Monitor OpenShift Routes in Prometheus

Usage

This nodejs application assumes that the container in which the application is running has already a valid OpenShift session. The entrypoint will try to autologin via a service account. So all you need is to create a image with the desired openschift installed:

FROM toolisticon/oc-routes-prometheus-exporter:latest

ENV SUMMARY="openshift-ssl-verify runtime image"
ENV DESCRIPTION="openshift-ssl-verify runtime"
ENV TZ="Europe/Berlin"
ENV OPENSHIFT_VERSION=3.10.0
ENV NVM_DIR="$HOME/.nvm"
ENV CONSOLE_LOG="true"
ENV LOG_LEVEL="INFO"

LABEL summary="$SUMMARY" \
      description="$DESCRIPTION" \
      io.k8s.description="$DESCRIPTION" \
      io.k8s.display-name="sslverify" \
      io.openshift.tags="security,sslverify,platform" \
      com.redhat.component="sslverify-container"

USER 0

# Update
RUN yum -y update && yum clean all && rm -rf /var/cache/yum

# Install oc and jq
RUN yum -y install centos-release-openshift-origin && \
    yum -y install origin-clients-${OPENSHIFT_VERSION} && \
    yum -y install epel-release && yum -y install jq

USER 1000

The pod should start with this output:

Now using node v8.15.0 (npm v6.4.1)
[2019-01-18T14:59:04.929Z] prometheus-exporter listening at 9000
[2019-01-18T15:00:00.005Z] Triggering check
[2019-01-18T15:00:00.006Z] Start reading route information.
[2019-01-18T15:00:05.133Z] Start triggering scan.

Sample Values

The metrics are available via via localhost:9000 on the pod:

security_ssl_mozilla_observatory{algorithm_version="2",end_time="1548079211000",grade="D",hidden="false",likelihood_indicator="MEDIUM",scan_id="9806703",score="35",start_time="1548079207000",state="FINISHED",status_code="404",tests_failed="3",tests_passed="9",tests_quantity="12",url="sample-config.sample.com",name="sample-config",namespace="project2",labels_app="myapp",labels_environment="dev",} 35.0
security_ssl_details{valid="true",valid_from="1545553135000",valid_to="1553329135000",days_remaining="60",url="api-test.sample.com",status="200",name="api-test",namespace="project1",labels_app="myapp",labels_environment="test",} 200.0
security_ssl_expire_days_remaining{url="api-test.sample.com",name="api-test",namespace="project1",labels_app="myapp",labels_environment="test",} 60.0

If you want to complete use

Configuration

You can override the config via environment variables:

   OPENSHIFT_MASTER_URL
   SERVER_PORT: // set desired port for prometheus endpoint, defaults to 9000
   CRON: // set cron pattern, default is '0 0 * * * *',
   LOG_LEVEL: // set log level, default is 'ERROR' ('INFO' outputs details info),
   CONSOLE_LOG: // set to true to omit logging to file, otherwise logs will be written to `logs` dir

You'll find a Grafana Dashboard here:

Troubleshooting

Access denied

If the service account does not have access to projects, you will see this message

Logged into "https://...:8443" as "system:serviceaccount:security:sslverify" using the token provided.

You don't have any projects. Contact your system administrator to request a project.
Welcome! See 'oc help' to get started.

SSL error

If you see this kind of error:

error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.

you are using the internal kubernetes host which might be secured by self-signed certificates. Either use the public endpoint with proper ssl certificates or install the certificate to the keystore.