https://github.com/orange-cloudfoundry/credhub_exporter
A prometheus exporter for credhub that monitors credential age and certificate expiration
- Host: GitHub
- URL: https://github.com/orange-cloudfoundry/credhub_exporter
- Owner: orange-cloudfoundry
- License: apache-2.0
- Created: 2018-08-09T14:10:22.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2025-04-09T03:21:45.000Z (about 1 year ago)
- Last Synced: 2025-04-09T04:23:35.078Z (about 1 year ago)
- Topics: credhub, prometheus, prometheus-exporter
- Language: Go
- Homepage:
- Size: 6.72 MB
- Stars: 5
- Watchers: 7
- Forks: 8
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# Credhub Prometheus Exporter
A [Prometheus][prometheus] exporter for [Credhub][credhub]. The exporter currently only exports metrics related to credhub objects, including [certificate](https://github.com/cloudfoundry-incubator/credhub/blob/master/docs/credential-types.md) objects (it does not yet provide metrics about the credhub server health such as error rates, response times, or total number of entries).
## Installation
### Binaries
Download a prebuilt [binary][binaries] for your platform and run it:
```bash
$ ./credhub_exporter
```
### From source
Using the standard `go install` (you must have [Go][golang] already installed on your local machine):
```bash
# Module-aware Go needs an explicit version suffix when installing outside a module
$ go install github.com/orange-cloudfoundry/credhub_exporter@latest
$ credhub_exporter
```
### Docker
To run the credhub exporter as a Docker container, run:
```bash
$ docker run -p 9358:9358 orangeopensource/credhub-exporter
```
## Usage
### UAA Client
To connect to the [Credhub API][credhub_api], a `client-id` and `client-secret` must be provided. The `client-id` must have the `credhub.read` authority.
For example, to create a new `client-id` and `client-secret` with the right permissions:
```bash
# <YOUR_UAA_HOST>, <ADMIN_CLIENT_ID> and <ADMIN_CLIENT_SECRET> are placeholders for your own values
uaac target https://<YOUR_UAA_HOST> --skip-ssl-validation
uaac token client get <ADMIN_CLIENT_ID> -s <ADMIN_CLIENT_SECRET>
# Grant only credhub.read, the authority the exporter requires;
# replace the sample secret below with a generated one
uaac client add prometheus-credhub \
  --name prometheus-credhub \
  --secret prometheus-credhub-client-secret \
  --authorized_grant_types client_credentials,refresh_token \
  --authorities credhub.read
```
### Flags
| Flag / Environment Variable | Required | Default | Description |
|-----------------------------|----------|---------|-------------|
| `credhub.api_url`<br>`CREDHUB_EXPORTER_API_URL` | Yes | | Credhub API URL |
| `credhub.client-id`<br>`CREDHUB_EXPORTER_CLIENT_ID` | Yes | | Credhub Client ID (must have the `credhub.read` scope) |
| `credhub.client-secret`<br>`CREDHUB_EXPORTER_CLIENT_SECRET` | Yes | | Credhub Client Secret |
| `credhub.proxy`<br>`CREDHUB_EXPORTER_PROXY` | No | | Socks proxy to open before connecting to credhub |
| `credhub.ca-certs-path`<br>`CREDHUB_EXPORTER_CA_CERTS_PATH` | No | | Path to CA certificate to use when connecting to credhub |
| `filters.name-like`<br>`CREDHUB_EXPORTER_FILTER_NAMELIKE` | No | | Fetch from server credentials whose name contains the [query string](https://credhub-api.cfapps.io/#find-credentials) (fetch all credentials when empty) |
| `filters.path`<br>`CREDHUB_EXPORTER_FILTER_PATH` | No | | Fetch from server credentials that exist under the provided path (ignored when `--filters.name-like` is not empty) |
| `filters.generic-certificates`<br>`CREDHUB_EXPORTER_GENERIC_CERTIFICATES` | No | `[]` | JSON list of regexps to match against the names of certificate objects fetched from the server. Only certificate objects whose name matches at least one regexp will have an associated metric emitted. |
| `metrics.deployment-name`<br>`CREDHUB_EXPORTER_METRICS_DEPLOYMENT` | Yes | | Credhub Bosh Deployment Name to be reported as the `deployment` metric label |
| `metrics.namespace`<br>`CREDHUB_EXPORTER_METRICS_NAMESPACE` | No | `credhub` | Metrics Namespace |
| `metrics.environment`<br>`CREDHUB_EXPORTER_METRICS_ENVIRONMENT` | Yes | | Credhub `environment` label to be attached to metrics |
| `metrics.udpate-interval`<br>`CREDHUB_EXPORTER_METRICS_UPDATE_INTERVAL` | No | `6h` | Metrics update interval given as golang duration format |
| `skip-ssl-verify`<br>`CREDHUB_EXPORTER_SKIP_SSL_VERIFY` | No | `false` | Disable SSL verification |
| `web.listen-address`<br>`CREDHUB_EXPORTER_WEB_LISTEN_ADDRESS` | No | `:9358` | Address to listen on for web interface and telemetry |
| `web.telemetry-path`<br>`CREDHUB_EXPORTER_WEB_TELEMETRY_PATH` | No | `/metrics` | Path under which to expose Prometheus metrics |
| `web.auth.username`<br>`CREDHUB_EXPORTER_WEB_AUTH_USERNAME` | No | | Username for web interface basic auth |
| `web.auth.password`<br>`CREDHUB_EXPORTER_WEB_AUTH_PASSWORD` | No | | Password for web interface basic auth |
| `web.tls.cert_file`<br>`CREDHUB_EXPORTER_WEB_TLS_CERTFILE` | No | | Path to a file that contains the TLS certificate (PEM format). If the certificate is signed by a certificate authority, the file should be the concatenation of the server's certificate, any intermediates, and the CA's certificate |
| `web.tls.key_file`<br>`CREDHUB_EXPORTER_WEB_TLS_KEYFILE` | No | | Path to a file that contains the TLS private key (PEM format) |
### Metrics
The exporter exposes the following metrics for credhub objects:
| Metric | Description | Labels |
|--------------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------------|
| *metrics.namespace*_credential_created_at | Unix timestamp of the creation of the last version of a given credential | `deployment`, `environment`, `id`, `name`, `path` |
| *metrics.namespace*_certificate_expires_at | Unix timestamp of the expiration time of a given certificate | `deployment`, `environment`, `id`, `name`, `path`, `index` |
| *metrics.namespace*_last_scrap_error | Number of credentials that the exporter failed to read during last scrape | `deployment`, `environment` |
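
Prometheus alerting rules built on the three metrics above, as an added example that is not part of the project's README. The alert names, severities and the 30-day and 365-day thresholds are assumptions; the metric names assume the default `credhub` namespace.

```yaml
# Added example: alert names, severities and thresholds are assumptions,
# not project defaults. Metric names use the default `credhub` namespace
# (--metrics.namespace); adjust the prefix if you changed it.
groups:
  - name: credhub-credential-hygiene
    rules:
      # expires_at is a Unix timestamp, so subtracting time() gives the
      # number of seconds left before the certificate expires.
      - alert: CredhubCertificateExpiringSoon
        expr: credhub_certificate_expires_at - time() < 30 * 86400
        labels:
          severity: warning
        annotations:
          summary: >-
            Certificate {{ $labels.name }} (index {{ $labels.index }}) in
            {{ $labels.environment }}/{{ $labels.deployment }} expires in
            {{ $value | humanizeDuration }}

      # A zero or negative remainder means the certificate is already invalid.
      - alert: CredhubCertificateExpired
        expr: credhub_certificate_expires_at - time() <= 0
        labels:
          severity: critical
        annotations:
          summary: >-
            Certificate {{ $labels.name }} (index {{ $labels.index }}) in
            {{ $labels.environment }}/{{ $labels.deployment }} has expired

      # created_at is the creation time of the latest version, so its age
      # is the time since the credential was last rotated.
      - alert: CredhubCredentialNotRotated
        expr: time() - credhub_credential_created_at > 365 * 86400
        labels:
          severity: warning
        annotations:
          summary: >-
            Credential {{ $labels.name }} in {{ $labels.environment }} was
            last rotated {{ $value | humanizeDuration }} ago

      # Unreadable credentials emit no metric, so the alerts above cannot see them.
      - alert: CredhubExporterReadFailures
        expr: credhub_last_scrap_error > 0
        labels:
          severity: warning
        annotations:
          summary: >-
            {{ $value }} credentials could not be read in
            {{ $labels.environment }}/{{ $labels.deployment }}
```

With the default `6h` update interval, a newly issued or rotated credential can take up to six hours to appear in these expressions.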
## Contributing
Refer to the [contributing guidelines][contributing].
## License
Apache License 2.0, see [LICENSE][license].
[binaries]: https://github.com/orange-cloudfoundry/credhub_exporter/releases
[credhub]: https://github.com/cloudfoundry-incubator/credhub
[credhub_api]: https://credhub-api.cfapps.io/
[cloudfoundry]: https://www.cloudfoundry.org/
[contributing]: https://github.com/orange-cloudfoundry/credhub_exporter/blob/master/CONTRIBUTING.md
[faq]: https://github.com/bosh-prometheus/credhub_exporter/blob/master/FAQ.md
[golang]: https://golang.org/
[license]: https://github.com/orange-cloudfoundry/credhub_exporter/blob/master/LICENSE
[prometheus]: https://prometheus.io/
[prometheus-boshrelease]: https://github.com/bosh-prometheus/prometheus-boshrelease