Commit f2e7981

Some improvements for apicert mode
1 parent 71b074a commit f2e7981

2 files changed

+24
-20
lines changed

README.md

Lines changed: 7 additions & 0 deletions
@@ -27,16 +27,19 @@ Nagios-style checks against Kubernetes API. Designed for usage with Nagios, Icin
2727
- Pod restart count in pods mode; default is 30
2828
- Job failed count in jobs mode; default is 1
2929
- Pvc storage utilization; default is 80%
30+
- API cert expiration days for apicert mode; default is 30
3031
-c CRIT Critical threshold for
3132
- Pod restart count (in pods mode); default is 150
3233
- Unbound Persistent Volumes in unboundpvs mode; default is 5
3334
- Job failed count in jobs mode; default is 2
3435
- Pvc storage utilization; default is 90%
36+
- API cert expiration days for apicert mode; default is 15
3537
-M EXIT_CODE Exit code when resource is missing; default is 2 (CRITICAL)
3638
-h Show this help and exit
3739

3840
Modes are:
3941
apiserver Not for kubectl, should be used for each apiserver independently
42+
apicert Check the apicert expiration date
4043
nodes Check for active nodes
4144
daemonsets Check for daemonsets readiness
4245
deployments Check for deployments availability
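Review bot: The new mode entry at line 42 still reads "Check the apicert expiration date", while the threshold lines added at 30 and 36 spell the term out as "API cert". Suggest "apicert Check the API server TLS certificate expiration date" so the modes list says what is actually inspected. The script side of this commit takes the host and port from the API server URL, so it would also help to note here that the mode is meant to be run with -H, in the same way the apiserver entry above carries "Not for kubectl".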
@@ -111,6 +114,10 @@ Check utilization if pvc (if consumes more than %):
111114
./check_kubernetes.sh -m pvc
112115
CRITICAL. Very high storage utilization on pvc prometheus-data: 93% (86106636288/157459890176 Bytes)
113116

117+
Check expiration date for API TLS certificate:
118+
./check_kubernetes.sh -m apicert -H https://<...>:6443 -T $TOKEN
119+
OK. API cert expires in 278 days
120+
114121

115122
## Brief mode (removed in v1.1.0)
116123
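Review bot: The example at line 118 passes -T $TOKEN, but the mode_apicert lines changed in this commit only take the host and port out of the -H URL and hand them to openssl s_client; nothing shown there reads the token. If the mode runs without it, drop -T from the example so operators do not place a bearer token on the command line of a check that does not need one. If the script does require it for this mode, say so in the sentence above the example.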

check_kubernetes.sh

Lines changed: 17 additions & 20 deletions
@@ -28,13 +28,13 @@ usage() {
2828
- Pod restart count in pods mode; default is 30
2929
- Job failed count in jobs mode; default is 1
3030
- Pvc storage utilization; default is 80%
31-
- APICERT expiration days for apicert mode; default is 30
31+
- API cert expiration days for apicert mode; default is 30
3232
-c CRIT Critical threshold for
3333
- Pod restart count (in pods mode); default is 150
3434
- Unbound Persistent Volumes in unboundpvs mode; default is 5
3535
- Job failed count in jobs mode; default is 2
3636
- Pvc storage utilization; default is 90%
37-
- APICERT expiration days for apicert mode; default is 15
37+
- API cert expiration days for apicert mode; default is 15
3838
-M EXIT_CODE Exit code when resource is missing; default is 2 (CRITICAL)
3939
-h Show this help and exit
4040
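Review bot: The help text at lines 31 and 37 does not say that the apicert thresholds are days remaining, where a lower number is worse (warn 30, crit 15), the opposite direction from the restart-count, failed-job and utilization thresholds listed next to them. Wording such as "API cert days left before expiration for apicert mode; default is 30" would make that explicit, and the README copy of this text should get the same wording.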
@@ -159,27 +159,24 @@ mode_apicert() {
159159
fi
160160
WARN=${WARN:-30}
161161
CRIT=${CRIT:-15}
162-
APICERT=$(echo "$APISERVER" | awk -F "//" '{ print $2 }' | awk -F ":" '{ print $1 }')
163-
APIPORT=$(echo "$APISERVER" | awk -F "//" '{ print $2 }' | awk -F ":" '{ print $2 }')
164-
APIPORT=${APIPORT:=443}
165-
timeout "$TIMEOUT" bash -c "</dev/tcp/$APICERT/$APIPORT" &>/dev/null
166-
if [ $? -ne 0 ]; then
167-
echo "APICERT is in UNKNOWN"
162+
APIHOST=$(echo "$APISERVER" | awk -F[/:] '{print $4}')
163+
APIPORT=$(echo "$APISERVER" | awk -F[/:] '{print $5}')
164+
APIPORT=${APIPORT:-443}
165+
enddate=$(echo | openssl s_client -connect "$APIHOST:$APIPORT" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | sed 's/notAfter=//' | xargs -r -0 date +%s -d)
166+
if [ -z "$enddate" ]; then
167+
echo "API cert expiration date is UNKNOWN"
168168
exit 3
169169
fi
170-
APICERTDATE=$(echo | openssl s_client -connect "$APICERT":"$APIPORT" 2>/dev/null | openssl x509 -noout -dates | grep notAfter | sed -e 's#notAfter=##')
171-
a=$(date -d "$APICERTDATE" +%s)
172-
b=$(date +%s)
173-
c=$((a-b))
174-
d=$((c/3600/24))
175-
echo "APICERT expires in $d days"
176-
if [ "$d" -gt "$WARN" ] && [ "$d" -gt "$CRIT" ]; then
177-
echo "APICERT is OK"
178-
elif [ "$d" -le "$WARN" ] && [ $d -gt "$CRIT" ]; then
179-
echo "APICERT is in WARN"
170+
nowdate=$(date +%s)
171+
diff=$((($enddate-$nowdate)/24/3600))
172+
OUTPUT="API cert expires in $diff days"
173+
if [ "$diff" -gt "$WARN" ] && [ "$diff" -gt "$CRIT" ]; then
174+
OUTPUT="OK. $OUTPUT"
175+
elif [ "$diff" -le "$WARN" ] && [ "$diff" -gt "$CRIT" ]; then
176+
OUTPUT="WARNING. $OUTPUT"
180177
EXITCODE=1
181-
elif [ "$d" -le "$CRIT" ]; then
182-
echo "APICERT is in CRIT"
178+
elif [ "$diff" -le "$CRIT" ]; then
179+
OUTPUT="CRITICAL. $OUTPUT"
183180
EXITCODE=2
184181
fi
185182
}
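Review bot: New line 165 runs openssl s_client with no time limit, whereas the removed line 165 wrapped the connection probe in timeout "$TIMEOUT"; a filtered or hung endpoint will now block the check until the monitoring system kills it, instead of returning UNKNOWN from the -z "$enddate" branch. Suggest prefixing the first openssl call with timeout "$TIMEOUT" and adding -servername "$APIHOST", since OpenSSL older than 1.1.1 sends no SNI unless asked and the server may then present a different certificate than the one clients of that hostname see. Also quote the awk separator as -F'[/:]' on lines 162 and 163: unquoted it is subject to shell pathname expansion, and the fixed field numbers 4 and 5 assume a scheme://host:port value, so a -H argument without the scheme or with an IPv6 literal yields the wrong host and port.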
