Alex Monk has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/313805

Change subject: Make check_ssl warning/critical thresholds explicit and lower 
them on Let's Encrypt domains
......................................................................

Make check_ssl warning/critical thresholds explicit and lower them on Let's 
Encrypt domains

Bug: T144293
Change-Id: I03d1c3e85b404c3501fbb46b9d3ea18a096691a8
---
M manifests/role/archiva.pp
M manifests/role/dumps.pp
M manifests/role/icinga.pp
M manifests/role/tendril.pp
M modules/cassandra/manifests/instance/monitoring.pp
M modules/elasticsearch/manifests/https.pp
M modules/gerrit/manifests/proxy.pp
M modules/icinga/manifests/monitor/certs.pp
M modules/icinga/manifests/monitor/stream.pp
M modules/install_server/manifests/web_server.pp
M modules/librenms/manifests/web.pp
M modules/mirrors/manifests/serve.pp
M modules/nagios_common/files/check_commands/check_ssl.cfg
M modules/nagios_common/files/check_commands/check_sslxNN.cfg
M modules/role/manifests/cache/ssl/unified.pp
M modules/role/manifests/ganglia/web.pp
M modules/role/manifests/gerrit/server.pp
M modules/role/manifests/labs/openstack/nova.pp
M modules/role/manifests/lists/server.pp
M modules/tlsproxy/manifests/localssl.pp
M modules/toolserver_legacy/manifests/init.pp
21 files changed, 39 insertions(+), 32 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/05/313805/1

diff --git a/manifests/role/archiva.pp b/manifests/role/archiva.pp
index 4cdd1ca..c85e602 100644
--- a/manifests/role/archiva.pp
+++ b/manifests/role/archiva.pp
@@ -45,7 +45,7 @@
 
     monitoring::service { 'https_archiva':
         description   => 'HTTPS',
-        check_command => 'check_ssl_http!archiva.wikimedia.org',
+        check_command => 'check_ssl_http!archiva.wikimedia.org!60!30',
     }
 }
 
diff --git a/manifests/role/dumps.pp b/manifests/role/dumps.pp
index 1be8b6e..04cf403 100644
--- a/manifests/role/dumps.pp
+++ b/manifests/role/dumps.pp
@@ -12,7 +12,7 @@
 
     monitoring::service { 'https':
         description   => 'HTTPS',
-        check_command => 'check_ssl_http!dumps.wikimedia.org',
+        check_command => 'check_ssl_http!dumps.wikimedia.org!60!30',
     }
 
     # By default the resolve() function in ferm performs only an IPv4/A DNS
diff --git a/manifests/role/icinga.pp b/manifests/role/icinga.pp
index c40bf8a..e355164 100644
--- a/manifests/role/icinga.pp
+++ b/manifests/role/icinga.pp
@@ -48,7 +48,7 @@
 
     monitoring::service { 'https':
         description   => 'HTTPS',
-        check_command => 'check_ssl_http!icinga.wikimedia.org',
+        check_command => 'check_ssl_http!icinga.wikimedia.org!60!30',
     }
 
     class { '::icinga':            }
diff --git a/manifests/role/tendril.pp b/manifests/role/tendril.pp
index 18d82b5..2b735d3 100644
--- a/manifests/role/tendril.pp
+++ b/manifests/role/tendril.pp
@@ -10,7 +10,7 @@
 
     monitoring::service { 'https-tendril':
         description   => 'HTTPS-tendril',
-        check_command => 'check_ssl_http!tendril.wikimedia.org',
+        check_command => 'check_ssl_http!tendril.wikimedia.org!60!30',
     }
 
     class { '::tendril':
diff --git a/modules/cassandra/manifests/instance/monitoring.pp 
b/modules/cassandra/manifests/instance/monitoring.pp
index 14806a1..ce86801 100644
--- a/modules/cassandra/manifests/instance/monitoring.pp
+++ b/modules/cassandra/manifests/instance/monitoring.pp
@@ -39,7 +39,7 @@
     if hiera('cassandra::tls_cluster_name', '') {
         monitoring::service { "${service_name}-ssl":
             description   => "${service_name} SSL ${listen_address}:7001",
-            check_command => 
"check_ssl_http_on_host_port!${::hostname}-${instance_name}!${listen_address}!7001",
+            check_command => 
"check_ssl_http_on_host_port!${::hostname}-${instance_name}!${listen_address}!7001!60!30",
             contact_group => $contact_group,
         }
     }
diff --git a/modules/elasticsearch/manifests/https.pp 
b/modules/elasticsearch/manifests/https.pp
index 1de60f5..09ce1f1 100644
--- a/modules/elasticsearch/manifests/https.pp
+++ b/modules/elasticsearch/manifests/https.pp
@@ -40,7 +40,7 @@
     } -> ::monitoring::service { 'elasticsearch-https':
         ensure        => $ensure,
         description   => 'Elasticsearch HTTPS',
-        check_command => "check_ssl_http_on_port!${certificate_name}!9243",
+        check_command => 
"check_ssl_http_on_port!${certificate_name}!9243!60!30",
     }
 
     ::ferm::service { 'elastic-https':
diff --git a/modules/gerrit/manifests/proxy.pp 
b/modules/gerrit/manifests/proxy.pp
index 6aa665c..6fc41d0 100644
--- a/modules/gerrit/manifests/proxy.pp
+++ b/modules/gerrit/manifests/proxy.pp
@@ -9,6 +9,12 @@
         system_svc => 'apache2',
     }
 
+    monitoring::service { 'https':
+        description   => 'HTTPS',
+        check_command => "check_ssl_http!${host}!7!3",
+        contact_group => 'admins,gerrit',
+    }
+
     $ssl_settings = ssl_ciphersuite('apache', 'mid', true)
 
     apache::site { $host:
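Review bot: The `7!3` thresholds on the new `check_command` line are unexplained magic numbers; the commit subject says they are lowered for Let's Encrypt domains, so say so above the resource: `# Let's Encrypt certificate (short-lived, auto-renewed): warn at 7 days, critical at 3`. The same applies to `check_ssl_http!www.toolserver.org!7!3` in icinga::monitor::certs and to `$w = 7` / `$c = 3` in role::labs::openstack::nova. With a 3-day critical window there is little time to repair a broken renewer before the certificate lapses, so if the renewal job starts attempting earlier than 7 days before expiry (the schedule is not visible here), consider a warning threshold just below that point so repeated silent renewal failures surface sooner. The enclosing class gerrit::proxy starts outside the hunk.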
diff --git a/modules/icinga/manifests/monitor/certs.pp 
b/modules/icinga/manifests/monitor/certs.pp
index 36a4756..0080cda 100644
--- a/modules/icinga/manifests/monitor/certs.pp
+++ b/modules/icinga/manifests/monitor/certs.pp
@@ -10,7 +10,7 @@
     }
     monitoring::service { 'https_blog':
         description   => 'HTTPS-blog',
-        check_command => 'check_ssl_http!blog.wikimedia.org',
+        check_command => 'check_ssl_http!blog.wikimedia.org!60!30',
         host          => 'blog.wikimedia.org',
     }
 
@@ -20,7 +20,7 @@
     }
     monitoring::service { 'https_policy':
         description   => 'HTTPS-policy',
-        check_command => 'check_ssl_http!policy.wikimedia.org',
+        check_command => 'check_ssl_http!policy.wikimedia.org!60!30',
         host          => 'policy.wikimedia.org',
     }
 
@@ -30,13 +30,13 @@
     }
     monitoring::service { 'https_eventdonations':
         description   => 'HTTPS-eventdonations',
-        check_command => 'check_ssl_http!eventdonations.wikimedia.org',
+        check_command => 'check_ssl_http!eventdonations.wikimedia.org!60!30',
         host          => 'eventdonations.wikimedia.org',
     }
 
     monitoring::service { 'https_toolserver':
         description   => 'HTTPS-toolserver',
-        check_command => 'check_ssl_http!www.toolserver.org',
+        check_command => 'check_ssl_http!www.toolserver.org!7!3',
         host          => 'www.toolserver.org',
     }
 
@@ -46,14 +46,14 @@
     }
     monitoring::service { 'https_planet':
         description   => 'HTTPS-planet',
-        check_command => 'check_ssl_http!en.planet.wikimedia.org',
+        check_command => 'check_ssl_http!en.planet.wikimedia.org!60!30',
         host          => 'en.planet.wikimedia.org',
     }
 
     # *.wmflabs.org (labs wildcard cert, testing tools.wmflabs.org)
     monitoring::service { 'https_wmflabs':
         description   => 'HTTPS-wmflabs',
-        check_command => 'check_ssl_http!tools.wmflabs.org',
+        check_command => 'check_ssl_http!tools.wmflabs.org!60!30',
         host          => 'tools.wmflabs.org',
     }
 
@@ -63,7 +63,7 @@
     }
     monitoring::service { 'https_wmfusercontent':
         description   => 'HTTPS-wmfusercontent',
-        check_command => 'check_ssl_http!phab.wmfusercontent.org',
+        check_command => 'check_ssl_http!phab.wmfusercontent.org!60!30',
         host          => 'phab.wmfusercontent.org',
     }
 }
diff --git a/modules/icinga/manifests/monitor/stream.pp 
b/modules/icinga/manifests/monitor/stream.pp
index 61d28f7..a273523 100644
--- a/modules/icinga/manifests/monitor/stream.pp
+++ b/modules/icinga/manifests/monitor/stream.pp
@@ -6,7 +6,7 @@
 
     monitoring::service { 'stream_clients':
         description   => 'HTTPS stream.wikimedia.org',
-        check_command => 'check_ssl_http!stream.wikimedia.org',
+        check_command => 'check_ssl_http!stream.wikimedia.org!60!30',
         host          => 'stream.wikimedia.org',
         contact_group => 'admins',
     }
diff --git a/modules/install_server/manifests/web_server.pp 
b/modules/install_server/manifests/web_server.pp
index 5109b1c..51e7b7a 100644
--- a/modules/install_server/manifests/web_server.pp
+++ b/modules/install_server/manifests/web_server.pp
@@ -21,6 +21,7 @@
         puppet_svc => 'nginx',
         system_svc => 'nginx',
     }
+    // TODO: Monitor SSL?
 
     $ssl_settings = ssl_ciphersuite('nginx', 'mid', true)
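Review bot: The added `// TODO: Monitor SSL?` comment uses C++-style `//`, while every comment visible in the files touched by this change uses `#` (e.g. `# By default the resolve() function` in dumps.pp, `# ordering ensures` in unified.pp); the Puppet style guide only endorses `#` comments and puppet-lint's slash_comments check flags `//`, so write it as `# TODO: Monitor SSL?`. The same applies to the `//` comments added in mirrors::serve, role::cache::ssl::unified, tlsproxy::localssl and toolserver_legacy. The enclosing class starts outside the hunk.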
 
diff --git a/modules/librenms/manifests/web.pp 
b/modules/librenms/manifests/web.pp
index fbae33c..f2260c8 100644
--- a/modules/librenms/manifests/web.pp
+++ b/modules/librenms/manifests/web.pp
@@ -17,7 +17,7 @@
 
     monitoring::service { 'https':
         description   => 'HTTPS',
-        check_command => 'check_ssl_http!librenms.wikimedia.org',
+        check_command => 'check_ssl_http!librenms.wikimedia.org!60!30',
     }
 
     monitoring::service { 'librenms':
diff --git a/modules/mirrors/manifests/serve.pp 
b/modules/mirrors/manifests/serve.pp
index 5108c08..fcc0a6a 100644
--- a/modules/mirrors/manifests/serve.pp
+++ b/modules/mirrors/manifests/serve.pp
@@ -7,6 +7,7 @@
         puppet_svc => 'nginx',
         system_svc => 'nginx',
     }
+    // TODO: Monitor SSL?
 
     $ssl_settings = ssl_ciphersuite('nginx', 'mid', true)
 
diff --git a/modules/nagios_common/files/check_commands/check_ssl.cfg 
b/modules/nagios_common/files/check_commands/check_ssl.cfg
index 519a97e..035bea3 100644
--- a/modules/nagios_common/files/check_commands/check_ssl.cfg
+++ b/modules/nagios_common/files/check_commands/check_ssl.cfg
@@ -1,22 +1,22 @@
 # Verify a SSL certificate is valid and not going to expire
 define command{
     command_name    check_ssl_http
-    command_line    $USER1$/check_ssl --warning 60 --critical 30 -H 
$HOSTADDRESS$ -p 443 --cn $ARG1$
+    command_line    $USER1$/check_ssl --warning $ARG2$ --critical $ARG3$ -H 
$HOSTADDRESS$ -p 443 --cn $ARG1$
 }
 
 define command{
     command_name    check_ssl_http_on_port
-    command_line    $USER1$/check_ssl --warning 60 --critical 30 -H 
$HOSTADDRESS$ --cn $ARG1$ -p $ARG2$
+    command_line    $USER1$/check_ssl --warning $ARG3$ --critical $ARG4$ -H 
$HOSTADDRESS$ --cn $ARG1$ -p $ARG2$
 }
 
 define command{
     command_name    check_ssl_http_on_host_port
-    command_line    $USER1$/check_ssl --warning 60 --critical 30 --cn $ARG1$ 
-H $ARG2$ -p $ARG3$
+    command_line    $USER1$/check_ssl --warning $ARG4$ --critical $ARG5$ --cn 
$ARG1$ -H $ARG2$ -p $ARG3$
 }
 
 # check SSL certs on LDAP servers
 define command{
     command_name    check_ssl_ldap
-    command_line    $USER1$/check_ssl --warning 60 --critical 30 -H 
$HOSTADDRESS$ -p 636 --cn $ARG1$
+    command_line    $USER1$/check_ssl --warning $ARG2$ --critical $ARG3$ -H 
$HOSTADDRESS$ -p 636 --cn $ARG1$
 }
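Review bot: Every command here now depends on `$ARG2$`/`$ARG3$` (and `$ARG4$`/`$ARG5$` for the port variants) with no fallback, and Nagios expands an unset `$ARGn$` macro to an empty string, so any caller still invoking e.g. `check_ssl_http!host` would run `check_ssl --warning --critical -H …`, which most likely makes the plugin reject its options and silently stops the expiry check rather than failing loudly. `check_ssl_ldap` is parameterised the same way but no caller of it is updated in this change, so any existing invocation (none visible here) needs the extra arguments; the same concern applies to `check_sslxNN` in check_sslxNN.cfg. Document the contract in the file header: `# ARG1 = CN, ARG2 = warning days, ARG3 = critical days; all are required, an omitted $ARGn$ expands to empty and breaks the check`.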
 
diff --git a/modules/nagios_common/files/check_commands/check_sslxNN.cfg 
b/modules/nagios_common/files/check_commands/check_sslxNN.cfg
index 14395d6..e213306 100644
--- a/modules/nagios_common/files/check_commands/check_sslxNN.cfg
+++ b/modules/nagios_common/files/check_commands/check_sslxNN.cfg
@@ -1,5 +1,5 @@
 # special Wikimedia-specific check that checks *all* domains
 define command{
     command_name    check_sslxNN
-    command_line    $USER1$/check_sslxNN -H $HOSTADDRESS$ -p 443
+    command_line    $USER1$/check_sslxNN -H $HOSTADDRESS$ -p 443 --warning 
$ARG1$ --critical $ARG2$
 }
diff --git a/modules/role/manifests/cache/ssl/unified.pp 
b/modules/role/manifests/cache/ssl/unified.pp
index 2141f52..1b48973 100644
--- a/modules/role/manifests/cache/ssl/unified.pp
+++ b/modules/role/manifests/cache/ssl/unified.pp
@@ -5,7 +5,7 @@
     if ( $::realm == 'production' ) {
         monitoring::service { 'https':
             description   => 'HTTPS',
-            check_command => 'check_sslxNN',
+            check_command => 'check_sslxNN!60!30',
         }
 
         tlsproxy::localssl { 'unified':
@@ -27,6 +27,7 @@
             upstream_port  => 3127,
             redir_port     => 8080,
         }
+        // TODO: Monitor SSL? Also commented in tlsproxy::localssl
     }
 
     # ordering ensures nginx/varnish config/service-start are
diff --git a/modules/role/manifests/ganglia/web.pp 
b/modules/role/manifests/ganglia/web.pp
index 7b09929..e90be77 100644
--- a/modules/role/manifests/ganglia/web.pp
+++ b/modules/role/manifests/ganglia/web.pp
@@ -7,7 +7,7 @@
 
     monitoring::service { 'https':
         description   => 'HTTPS',
-        check_command => 'check_ssl_http!ganglia.wikimedia.org',
+        check_command => 'check_ssl_http!ganglia.wikimedia.org!60!30',
     }
 
     $gmetad_root = '/srv/ganglia'
diff --git a/modules/role/manifests/gerrit/server.pp 
b/modules/role/manifests/gerrit/server.pp
index ca975e6..e0ee686 100644
--- a/modules/role/manifests/gerrit/server.pp
+++ b/modules/role/manifests/gerrit/server.pp
@@ -4,14 +4,6 @@
         include role::backup::host
         include base::firewall
 
-        $host = hiera('gerrit::host')
-
-        monitoring::service { 'https':
-            description   => 'HTTPS',
-            check_command => "check_ssl_http!${host}",
-            contact_group => 'admins,gerrit',
-        }
-
         monitoring::service { 'gerrit_ssh':
             description   => 'SSH access',
             check_command => 'check_ssh_port!29418',
diff --git a/modules/role/manifests/labs/openstack/nova.pp 
b/modules/role/manifests/labs/openstack/nova.pp
index 5772c4e..718d046 100644
--- a/modules/role/manifests/labs/openstack/nova.pp
+++ b/modules/role/manifests/labs/openstack/nova.pp
@@ -49,6 +49,8 @@
     include role::labs::openstack::nova::common
     $novaconfig = $role::labs::openstack::nova::common::novaconfig
 
+    $w = 30
+    $c = 15
     case $::realm {
         'production': {
             $sitename = 'wikitech.wikimedia.org'
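Review bot: `$w = 30` / `$c = 15` added here are reassigned to `7` / `3` inside a `case` branch in the next hunk, but Puppet variables are immutable and conditional statements do not open a new scope, so catalogue compilation should fail with a "Cannot reassign variable" error on that realm. Drop the two assignments added here and put the production values inside the `'production'` branch after `$sitename`: `$w = 30` and `$c = 15`; the other branch then keeps its `7`/`3` unchanged. This leaves `$w`/`$c` undefined in the `default` branch, which already leaves `$sitename` undefined, so behaviour there is unchanged. The enclosing class starts outside the hunk.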
@@ -63,6 +65,8 @@
                 puppet_svc => 'apache2',
                 system_svc => 'apache2',
             }
+            $w = 7
+            $c = 3
         }
         default: {
             notify {"unknown realm ${::realm}; https cert will not be 
installed.":}
@@ -71,7 +75,7 @@
 
     monitoring::service { 'https':
         description   => 'HTTPS',
-        check_command => "check_ssl_http!${sitename}",
+        check_command => "check_ssl_http!${sitename}!${w}!${c}",
     }
 
     $ssl_settings = ssl_ciphersuite('apache', 'compat', true)
diff --git a/modules/role/manifests/lists/server.pp 
b/modules/role/manifests/lists/server.pp
index b6ef2c4..876dfc0 100644
--- a/modules/role/manifests/lists/server.pp
+++ b/modules/role/manifests/lists/server.pp
@@ -81,7 +81,7 @@
 
     monitoring::service { 'https':
         description   => 'HTTPS',
-        check_command => 'check_ssl_http!lists.wikimedia.org',
+        check_command => 'check_ssl_http!lists.wikimedia.org!60!30',
     }
 
     nrpe::monitor_service { 'procs_mailmanctl':
diff --git a/modules/tlsproxy/manifests/localssl.pp 
b/modules/tlsproxy/manifests/localssl.pp
index 3048b97..7775746 100644
--- a/modules/tlsproxy/manifests/localssl.pp
+++ b/modules/tlsproxy/manifests/localssl.pp
@@ -83,6 +83,7 @@
             puppet_svc => 'nginx',
             system_svc => 'nginx',
         }
+        // TODO: Maybe add monitoring to this in role::cache::ssl::unified
     }
 
     if $do_ocsp {
diff --git a/modules/toolserver_legacy/manifests/init.pp 
b/modules/toolserver_legacy/manifests/init.pp
index 8b41709..ab301ed 100644
--- a/modules/toolserver_legacy/manifests/init.pp
+++ b/modules/toolserver_legacy/manifests/init.pp
@@ -18,6 +18,7 @@
         puppet_svc => 'apache2',
         system_svc => 'apache2',
     }
+    // Monitored externally by icinga::monitor::certs due to this being run in 
labs...
 
     apache::site { 'www.toolserver.org':
         content => template('toolserver_legacy/www.toolserver.org.erb'),

-- 
To view, visit https://gerrit.wikimedia.org/r/313805

Gerrit-MessageType: newchange
Gerrit-Change-Id: I03d1c3e85b404c3501fbb46b9d3ea18a096691a8
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk <[email protected]>
