vault-ops/archiv/test/health-check.sh

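#!/usr/bin/env bash
# =====================================================
# VAULT AGENT HEALTH CHECK - Validates agent + certificates
#
# Usage: health-check.sh [APP_NAME]      (default: app88)
#
# Checks, in order: the per-app user service, the AppRole credential
# files, the rendered fullchain certificate, its remaining validity,
# and the agent's sink token.
#
# Exit codes: 0=OK, 1=WARNING, 2=CRITICAL
#   The overall code is the WORST individual check, so a single ❌
#   (status 2, e.g. missing credentials or an invalid token) is always
#   CRITICAL - it is not averaged away by the other checks passing.
#
# Requires GNU coreutils (stat -c), openssl; `vault` and `jq` are
# optional and their absence is reported as a WARNING, not a crash.
# =====================================================
set -euo pipefail

APP_NAME="${1:-app88}"
SERVICE_NAME="vault-agent-${APP_NAME}.service"
AGENT_DIR="${HOME}/.vault-agent-${APP_NAME}"
CERT_DIR="${HOME}/tls"
CERT_FILE="${CERT_DIR}/${APP_NAME}.test.fullchain.pem"
TOKEN_FILE="${AGENT_DIR}/token"

# Per-check status: 0=OK, 1=WARNING, 2=CRITICAL. All are initialised so
# `set -u` can never trip in the summary regardless of which branch ran.
SERVICE_STATUS=0
CREDS_STATUS=0
CERT_STATUS=0
VALIDITY_STATUS=0
TOKEN_STATUS=0
DAYS_AGE=""
TTL=""

#######################################
# True when a file is not readable/writable by group or other.
# Arguments: $1 - path (must exist)
# Returns:   0 if the octal mode ends in "00", 1 otherwise (or if stat fails)
#######################################
secret_perms_ok() {
  local mode
  mode=$(stat -c %a -- "$1" 2>/dev/null) || return 1
  [[ "${mode: -2}" == "00" ]]
}

#######################################
# Summary glyph for a status: ✅ for 0, otherwise the glyph in $2.
# Arguments: $1 - status integer, $2 - glyph for non-zero
# Outputs:   the glyph on stdout
#######################################
mark() {
  if [[ "$1" -eq 0 ]]; then
    echo '✅'
  else
    echo "$2"
  fi
}

echo "[health] Checking Vault Agent for ${APP_NAME}..."

# === CHECK 1: SERVICE STATUS ===
# A stopped agent makes every later check meaningless, so bail out here
# (the summary is intentionally not printed in this case).
if systemctl --user is-active --quiet "${SERVICE_NAME}"; then
  echo "[health] ✅ Service ${SERVICE_NAME}: running"
else
  echo "[health] ❌ Service ${SERVICE_NAME}: stopped"
  exit 2
fi

# === CHECK 2: CREDENTIALS ===
if [[ -f "${AGENT_DIR}/role_id" && -s "${AGENT_DIR}/role_id" && \
      -f "${AGENT_DIR}/secret_id" && -s "${AGENT_DIR}/secret_id" ]]; then
  echo "[health] ✅ Credentials: role_id (${AGENT_DIR}/role_id, $(wc -c < "${AGENT_DIR}/role_id") bytes)"
  echo "[health] ✅ Credentials: secret_id (${AGENT_DIR}/secret_id, $(wc -c < "${AGENT_DIR}/secret_id") bytes)"
  # The secret_id is effectively a password for the AppRole: if another
  # local user can read it they can log in as this app. Flag, don't fix.
  if ! secret_perms_ok "${AGENT_DIR}/secret_id"; then
    echo "[health] ⚠️ Credentials: secret_id is group/other-readable - chmod 600 ${AGENT_DIR}/secret_id"
    CREDS_STATUS=1
  fi
else
  echo "[health] ❌ Credentials: missing or empty"
  CREDS_STATUS=2
fi

# === CHECK 3: CERTIFICATE FILES ===
if [[ -f "${CERT_FILE}" && -s "${CERT_FILE}" ]]; then
  CERT_SIZE=$(wc -c < "${CERT_FILE}")
  # "Age" is the file's mtime (presumably the last time the agent rendered
  # it), not the certificate's notBefore - validity is checked separately.
  CERT_AGE=$(stat -c %Y -- "${CERT_FILE}")
  DAYS_AGE=$(( ($(date +%s) - CERT_AGE) / 86400 ))
  echo "[health] ✅ Certificate: ${CERT_FILE} (${CERT_SIZE} bytes, ${DAYS_AGE} days old)"
else
  echo "[health] ❌ Certificate: missing ${CERT_FILE}"
  CERT_STATUS=1
fi

# === CHECK 4: CERTIFICATE VALIDITY ===
if [[ -f "${CERT_FILE}" && -s "${CERT_FILE}" ]]; then
  # -checkend N succeeds only if the (first) cert in the file is still
  # valid N seconds from now. Check 0 first so an already-expired cert is
  # reported as CRITICAL rather than as "expires within 7 days".
  if ! openssl x509 -checkend 0 -noout -in "${CERT_FILE}" 2>/dev/null; then
    echo "[health] ❌ Certificate: Already expired (or unreadable) - rotation needed"
    VALIDITY_STATUS=2
  elif openssl x509 -checkend $((7*24*60*60)) -noout -in "${CERT_FILE}" 2>/dev/null; then
    echo "[health] ✅ Certificate: Valid for 7+ days"
  else
    echo "[health] ⚠️ Certificate: Expires within 7 days - rotation needed"
    VALIDITY_STATUS=1
  fi
  # RFC2253 gives a stable "CN=...,O=..." form across openssl versions
  # (the default "CN = ..." spacing differs between 1.0 and 1.1+). A file
  # openssl cannot parse is reported instead of aborting under set -e.
  if SUBJECT=$(openssl x509 -subject -noout -nameopt RFC2253 -in "${CERT_FILE}" 2>/dev/null); then
    echo "[health] 📋 Certificate: Subject ${SUBJECT#subject=}"
  else
    echo "[health] ❌ Certificate: ${CERT_FILE} is not a parseable X.509 certificate"
    VALIDITY_STATUS=2
  fi
else
  VALIDITY_STATUS=1
fi

# === CHECK 5: TOKEN VALIDITY ===
if [[ -f "${TOKEN_FILE}" && -s "${TOKEN_FILE}" ]]; then
  if ! secret_perms_ok "${TOKEN_FILE}"; then
    echo "[health] ⚠️ Token: ${TOKEN_FILE} is group/other-readable - chmod 600 it"
    TOKEN_STATUS=1
  fi
  if ! command -v vault >/dev/null 2>&1; then
    echo "[health] ⚠️ Token: cannot verify - vault CLI not on PATH"
    TOKEN_STATUS=1
  # The token is passed via the environment, never argv, so it does not
  # show up in `ps`. A single lookup both decides validity (exit status)
  # and yields the TTL (JSON), instead of two round-trips to Vault.
  elif LOOKUP=$(VAULT_TOKEN="$(<"${TOKEN_FILE}")" vault token lookup -format=json 2>/dev/null); then
    if command -v jq >/dev/null 2>&1; then
      TTL=$(jq -r '.data.ttl' <<<"${LOOKUP}" 2>/dev/null || echo "?")
    else
      TTL="?"
    fi
    echo "[health] ✅ Token: Valid (${TTL}s remaining)"
  else
    # `vault token lookup` also fails when VAULT_ADDR is unset or the
    # server is unreachable, so this is not proof the token itself is bad.
    echo "[health] ❌ Token: Invalid, expired, or Vault unreachable (check VAULT_ADDR)"
    TOKEN_STATUS=2
  fi
else
  echo "[health] ⚠️ Token: Missing (normal during startup)"
  TOKEN_STATUS=1
fi

# === SUMMARY ===
echo ""
echo "=================================================="
echo "[health] SUMMARY for ${APP_NAME}:"
echo "=================================================="
echo "Service: $(mark "${SERVICE_STATUS}" '❌')"
echo "Credentials: $(mark "${CREDS_STATUS}" '❌')"
echo "Certs: $(mark "${CERT_STATUS}" '⚠️ ')${DAYS_AGE:+${DAYS_AGE} days old}"
echo "Validity: $(mark "${VALIDITY_STATUS}" '⚠️ ')"
echo "Token: $(mark "${TOKEN_STATUS}" '❌')${TTL:+${TTL}s TTL}"

# === EXIT CODE ===
# Worst-of, not sum-of: with a sum, a lone CRITICAL (2) or CRITICAL +
# WARNING (3) would have been reported as WARNING.
OVERALL_STATUS=0
for s in "${SERVICE_STATUS}" "${CREDS_STATUS}" "${CERT_STATUS}" "${VALIDITY_STATUS}" "${TOKEN_STATUS}"; do
  if [[ "${s}" -gt "${OVERALL_STATUS}" ]]; then
    OVERALL_STATUS="${s}"
  fi
done
if [[ "${OVERALL_STATUS}" -eq 0 ]]; then
  echo "[health] 🎉 OVERALL: HEALTHY"
  exit 0
elif [[ "${OVERALL_STATUS}" -eq 1 ]]; then
  echo "[health] ⚠️ OVERALL: WARNING (some issues)"
  exit 1
else
  echo "[health] ❌ OVERALL: CRITICAL (major issues)"
  exit 2
fi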