list | grep -v Unaccepted | wc -l)
+
+# echo $key_list
+# echo "There are ${num_keys} unaccepted keys"
+
+if [[ $num_keys -gt 0 ]] ; then
+echo "CRITICAL - ${num_keys} unaccepted salt keys"
+exit 2
+elif [[ $num_keys -eq 0 ]] ; then
+echo "OK - No unaccepted salt keys"
+exit 0
+fi
+
+echo "UNKOWN - check plugin script"
+exit 3
+
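Review bot: The count on the `num_keys=` line will always be 0, because `echo $key_list` is unquoted. Word splitting folds the multi-line salt-key output into a single line, that line contains the "Unaccepted" header the first grep looks for, and `grep -v Unaccepted` then discards it. The plugin therefore reports OK however many keys are pending, so a minion key awaiting acceptance never raises an alert. Quote the variable in both pipelines: `if ! echo "$key_list" | grep -q Unaccepted ; then` and `num_keys=$(echo "$key_list" | grep -v Unaccepted | wc -l)`. The final fallback message also misspells UNKNOWN as `UNKOWN`, which matters if anything matches on the status text.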
diff --git a/modules/salt/manifests/master.pp b/modules/salt/manifests/master.pp
index c3d0e25..ed85cbc 100644
--- a/modules/salt/manifests/master.pp
+++ b/modules/salt/manifests/master.pp
@@ -90,4 +90,5 @@
}
include salt::orchestration
+include salt::monitoring
}
diff --git a/modules/salt/manifests/monitoring.pp
b/modules/salt/manifests/monitoring.pp
new file mode 100644
index 000..c2974e1
--- /dev/null
+++ b/modules/salt/manifests/monitoring.pp
@@ -0,0 +1,24 @@
+# Let Icinga check for unaccepted salt keys (T144801)
+class salt::monitoring() {
+
+$check_unaccepted_keys =
'/usr/local/lib/nagios/plugins/check_unaccepted_keys'
+
+file { $check_unaccepted_keys:
+ensure => present,
+mode => '0550',
+owner => 'root',
+group => 'root',
+source => 'puppet:///modules/salt/check_unaccepted_keys',
+}
+
+sudo::user { 'nagios_unaccepted_keys':
+user => 'nagios',
+privileges => ["ALL = NOPASSWD: ${check_unaccepted_keys}"],
+}
+
+nrpe::monitor_service { 'salt_unaccepted_keys':
+description => 'unaccepted salt keys',
+nrpe_command => $check_unaccepted_keys,
+}
+
+}
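Review bot: The sudo rule and the NRPE command do not line up. The rule lets nagios run `${check_unaccepted_keys}` as root, but `nrpe_command` invokes the plugin without sudo and the file is installed 0550 root:root, so nagios presumably cannot execute it unless nrpe::monitor_service adds sudo itself (not visible here). The plugin's inner `sudo /usr/bin/salt-key -l un` is likewise not covered by this rule when the script runs as nagios. Either use `nrpe_command => "/usr/bin/sudo ${check_unaccepted_keys}",` or take the narrower grant: install the plugin 0555 and allow only `ALL = NOPASSWD: /usr/bin/salt-key -l un`, so that just the one privileged command runs as root.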
--
To view, visit https://gerrit.wikimedia.org/r/311079
Gerrit-MessageType: merged
Gerrit-Change-Id: If15055ca58673b12dfa0f64f214fece7335d1085
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn
Gerrit-Reviewer: Dzahn
Gerrit-Reviewer: jenkins-bot <>