Merge pull request #12 from wbollock/fix/ou_cert_mapping

Fix/ou cert mapping

.github/workflows/tests.yml

@@ -17,7 +17,7 @@ jobs:
         run: docker compose build
 
       - name: Download venom
-        run: curl https://github.com/ovh/venom/releases/download/v1.1.0/venom.linux-amd64 -L -o /usr/local/bin/venom && chmod +x /usr/local/bin/venom
+        run: curl https://github.com/ovh/venom/releases/download/v1.2.0/venom.linux-amd64 -L -o /usr/local/bin/venom && chmod +x /usr/local/bin/venom
 
       - name: Run test
         run: venom run tests.yml

.tool-versions

@@ -0,0 +1 @@
+venom 1.2.0

README.md

@@ -43,7 +43,8 @@ Flags:
       --prometheus                  Enable prometheus exporter, default if nothing else
       --refresh-interval duration   How many sec between metrics update (default 1m0s)
       --batch-size-percent          How large of a batch of certificates to get data for at once, supports floats (e.g 0.0 - 100.0) (default 1)
-  -v, --verbose                     Enable verbose
+      --log-level                   Set log level (options: info, warn, error, debug)
+  -v, --verbose                     (deprecated) Enable verbose logging. Defaults to debug level logging
 
 Use " [command] --help" for more information about a command.
 ```
@@ -90,11 +91,23 @@ level=error msg="failed to get certificate for pki/26:97:08:32:44:40:30:de:11:5z
 
 Your batch size is probably too high.
 
+## Certificate Selection
+
+Any certificate with a unique subject common name and organizational unit is considered for metrics. If a certificate is renewed in place with the same CN and OU, it will still retain the same time series to avoid false alarms.
+
+Revoked certificates are not considered for metrics and their time series will be deleted when an "active" certificate is deleted.
+
+Expired certificates still retain their time series too.
+
+## PKI Engine Selection
+
+Right now the exporter will find any Vault PKI secrets engines and attempt to get certs for all of them. PKI secrets engines are currently not selectable by the exporter.
+
 ## Contributing
 
 ### Testing
 
-Venom is used for tests, run `sudo venom run tests.yml` to perform integration tests.
+Venom is used for tests, run `sudo venom run tests.yml` to perform integration tests. Make sure you have at least venom version 1.2.0.
 
 Unit tests would also most likely be welcome for contribution with go native tests.
 

cmd/main.go

@@ -2,9 +2,11 @@ package main
 
 import (
 	"fmt"
+	"log"
+	"log/slog"
+	"os"
 	"time"
 
-	log "github.com/aarnaud/vault-pki-exporter/pkg/logger"
 	"github.com/aarnaud/vault-pki-exporter/pkg/vault"
 	vaultMon "github.com/aarnaud/vault-pki-exporter/pkg/vault-mon"
 	"github.com/spf13/cobra"
@@ -37,41 +39,59 @@ func init() {
 		log.Fatal(err)
 	}
 
+	flags.String("log-level", "info", "Set log level (options: info, warn, error, debug)")
+	if err := viper.BindPFlag("log-level", flags.Lookup("log-level")); err != nil {
+		log.Fatal("Could not set log level:", err)
+	}
+
 	flags.BoolP("prometheus", "", false, "Enable prometheus exporter, default if nothing else")
 	if err := viper.BindPFlag("prometheus", flags.Lookup("prometheus")); err != nil {
-		log.Fatal(err)
+		log.Fatal("Could not bind prometheus flag:", err)
 	}
 
 	flags.BoolP("influx", "", false, "Enable InfluxDB Line Protocol")
 	if err := viper.BindPFlag("influx", flags.Lookup("influx")); err != nil {
-		log.Fatal(err)
+		log.Fatal("Could not bind influx flag:", err)
 	}
 
 	flags.Int("port", 9333, "Prometheus exporter HTTP port")
 	if err := viper.BindPFlag("port", flags.Lookup("port")); err != nil {
-		log.Fatal(err)
+		log.Fatal("Could not bind port flag:", err)
 	}
 
 	flags.Duration("fetch-interval", time.Minute, "How many sec between fetch certs on vault")
 	if err := viper.BindPFlag("fetch_interval", flags.Lookup("fetch-interval")); err != nil {
-		log.Fatal(err)
+		log.Fatal("Could not bind fetch-interval flag:", err)
 	}
 
 	flags.Duration("refresh-interval", time.Minute, "How many sec between metrics update")
 	if err := viper.BindPFlag("refresh_interval", flags.Lookup("refresh-interval")); err != nil {
-		log.Fatal(err)
+		log.Fatal("Could not bind refresh-interval flag:", err)
 	}
 
 	flags.Float64("batch-size-percent", 1, "loadCerts batch size percentage, supports floats (e.g 0.0 - 100.0)")
 	if err := viper.BindPFlag("batch_size_percent", flags.Lookup("batch-size-percent")); err != nil {
-		log.Fatal(err)
+		log.Fatal("Could not bind batch-size-percent flag:", err)
 	}
 }
 
 func main() {
+	cli.ParseFlags(os.Args[1:])
+
+	// preserve deprecated verbose flag
+	if viper.GetBool("verbose") {
+		setLogLevel("debug")
+	} else {
+		setLogLevel(viper.GetString("log-level"))
+		slog.Info("Log level initialized", "log-level", viper.GetString("log-level"))
+	}
+
+	// note mix of underscores and dashes
+	slog.Info("CLI flag values", "fetch-interval", viper.GetDuration("fetch_interval"), "refresh-interval", viper.GetDuration("refresh_interval"), "batch-size-percent", viper.GetFloat64("batch_size_percent") )
+
 	err := cli.Execute()
 	if err != nil {
-		log.Fatal(err)
+		log.Fatal("CLI execution failed:", err)
 	}
 }
 
@@ -83,13 +103,13 @@ func entrypoint() {
 	pkiMon := vaultMon.PKIMon{}
 	err := pkiMon.Init(vaultcli.Client)
 	if err != nil {
-		log.Errorln(err.Error())
+		slog.Error("PKIMon initialization failed", "error", err)
 	}
 
 	pkiMon.Watch(viper.GetDuration("fetch_interval"))
 
 	if viper.GetBool("prometheus") || !viper.GetBool("influx") {
-		log.Infoln("start prometheus exporter")
+		slog.Info("start prometheus exporter")
 		vaultMon.PromWatchCerts(&pkiMon, viper.GetDuration("refresh_interval"))
 		vaultMon.PromStartExporter(viper.GetInt("port"))
 	}
@@ -98,3 +118,23 @@ func entrypoint() {
 		vaultMon.InfluxWatchCerts(&pkiMon, viper.GetDuration("refresh_interval"), viper.GetBool("prometheus"))
 	}
 }
+
+// https://pkg.go.dev/log/slog#example-SetLogLoggerLevel-Log
+func setLogLevel(level string) {
+	var slogLevel slog.Level
+	switch level {
+	case "debug":
+		slogLevel = slog.LevelDebug
+	case "info":
+		slogLevel = slog.LevelInfo
+	case "warn":
+		slogLevel = slog.LevelWarn
+	case "error":
+		slogLevel = slog.LevelError
+	default:
+		slogLevel = slog.LevelInfo
+	}
+
+	handler := slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slogLevel})
+	slog.SetDefault(slog.New(handler))
+}

compose.yaml

@@ -28,6 +28,7 @@ services:
       - ./vault-pki-exporter
       - --fetch-interval=5s
       - --refresh-interval=5s
+      - --log-level=debug
     networks:
       - vault-pki-exporter
     ports: