From 1b0096671955a754db5caee597b331951a307177 Mon Sep 17 00:00:00 2001
From: Seyeong Kim
Date: Tue, 30 Apr 2024 02:30:50 +0000
Subject: [PATCH] Making cert alert more critical

Curretnly, only gets warning until zeroday. Adding CRITICAL alert 30 days in advance. WARNING alert 60 days in advance.

Related-Bug: #2063814
Change-Id: I76a53b483070398d4ab9e40f6a1e167d46f47f96
---
 src/files/scripts/check_ovn_certs.py | 34 ++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/src/files/scripts/check_ovn_certs.py b/src/files/scripts/check_ovn_certs.py
index 420fbdf..e8c75b0 100755
--- a/src/files/scripts/check_ovn_certs.py
+++ b/src/files/scripts/check_ovn_certs.py
@@ -21,6 +21,13 @@ from cryptography.hazmat.backends import default_backend
 from cryptography import x509
 NAGIOS_PLUGIN_DATA = '/usr/local/lib/nagios/juju_charm_plugin_data'
+UNKNOWN = 3
+CRITICAL = 2
+WARN = 1
+SUCCESS = 0
+
+CERT_EXPIRY_CRITICAL_LIMIT = 30
+CERT_EXPIRY_WARN_LIMIT = 60
 class SSLCertificate(object):
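Review bot: `CERT_EXPIRY_CRITICAL_LIMIT` and `CERT_EXPIRY_WARN_LIMIT` carry no unit, and the comparisons that give them meaning sit in a different hunk. A comment above them such as `# Days of remaining validity below which the check reports CRITICAL / WARN` would make the thresholds self-explaining. The four status values could likewise get `# Nagios plugin exit codes`, since `SUCCESS` and `WARN` differ from the usual OK/WARNING names.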
@@ -47,36 +54,43 @@ def check_ovn_certs():
 if not os.path.isdir(NAGIOS_PLUGIN_DATA):
 os.makedirs(NAGIOS_PLUGIN_DATA)
- exit_code = 0
+ exit_code = SUCCESS
 for cert in ['/etc/ovn/cert_host', '/etc/ovn/ovn-central.crt']:
 if not os.path.exists(cert):
 message = "cert '{}' does not exist.".format(cert)
- exit_code = 2
+ exit_code = CRITICAL
 break
 if not os.access(cert, os.R_OK):
 message = "cert '{}' is not readable.".format(cert)
- exit_code = 2
+ exit_code = CRITICAL
 break
 try:
 remaining_days = SSLCertificate(cert).days_remaining
 if remaining_days <= 0:
 message = "{}: cert has expired.".format(cert)
- exit_code = 2
+ exit_code = CRITICAL
 break
- if remaining_days < 10:
- message = ("{}: cert will expire soon (less than 10 days).".
- format(cert))
- exit_code = 1
+ if remaining_days < CERT_EXPIRY_CRITICAL_LIMIT:
+ message = ("{}: cert will expire in {} days".
+ format(cert, remaining_days))
+ exit_code = CRITICAL
 break
+
+ if remaining_days < CERT_EXPIRY_WARN_LIMIT:
+ message = ("{}: cert will expire in {} days".
+ format(cert, remaining_days))
+ exit_code = WARN
+ break
+
 except Exception as exc:
 message = "failed to check cert '{}': {}".format(cert, str(exc))
- exit_code = 1
+ exit_code = UNKNOWN
 else:
 message = "all certs healthy"
- exit_code = 0
+ exit_code = SUCCESS
 ts = datetime.now()
 with open(output_path, 'w') as fd:
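Review bot: The `except Exception` branch sets `exit_code = UNKNOWN` but, as far as the hunk shows, never leaves the loop, so a healthy result for the next certificate reaches the `else:` branch and overwrites the failure with "all certs healthy" / `SUCCESS`. For a certificate monitor that means an unparseable cert file can be reported as OK; adding `break` right after `exit_code = UNKNOWN` keeps the failure visible. Separately, every branch stops at the first finding, so a `WARN` on `/etc/ovn/cert_host` would hide an expired `/etc/ovn/ovn-central.crt`. The wider 60-day window makes that more likely, and recording the highest severity across both certs before reporting would avoid it. Indentation is lost on this page, so the loop/`else` nesting is inferred, and `check_ovn_certs` starts before and continues past the hunk.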