From b388a003b41b55b3b9c18903965d772d7c196396 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 2 Feb 2022 15:44:04 -0800
Subject: [PATCH] nagios: add checks for ssl certs on fcos and ocp4 endpoints, change to just checking proxy01

Add checks for ssl certs on fcos openshift endpoints. Add checks for ocp4 wildcard certs. Change check to only use proxy01/proxy01.stg instead of all proxies. Ideally we really do want to check all proxies, but in practice this results in like 70 alerts anytime the cert is going to expire.

Signed-off-by: Kevin Fenzi
---
 .../files/nagios/services/ssl.cfg | 56 +++++++++++++++++--
 roles/nagios_server/tasks/main.yml | 1 +
 .../templates/nagios/hostgroups/other.cfg.j2 | 14 +++++
 3 files changed, 67 insertions(+), 4 deletions(-)
 create mode 100644 roles/nagios_server/templates/nagios/hostgroups/other.cfg.j2

diff --git a/roles/nagios_server/files/nagios/services/ssl.cfg b/roles/nagios_server/files/nagios/services/ssl.cfg
index 815e227241..9bce593099 100644
--- a/roles/nagios_server/files/nagios/services/ssl.cfg
+++ b/roles/nagios_server/files/nagios/services/ssl.cfg
@@ -1,19 +1,19 @@
 define service {
- hostgroup_name proxies
+ hostgroup_name oneproxy
 service_description https-admin.fedoraproject.org
 check_command check_ssl_cert!admin.fedoraproject.org!60
 use defaulttemplate
 }
 
 define service {
- hostgroup_name proxies
+ hostgroup_name oneproxy
 service_description https-fedoraproject.org-cert
 check_command check_ssl_cert!fedoraproject.org!60
 use defaulttemplate
 }
 
 define service {
- hostgroup_name proxies
+ hostgroup_name oneproxy
 service_description https-translate.fedoraproject.org-cert
 check_command check_ssl_cert!translate.fedoraproject.org!60
 use defaulttemplate
@@ -27,7 +27,7 @@ define service {
 }
 
 define service {
- hostgroup_name proxies
+ hostgroup_name oneproxy
 service_description https-whatcanidoforfedora-cert
 check_command check_ssl_cert!whatcanidoforfedora.org!25
 use defaulttemplate
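Review bot: Switching these checks in ssl.cfg from `proxies` to `oneproxy` means a certificate that was not renewed or not deployed on any proxy other than proxy01 no longer raises an alert, and nothing in the file records that. The commit message accepts this trade-off, so it should be written next to the checks, e.g. `# cert expiry is checked via proxy01 only (hostgroup oneproxy); other proxies are not covered`. The same applies to the hunk at -27,7 and to the services added at the end of the file. With a single member, these checks also depend on proxy01 being reachable, so a proxy01 outage would presumably show up as certificate-check failures rather than as what it is.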
@@ -39,3 +39,51 @@ define service {
 check_command check_ssl_cert!pagure.io!25
 use defaulttemplate
 }
+
+# fedora coreos endpoints
+
+define service {
+ hostgroup_name oneproxy
+ service_description https-updates-coreos-cert
+ check_command check_ssl_cert!updates.coreos.fedoraproject.org!25
+ use defaulttemplate
+}
+
+define service {
+ hostgroup_name oneproxy
+ service_description https-raw-updates-coreos-cert
+ check_command check_ssl_cert!raw-updates.coreos.fedoraproject.org!25
+ use defaulttemplate
+}
+
+define service {
+ hostgroup_name oneproxy
+ service_description https-status-updates-coreos-cert
+ check_command check_ssl_cert!status.updates.coreos.fedoraproject.org!25
+ use defaulttemplate
+}
+
+define service {
+ hostgroup_name oneproxy
+ service_description https-status-raw-updates-coreos-cert
+ check_command check_ssl_cert!status.raw-updates.coreos.fedoraproject.org!25
+ use defaulttemplate
+}
+
+# ocp4 cluster prod
+
+define service {
+ hostgroup_name oneproxy
+ service_description https-ocp4-prod-cert
+ check_command check_ssl_cert!console-openshift-console.apps.ocp.fedoraproject.org!25
+ use defaulttemplate
+}
+
+# ocp4 cluster stg
+
+define service {
+ hostgroup_name oneproxy-stg
+ service_description https-ocp4-stg-cert
+ check_command check_ssl_cert!console-openshift-console.apps.ocp.stg.fedoraproject.org!25
+ use defaulttemplate
+}
diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml
index abf1411919..79f2ad5470 100644
--- a/roles/nagios_server/tasks/main.yml
+++ b/roles/nagios_server/tasks/main.yml
@@ -470,6 +470,7 @@
 - nomail.cfg
 - checkswap.cfg
 - checkraid.cfg
+ - other.cfg
 when: nagios_location == 'iad2_internal'
 tags:
 - nagios_server
diff --git a/roles/nagios_server/templates/nagios/hostgroups/other.cfg.j2 b/roles/nagios_server/templates/nagios/hostgroups/other.cfg.j2
new file mode 100644
index 0000000000..8cae25a95f
--- /dev/null
+++ b/roles/nagios_server/templates/nagios/hostgroups/other.cfg.j2
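Review bot: In the services added to ssl.cfg (hunk -39,3 +39,51), the two ocp4 checks each test a single console hostname, while the commit message says their purpose is to watch the ocp4 wildcard certs; the comments `# ocp4 cluster prod` and `# ocp4 cluster stg` do not say that. I would extend them, e.g. `# ocp4 cluster prod: the console route stands in for the apps wildcard cert`, so the check is not dropped or left stale if the console route changes. The new checks also pass 25 where the first three checks in this file pass 60; if that argument is the days-before-expiry threshold (the command definition is not in this diff), a one-line comment on why these endpoints get the shorter lead time would help whoever is on call.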
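Review bot: In roles/nagios_server/tasks/main.yml, `other.cfg` is added only to the list guarded by `when: nagios_location == 'iad2_internal'`, while services/ssl.cfg now references `oneproxy` and `oneproxy-stg` unconditionally. If ssl.cfg is also installed on a Nagios instance with a different `nagios_location` (not visible in this diff), those hostgroup names would not resolve there and the configuration check would be expected to fail, leaving that instance unable to reload. Either confirm that ssl.cfg only ships to the same location, or install other.cfg wherever ssl.cfg goes. The task this list belongs to starts above the hunk, so which template directory the list feeds is assumed from the new file's path.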
@@ -0,0 +1,14 @@
+
+define hostgroup {
+ hostgroup_name oneproxy
+ alias just one proxy
+ members proxy01.iad2.fedoraproject.org
+
+}
+
+define hostgroup {
+ hostgroup_name oneproxy-stg
+ alias just one proxy in staging
+ members proxy01.stg.iad2.fedoraproject.org
+
+}