Hi Frode, thanks for your reply.
If I read correctly, you are suggesting implementing the check on the application providing the certs, which in our case for OVN is Vault 100% of the time.
I see some pros and cons of this choice:
Pros:
* we get out-of-the-box monitoring for all certs provided by Vault, i.e. OpenStack API certs, Octavia certs, OVN certs etc.
Cons:
* We are only monitoring the certs that are in Vault. If the distribution of these certs fails (see LP#1940549), our monitoring will miss that, as it will think the certs are all renewed, but in reality the certs in the ovn-chassis or ovn-central units are still the old ones because Vault failed to provide the updated ones.
To be on the safe side, I think we should always monitor what is actually being used by the applications, so I would like to see these checks in the OVN charms.
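The distinction drawn above (checking what the provider issued versus what the consuming unit actually has on disk) can be made concrete with a small unit-side check. The following is an added example and not code from the OVN charms, Vault, or the commenter: it uses only the Python standard library, builds a constructed, unsigned DER certificate stand-in in code (real deployments would read the PEM/DER file the OVN service is configured with), extracts notAfter from it with a minimal DER walk, and compares the unit's certificate fingerprint with the fingerprint of the certificate the provider reports as issued. The function and constant names (`check_unit_cert`, `VAULT_FP`, `NOW`) and the warning/critical thresholds are assumptions made for the example.

```python
"""Added example: monitor the certificate a unit is actually using, not
only the provider's record.  Stdlib only; the DER certificate below is a
constructed stand-in, not a real signed X.509 certificate."""
import hashlib
from datetime import datetime, timedelta, timezone

# --- minimal DER encoder, only for constructing the sample cert ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

def _utctime(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

_SHA256_RSA_OID = _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")

def make_test_cert(not_before, not_after, serial):
    """Constructed, unsigned certificate stand-in (hypothetical): only the
    tbsCertificate field order that matters for expiry parsing is real."""
    tbs = _seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                   # [0] version v3
        _tlv(0x02, bytes([serial])),                        # serialNumber (< 128)
        _seq(_SHA256_RSA_OID),                              # signature algorithm
        _seq(),                                             # issuer (empty Name)
        _seq(_utctime(not_before), _utctime(not_after)),    # validity
        _seq(),                                             # subject (empty Name)
        _seq(),                                             # subjectPublicKeyInfo
    )
    return _seq(tbs, _seq(_SHA256_RSA_OID), _tlv(0x03, b"\x00"))  # no real signature

# --- minimal DER reader used by the check --------------------------------
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity -> notAfter."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, pos = _read_tlv(tbs, 0)         # [0] version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)     # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer
    _, validity, _ = _read_tlv(tbs, pos)
    _, _, p = _read_tlv(validity, 0)        # notBefore
    tag, value, _ = _read_tlv(validity, p)  # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def check_unit_cert(unit_cert_der, issued_fingerprint, now, warn_days=30, crit_days=7):
    """Nagios-style verdict for the cert installed on a unit.  A fingerprint
    mismatch means the provider issued a cert the unit never received."""
    if fingerprint(unit_cert_der) != issued_fingerprint:
        return ("CRITICAL", "cert on unit differs from cert issued by provider (distribution failed?)")
    days_left = (cert_not_after(unit_cert_der) - now).days
    if days_left <= crit_days:
        return ("CRITICAL", f"cert on unit expires in {days_left} days")
    if days_left <= warn_days:
        return ("WARNING", f"cert on unit expires in {days_left} days")
    return ("OK", f"cert on unit valid for {days_left} more days")

# --- constructed scenario: Vault renewed, one unit kept the old cert -----
NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)
OLD_CERT = make_test_cert(datetime(2020, 9, 1), datetime(2021, 9, 5), serial=1)
NEW_CERT = make_test_cert(datetime(2021, 9, 1), datetime(2022, 9, 1), serial=2)
VAULT_FP = fingerprint(NEW_CERT)            # what a provider-side check would see

if __name__ == "__main__":
    print("unit still on old cert:", check_unit_cert(OLD_CERT, VAULT_FP, NOW))
    print("unit on renewed cert:  ", check_unit_cert(NEW_CERT, VAULT_FP, NOW))
```

A provider-side check looking only at `NEW_CERT` reports everything renewed, while the unit-side check on the stale unit goes CRITICAL twice over: the fingerprint does not match what was issued, and the cert it actually serves expires in four days.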