Skip to content

A prometheus exporter for credhub that monitors credential age and certificate expiration

License

Notifications You must be signed in to change notification settings

orange-cloudfoundry/credhub_exporter

Repository files navigation

Credhub Prometheus Exporter Build Status

A Prometheus exporter for Credhub. The exporter currently only exports metrics related to credhub objects, including certificate objects (it does not yet provide metrics about the credhub server health such as error rates, response times, or total number of entries).

Installation

Binaries

Download the already existing binaries for your platform:

$ ./credhub_exporter <flags>

From source

Using the standard go install (you must have Go already installed in your local machine):

$ go install github.com/orange-cloudfoundry/credhub_exporter
$ credhub_exporter <flags>

Docker

To run the credhub exporter as a Docker container, run:

$ docker run -p 9358:9358 orangeopensource/credhub-exporter <flags>

Usage

UAA Client

In order to connect to the Credhub API a client-id and client-secret must be provided. The client-id must have the creadhub.read authority.

For example, to create a new client-id and client-secret with the right permissions:

uaac target https://<YOUR UAA URL> --skip-ssl-validation
uaac token client get <YOUR ADMIN CLIENT ID> -s <YOUR ADMIN CLIENT SECRET>
uaac client add prometheus-credhub \
  --name prometheus-credhub \
  --secret prometheus-credhub-client-secret \
  --authorized_grant_types client_credentials,refresh_token \
  --authorities credhub.read,credhub.write

Flags

Flag / Environment Variable Required Default Description
credhub.api_url
CREDHUB_EXPORTER_API_URL
Yes Credhub API URL
credhub.client-id
CREDHUB_EXPORTER_CLIENT_ID
Yes Credhub Client ID (must have the credhub.read scope)
credhub.client-secret
CREDHUB_EXPORTER_CLIENT_SECRET
Yes Credhub Client Secret
credhub.proxy
CREDHUB_EXPORTER_PROXY
No Socks proxy to open before connecting to credub
credhub.ca-certs-path
CREDHUB_EXPORTER_CA_CERTS_PATH
No Path to CA certificate to use when connecting credhub
filters.name-like
CREDHUB_EXPORTER_FILTER_NAMELIKE
No Fetch from server credentials whose name contains the query string (fetch all credentials when empty)
filters.path
CREDHUB_EXPORTER_FILTER_PATH
No Fetch from server credentials that exist under the provided path (ignored when --filters.name-like is not empty)
filters.generic-certificates
CREDHUB_EXPORTER_GENERIC_CERTIFICATES
No [] Json list of <regexp> to match against name of certificate objects fetched from server. Only certificate objects whose name match at least one regexp will have an associated metric emitted.
metrics.deployment-name
CREDHUB_EXPORTER_METRICS_DEPLOYMENT
Yes Credhub Bosh Deployment Name to be reported as the deployment metric label
metrics.namespace
CREDHUB_EXPORTER_METRICS_NAMESPACE
No credhub Metrics Namespace
metrics.environment
CREDHUB_EXPORTER_METRICS_ENVIRONMENT
Yes Credhub environment label to be attached to metrics
metrics.udpate-interval
CREDHUB_EXPORTER_METRICS_UPDATE_INTERVAL
No 6h Metrics update interval given as golang duration format
skip-ssl-verify
CREDHUB_EXPORTER_SKIP_SSL_VERIFY
No false Disable SSL Verify
web.listen-address
CREDHUB_EXPORTER_WEB_LISTEN_ADDRESS
No :9358 Address to listen on for web interface and telemetry
web.telemetry-path
CREDHUB_EXPORTER_WEB_TELEMETRY_PATH
No /metrics Path under which to expose Prometheus metrics
web.auth.username
CREDHUB_EXPORTER_WEB_AUTH_USERNAME
No Username for web interface basic auth
web.auth.password
CREDHUB_EXPORTER_WEB_AUTH_PASSWORD
No Password for web interface basic auth
web.tls.cert_file
CREDHUB_EXPORTER_WEB_TLS_CERTFILE
No Path to a file that contains the TLS certificate (PEM format). If the certificate is signed by a certificate authority, the file should be the concatenation of the server's certificate, any intermediates, and the CA's certificate
web.tls.key_file
CREDHUB_EXPORTER_WEB_TLS_KEYFILE
No Path to a file that contains the TLS private key (PEM format)

Metrics

The exporter returns the following credhub objects metrics:

Metric Description Labels
metrics.namespace_credential_created_at Unix timestamp of the creation of the last version of a given credential deployment, environment, id, name, path
metrics.namespace_certificate_expires_at Unix timestamp of the expiration time of a given certificate deployment, environment, id, name, path, index
metrics.namespace_last_scrap_error Number of credentials that the exporter failed to read during last scrape deployment, environment

Contributing

Refer to the contributing guidelines.

License

Apache License 2.0, see LICENSE.