Initial version

Author: sergeymakinen

.github/workflows/goreleaser.yml

@@ -0,0 +1,31 @@
+on:
+  push:
+    tags:
+      - '*'
+name: goreleaser
+jobs:
+  GoReleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+      - name: Set build info
+        run: |
+          echo "USER=${whoami}" >> $GITHUB_ENV
+          echo "HOST=${hostname}" >> $GITHUB_ENV
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          USER: ${{ env.USER }}
+          HOST: ${{ env.HOST }}

.github/workflows/tests.yml

@@ -0,0 +1,45 @@
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 12 1 * *'
+name: tests
+jobs:
+  Test:
+    strategy:
+      fail-fast: false
+      matrix:
+        go-version:
+          - 1.14.x
+          - 1.15.x
+          - 1.16.x
+          - 1.x
+        os:
+          - ubuntu-latest
+          - windows-latest
+          - macos-latest
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Set git to turn off auto-converting line endings
+        run: git config --global core.autocrlf false
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Start containers
+        run: docker-compose -f testdata/docker/docker-compose.yml up -d
+        if: runner.os == 'Linux'
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Test (on Ubuntu)
+        run: go test -coverprofile=coverage.txt -covermode=atomic ./...
+        if: runner.os == 'Linux'
+      - name: Test (on macOS)
+        run: go test -short -coverprofile=coverage.txt -covermode=atomic ./...
+        if: runner.os == 'macOS'
+      - name: Test (on Windows)
+        run: go test -short -coverprofile=coverage.txt -covermode=atomic ./...
+        shell: cmd
+        if: runner.os == 'Windows'
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v1

.goreleaser.yml

@@ -0,0 +1,46 @@
+builds:
+  - id: ipsec_exporter
+    main: ./cmd/ipsec_exporter
+    ldflags: |
+      -s
+      -X github.com/prometheus/common/version.Version={{.Version}}
+      -X github.com/prometheus/common/version.Revision={{.FullCommit}}
+      -X github.com/prometheus/common/version.Branch={{.Branch}}
+      -X github.com/prometheus/common/version.BuildUser={{.Env.USER}}@{{.Env.HOST}}
+      -X github.com/prometheus/common/version.BuildDate={{time "20060102-15:04:05"}}
+    tags:
+      - netgo
+    env:
+      - CGO_ENABLED=0
+    targets:
+      - linux_amd64
+      - linux_386
+      - darwin_amd64
+      - windows_amd64
+      - windows_386
+      - freebsd_amd64
+      - freebsd_386
+      - openbsd_amd64
+      - openbsd_386
+      - netbsd_amd64
+      - netbsd_386
+      - dragonfly_amd64
+      - linux_arm
+      - linux_arm64
+      - freebsd_arm
+      - openbsd_arm
+      - netbsd_arm
+      - aix_ppc64
+      - linux_ppc64
+      - linux_ppc64le
+      - linux_mips64
+      - linux_mips64le
+      - linux_s390x
+
+archives:
+  - id: ipsec_exporter
+    builds:
+      - ipsec_exporter
+    format_overrides:
+      - goos: windows
+        format: zip

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2021, Sergey Makinen
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Makefile

@@ -0,0 +1,2 @@
+build:
+	go build -o ipsec_exporter ./cmd/ipsec_exporter

README.md

@@ -0,0 +1,62 @@
+# IPsec Exporter
+
+[![tests](https://github.com/sergeymakinen/ipsec_exporter/workflows/tests/badge.svg)](https://github.com/sergeymakinen/ipsec_exporter/actions?query=workflow%3Atests)
+[![Go Reference](https://pkg.go.dev/badge/github.com/sergeymakinen/ipsec_exporter.svg)](https://pkg.go.dev/github.com/sergeymakinen/ipsec_exporter)
+[![Go Report Card](https://goreportcard.com/badge/github.com/sergeymakinen/ipsec_exporter)](https://goreportcard.com/report/github.com/sergeymakinen/ipsec_exporter)
+[![codecov](https://codecov.io/gh/sergeymakinen/ipsec_exporter/branch/main/graph/badge.svg)](https://codecov.io/gh/sergeymakinen/ipsec_exporter)
+
+Export strongswan/libreswan IPsec stats to Prometheus.
+
+To run it:
+
+```bash
+make
+./ipsec_exporter [flags]
+```
+
+## Exported Metrics
+
+| Metric | Meaning | Labels
+| --- | --- | ---
+| ipsec_up | Was the last scrape successful. |
+| ipsec_uptime_seconds | Number of seconds since the daemon started. |
+| ipsec_workers_total | Number of worker threads. |
+| ipsec_idle_workers | Number of idle worker threads. |
+| ipsec_active_workers | Number of threads processing jobs. |
+| ipsec_queues | Number of queued jobs. | priority
+| ipsec_ike_sas | Number of currently registered IKE SAs. |
+| ipsec_half_open_ike_sas | Number of IKE SAs in half-open state. |
+| ipsec_pool_ips_total | Number of addresses in the pool. | name, address
+| ipsec_online_pool_ips | Number of leases online. | name, address
+| ipsec_offline_pool_ips | Number of leases offline. | name, address
+| ipsec_ike_sa_state | IKE SA state. Created: 0, connecting: 1, established: 2, passive: 3, rekeying: 4, rekeyed: 5, deleting: 6, destroying: 7. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips
+| ipsec_ike_sa_established_seconds | Number of seconds since the IKE SA has been established. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips
+| ipsec_child_sa_state | Child SA state. Created: 0, routed: 1, installing: 2, installed: 3, updating: 4, rekeying: 5, rekeyed: 6, retrying: 7, deleting: 8, deleted: 9, destroying: 10. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_bytes_in | Number of input bytes processed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_packets_in | Number of input packets processed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_bytes_out | Number of output bytes processed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_packets_out | Number of output packets processed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
+| ipsec_child_sa_installed_seconds | Number of seconds since the child SA has been installed. | ike_sa_name, ike_sa_uid, name, uid, mode, protocol, local_ts, remote_ts
+
+### Flags
+
+```bash
+./ipsec_exporter --help
+```
+
+* __`vici.address`:__ VICI socket address. Example: `unix:///var/run/charon.vici` or `tcp://127.0.0.1:4502`.
+* __`vici.timeout`:__ VICI socket connect timeout.
+* __`collector`:__ Collector type to scrape metrics with. `vici` or `ipsec`.
+* __`ipsec.command`:__ Command to scrape IPsec metrics when the collector is configured to an `ipsec` binary.
+* __`web.listen-address`:__ Address to listen on for web interface and telemetry.
+* __`web.telemetry-path`:__ Path under which to expose metrics.
+* __`log.level`:__ Logging level. `info` by default.
+* __`log.format`:__ Set the log target and format. Example: `logger:syslog?appname=bob&local=7`
+  or `logger:stdout?json=true`.
+
+### TLS and basic authentication
+
+The ipsec_exporter supports TLS and basic authentication.
+To use TLS and/or basic authentication, you need to pass a configuration file
+using the `--web.config.file` parameter. The format of the file is described
+[in the exporter-toolkit repository](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md).

