Kevin Doran created NIFIREG-262:
-----------------------------------
Summary: Add TLS certificates self-health check to actuator `/health` endpoint
Key: NIFIREG-262
URL: https://issues.apache.org/jira/browse/NIFIREG-262
Project: NiFi Registry
Issue Type: New Feature
Reporter: Kevin Doran
Assignee: Kevin Doran

This feature idea started from a conversation with sd3 in Apache NiFi Slack:
https://apachenifi.slack.com/archives/C0L9UPWJZ/p1556638630001200

For folks that want to do external, automated monitoring, it is helpful if the
web services being monitored can perform some self-health checks and expose the
results in a web API (for example, a REST API endpoint that returns a JSON
formatted result of self-health checks).

For NiFi Registry, we have a {{GET /nifi-registry-api/actuator/health}}
endpoint that can be used.

This feature idea is to add a health check that runs on demand as part of that
endpoint that checks: if TLS is enabled (can get this from
nifi-registry.properties), loads the SSLContext and checks that the
certificates are valid and not expired. The results of this check, along with
the expiration timestamps, can be reported in the health check results so that
external monitoring tools (such as PagerDuty, Nagios, Prometheus Alert Manager,
etc.) could poll the endpoint, alert if the certs check fails, and trigger an
alert in advance if the expiration timestamp is close.

This also applies to Apache NiFi, although I am not familiar if a standard
{{/health}} endpoint already exists there or if one needs to be introduced.
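One way to implement the check described in this issue, as an added example that is not NiFi Registry's own code: a Spring Boot Actuator `HealthIndicator` that reads the keystore file directly (rather than going through the SSLContext, which does not expose its certificates) and reports each certificate's expiry timestamp. The class name, constructor parameters and detail keys are assumptions; the caller is assumed to pass a null path when TLS is not enabled in nifi-registry.properties.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import org.springframework.boot.actuate.health.Health;
import org.springframework.boot.actuate.health.HealthIndicator;

// Hypothetical class: name, constructor parameters and detail keys are assumptions.
public class TlsCertificateHealthIndicator implements HealthIndicator {
    private final Path keystorePath;       // null when TLS is not configured
    private final String keystoreType;     // "JKS" or "PKCS12"
    private final char[] keystorePassword;
    public TlsCertificateHealthIndicator(Path path, String type, char[] password) {
        this.keystorePath = path;
        this.keystoreType = type;
        this.keystorePassword = password;
    }
    @Override
    public Health health() {
        if (keystorePath == null) {
            return Health.up().withDetail("tlsEnabled", false).build();
        }
        Health.Builder result = Health.up().withDetail("tlsEnabled", true);
        try (InputStream in = Files.newInputStream(keystorePath)) {
            KeyStore keystore = KeyStore.getInstance(keystoreType);
            keystore.load(in, keystorePassword);
            for (String alias : Collections.list(keystore.aliases())) {
                Certificate cert = keystore.getCertificate(alias); // leaf certificate only
                if (!(cert instanceof X509Certificate)) continue;
                X509Certificate x509 = (X509Certificate) cert;
                // Always report expiry so monitors can alert before it is reached.
                result.withDetail(alias + ".notAfter", x509.getNotAfter().toInstant().toString());
                try {
                    x509.checkValidity(); // compares against the current time
                } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                    result.down().withDetail(alias + ".error", e.getClass().getSimpleName());
                }
            }
        } catch (Exception e) {
            // Unreadable keystore or wrong password: report the failure type, not secrets.
            return Health.down().withDetail("tlsEnabled", true).withDetail("error", e.getClass().getSimpleName()).build();
        }
        return result.build();
    }
}
```

Whether these details appear in the `/health` response depends on the actuator's `management.endpoint.health.show-details` setting; alias names and expiry dates become readable to anyone allowed to see them.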