ouranos/ansible/certbot/cert-metrics.sh.j2
Robert Helewka 0a053c1cd6 Refactor HAProxy configuration and certificate management
- Updated HAProxy configuration template to reflect changes for the Taurus Production Environment, including SSL settings and rate limiting for specific endpoints.
- Introduced new playbooks for certificate distribution and validation with OCI Vault, ensuring certificates are correctly managed and renewed.
- Added hooks for uploading renewed certificates to OCI Vault and validating their integrity.
- Enhanced the HAProxy configuration playbook to ensure proper service management and verification of the HAProxy service.
- Updated inventory variables for certificate management and ensured compatibility with the new structure.
2026-03-17 13:13:38 -04:00


#!/bin/bash
# Certificate metrics for Prometheus node_exporter textfile collector
# Managed by Ansible - DO NOT EDIT MANUALLY
#
# Writes metrics to: {{ prometheus_node_exporter_text_directory }}/ssl_cert.prom
# Metrics:
# ssl_certificate_expiry_timestamp - Unix timestamp when cert expires
# ssl_certificate_expiry_seconds - Seconds until expiry
# ssl_certificate_valid - 1 if valid, 0 if expired or missing
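set -euo pipefail

METRICS_DIR="{{ prometheus_node_exporter_text_directory }}"
METRICS_FILE="${METRICS_DIR}/ssl_cert.prom"
CERT_FILE="{{ haproxy_cert_path }}"
DOMAIN="{{ haproxy_domain }}"

# The temp file lives in METRICS_DIR so the final mv is a same-filesystem
# rename (atomic: node_exporter never observes a half-written file). The
# random suffix keeps the in-flight name outside the collector's *.prom glob.
TEMP_FILE=$(mktemp "${METRICS_DIR}/.ssl_cert.prom.XXXXXX")
# Clean up on every exit path (openssl/date failures, signals). After a
# successful mv the temp file no longer exists and rm -f is a no-op.
trap 'rm -f -- "${TEMP_FILE}"' EXIT

#######################################
# Escape a string for use as a Prometheus label value.
# The exposition format requires backslash, double quote and newline to be
# escaped; dropping characters (the old tr -d '"') silently altered the value.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
escape_label() {
  local v=$1
  v=${v//\\/\\\\}
  v=${v//\"/\\\"}
  v=${v//$'\n'/\\n}
  printf '%s' "${v}"
}

#######################################
# Append the three ssl_certificate_* samples to TEMP_FILE.
# Globals:   TEMP_FILE, DOMAIN (read)
# Arguments: $1 - issuer label value (raw; escaped here)
#            $2 - expiry Unix timestamp
#            $3 - seconds until expiry (may be negative)
#            $4 - validity flag, 1 or 0
#######################################
write_metrics() {
  local issuer expiry_ts expiry_secs valid labels
  issuer=$(escape_label "$1")
  expiry_ts=$2
  expiry_secs=$3
  valid=$4
  labels="domain=\"$(escape_label "${DOMAIN}")\",issuer=\"${issuer}\""
  {
    printf 'ssl_certificate_expiry_timestamp{%s} %s\n' "${labels}" "${expiry_ts}"
    printf 'ssl_certificate_expiry_seconds{%s} %s\n' "${labels}" "${expiry_secs}"
    printf 'ssl_certificate_valid{%s} %s\n' "${labels}" "${valid}"
  } >> "${TEMP_FILE}"
}

# Write metric headers
cat > "${TEMP_FILE}" << 'EOF'
# HELP ssl_certificate_expiry_timestamp Unix timestamp when the SSL certificate expires
# TYPE ssl_certificate_expiry_timestamp gauge
# HELP ssl_certificate_expiry_seconds Seconds until the SSL certificate expires
# TYPE ssl_certificate_expiry_seconds gauge
# HELP ssl_certificate_valid Whether the SSL certificate is valid (1) or expired/missing (0)
# TYPE ssl_certificate_valid gauge
EOF

if [[ ! -f "${CERT_FILE}" ]]; then
  # Certificate file does not exist
  write_metrics "none" 0 0 0
else
  # Extract expiry date. Under set -e + pipefail a failing openssl (unreadable
  # or corrupt PEM) would otherwise abort the script before any sample is
  # written and leave the stale metrics file in place; the || keeps us on the
  # "could not parse" path so valid=0 is still reported.
  EXPIRY_DATE=$(openssl x509 -enddate -noout -in "${CERT_FILE}" 2>/dev/null | cut -d= -f2) \
    || EXPIRY_DATE=""
  if [[ -z "${EXPIRY_DATE}" ]]; then
    # Could not parse certificate
    write_metrics "unknown" 0 0 0
  else
    # Convert to Unix timestamp (GNU date -d); a parse failure yields 0,
    # which makes EXPIRY_SECONDS negative and the cert reported as invalid.
    EXPIRY_TIMESTAMP=$(date -d "${EXPIRY_DATE}" +%s 2>/dev/null || echo "0")
    CURRENT_TIMESTAMP=$(date +%s)
    EXPIRY_SECONDS=$((EXPIRY_TIMESTAMP - CURRENT_TIMESTAMP))
    if (( EXPIRY_SECONDS > 0 )); then
      VALID=1
    else
      VALID=0
    fi
    # Extract the issuer's O= component for the label. This value comes from
    # the certificate itself, not from this host's configuration, so it is
    # escaped in write_metrics rather than trusted verbatim.
    ISSUER=$(openssl x509 -issuer -noout -in "${CERT_FILE}" 2>/dev/null \
      | sed 's/.*O = \([^,]*\).*/\1/') || ISSUER="unknown"
    ISSUER=${ISSUER:-unknown}
    write_metrics "${ISSUER}" "${EXPIRY_TIMESTAMP}" "${EXPIRY_SECONDS}" "${VALID}"
  fi
fi

# Set permissions and atomic move. mktemp creates the file 0600, so the
# chmod must happen before the rename or node_exporter cannot read it.
chmod 644 "${TEMP_FILE}"
# Best-effort: failure (e.g. not running as root) is not fatal.
chown prometheus:prometheus "${TEMP_FILE}" 2>/dev/null || true
mv -f -- "${TEMP_FILE}" "${METRICS_FILE}"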