cmd/ipsec_exporter/main.go

@@ -0,0 +1,85 @@
+package main
+
+import (
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/go-kit/kit/log/level"
+	"github.com/google/shlex"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/prometheus/common/promlog"
+	"github.com/prometheus/common/promlog/flag"
+	"github.com/prometheus/common/version"
+	"github.com/prometheus/exporter-toolkit/web"
+	webflag "github.com/prometheus/exporter-toolkit/web/kingpinflag"
+	"github.com/sergeymakinen/ipsec_exporter/exporter"
+	"gopkg.in/alecthomas/kingpin.v2"
+)
+
+type cmdValue []string
+
+func (c *cmdValue) Set(s string) (err error) {
+	*c, err = shlex.Split(s)
+	return
+}
+
+func (c cmdValue) String() string { return strings.Join(c, " ") }
+
+func newCmd(s kingpin.Settings) (target *[]string) {
+	target = new([]string)
+	s.SetValue((*cmdValue)(target))
+	return
+}
+
+func main() {
+	var (
+		address       = kingpin.Flag("vici.address", "VICI socket address.").PlaceHolder(`"` + viciDefaultAddress + `"`).Default(viciDefaultAddress).URL()
+		timeout       = kingpin.Flag("vici.timeout", "VICI socket connect timeout.").Default("1s").Duration()
+		collector     = kingpin.Flag("collector", "Collector type to scrape metrics with. One of: [vici, ipsec]").Default("vici").Enum("vici", "ipsec")
+		ipsecCmd      = newCmd(kingpin.Flag("ipsec.command", "Command to scrape IPsec metrics from.").PlaceHolder(`"ipsec statusall"`).Default("ipsec statusall"))
+		webConfig     = webflag.AddFlags(kingpin.CommandLine)
+		listenAddress = kingpin.Flag("web.listen-address", "Address to listen on for web interface and telemetry.").Default(":9844").String()
+		metricsPath   = kingpin.Flag("web.telemetry-path", "Path under which to expose metrics.").Default("/metrics").String()
+	)
+	promlogConfig := &promlog.Config{}
+	flag.AddFlags(kingpin.CommandLine, promlogConfig)
+	kingpin.HelpFlag.Short('h')
+	kingpin.Version(version.Print("ipsec_exporter"))
+	kingpin.Parse()
+	logger := promlog.New(promlogConfig)
+
+	level.Info(logger).Log("msg", "Starting ipsec_exporter", "version", version.Info())
+	level.Info(logger).Log("msg", "Build context", "context", version.BuildContext())
+
+	prometheus.MustRegister(version.NewCollector("ipsec_exporter"))
+	collectorType := exporter.CollectorVICI
+	if *collector == "ipsec" {
+		collectorType = exporter.CollectorIpsec
+	}
+	exporter, err := exporter.New(collectorType, *address, *timeout, *ipsecCmd, logger)
+	if err != nil {
+		level.Error(logger).Log("msg", "Error creating the exporter", "err", err)
+		os.Exit(1)
+	}
+	prometheus.MustRegister(exporter)
+
+	http.Handle(*metricsPath, promhttp.Handler())
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte(`<html>
+             <head><title>IPsec Exporter</title></head>
+             <body>
+             <h1>IPsec Exporter</h1>
+             <p><a href='` + *metricsPath + `'>Metrics</a></p>
+             </body>
+             </html>`))
+	})
+
+	level.Info(logger).Log("msg", "Listening on address", "address", *listenAddress)
+	srv := &http.Server{Addr: *listenAddress}
+	if err := web.ListenAndServe(srv, *webConfig, logger); err != nil {
+		level.Error(logger).Log("msg", "Error running HTTP server", "err", err)
+		os.Exit(1)
+	}
+}

cmd/ipsec_exporter/main_other.go

@@ -0,0 +1,5 @@
+// +build !windows
+
+package main
+
+const viciDefaultAddress = "unix:///var/run/charon.vici"

cmd/ipsec_exporter/main_windows.go

@@ -0,0 +1,3 @@
+package main
+
+const viciDefaultAddress = "tcp://127.0.0.1:4502"