A Prometheus/InfluxDB exporter for FreeIPA metrics

freeipa-health-metrics

A Prometheus/InfluxDB exporter for FreeIPA metrics that provides an indication of cluster health.

Requirements:

  • FreeIPA 4 or later
  • Golang 1.20 or later
  • FreeIPA user with admin privileges

Install

You can install either by downloading the latest binary release or by building.

Building

Building should be as simple as running:

go build

Running as a service

You will likely want to run the exporter as a service so that it starts at boot and restarts after a failure. Below is an example service config file. If you install the binary in /usr/local/bin/, you can place this file in /etc/systemd/system/freeipa-health-metrics.service on a Linux system to run the exporter as a service.

[Unit]
Description=FreeIPA Health Metrics
After=network.target
StartLimitIntervalSec=500
StartLimitBurst=5

[Service]
ExecStart=/usr/local/bin/freeipa-health-metrics
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

Once the service file is installed, you can run the following to start it:

systemctl daemon-reload
systemctl start freeipa-health-metrics.service

Config

The default configuration paths are:

  • ./config.yaml - A file in the current working directory.
  • ~/.config/freeipa-health-metrics/config.yaml - A file in your home directory's config path.
  • /etc/ipa/freeipa-health-metrics.yaml - A file in the IPA config folder.

For local monitoring

---
ldap:
  insecure_skip_verify: true
  connect_method: Secure
  base_dn: dc=example,dc=com
  bind_dn: uid=freeipa-health-metrics,cn=users,cn=accounts,dc=example,dc=com
  bind_password: PASSWORD

freeipa:
  krb5_realm: EXAMPLE.COM
  insecure_skip_verify: true
  username: freeipa-health-metrics
  password: PASSWORD

For remote monitoring

---
hostname: ipa1.example.com
ldap:
  insecure_skip_verify: true
  connect_method: Secure
  base_dn: dc=example,dc=com
  bind_dn: uid=freeipa-health-metrics,cn=users,cn=accounts,dc=example,dc=com
  bind_password: PASSWORD

freeipa:
  krb5_realm: EXAMPLE.COM
  insecure_skip_verify: true
  username: freeipa-health-metrics
  password: PASSWORD

  # Disable metrics which only work locally.
  disabled_metrics:
    - krb5_auth
    - krb5_workers
    - proxy_secret
    - group_members
    - ipa_cert_auto_renew
    - ldap_cert_auto_renew

Output to InfluxDB only

---
ldap:
  insecure_skip_verify: true
  connect_method: Secure
  base_dn: dc=example,dc=com
  bind_dn: uid=freeipa-health-metrics,cn=users,cn=accounts,dc=example,dc=com
  bind_password: PASSWORD

freeipa:
  krb5_realm: EXAMPLE.COM
  insecure_skip_verify: true
  username: freeipa-health-metrics
  password: PASSWORD

influx_output:
  frequency: 5m
  influx_server: http://example.com:8086
  token: INFLUX_TOKEN
  org: company
  bucket: freeipa

http:
  enabled: false
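
The example configs above keep bind_password, password and token in clear text and set insecure_skip_verify: true, so a pre-deployment check of the config file is worth having. The following Go program is an added example, not part of the exporter's code: auditConfig is a hypothetical helper that assumes the key names and layout shown in this README, and the sample input is constructed from the "Output to InfluxDB only" config.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// sample is constructed from this README's "Output to InfluxDB only" config.
const sample = "ldap:\n  insecure_skip_verify: true\n  bind_password: PASSWORD\n" +
	"influx_output:\n  influx_server: http://example.com:8086\n  token: INFLUX_TOKEN\n"
// auditConfig is a hypothetical helper: a line scan of this layout, not a YAML parser.
func auditConfig(perm os.FileMode, yaml string) []string {
	var findings []string
	if perm.Perm()&0o077 != 0 { // bind_password, password and token are clear text
		findings = append(findings, fmt.Sprintf("mode %04o lets non-owners read credentials", perm.Perm()))
	}
	section := ""
	for _, line := range strings.Split(yaml, "\n") {
		key, val, ok := strings.Cut(strings.TrimSpace(line), ":")
		val = strings.TrimSpace(val)
		switch {
		case !ok || strings.HasPrefix(key, "#"): // separator, list item or comment
		case val == "" && !strings.HasPrefix(line, " "):
			section = key // an unindented "name:" opens a section
		case key == "insecure_skip_verify" && val == "true":
			findings = append(findings, section+": TLS certificate verification is disabled")
		case key == "influx_server" && strings.HasPrefix(val, "http://"):
			findings = append(findings, section+": InfluxDB token is sent over plain HTTP")
		}
	}
	return findings
}

func main() {
	perm, yaml := os.FileMode(0o644), sample // constructed input by default
	if len(os.Args) > 1 {                    // or audit the file named as argument
		info, err1 := os.Stat(os.Args[1])
		data, err2 := os.ReadFile(os.Args[1])
		if err1 != nil || err2 != nil {
			fmt.Fprintln(os.Stderr, "cannot read config:", err1, err2)
			os.Exit(2)
		}
		perm, yaml = info.Mode(), string(data)
	}
	for _, f := range auditConfig(perm, yaml) {
		fmt.Println("WARN", f)
	}
}
```

Pass one of the default configuration paths listed under Config as the argument to audit a deployed file; with no argument it audits the constructed sample.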