commit e003c170444903a836d40eb1e77ec36fc8150aef
Author: Rodrigo Barbieri
Date: Fri Oct 2 16:31:38 2020 -0300

Add new nagios check for vault health

Improved check_vault_version.py to also check whether vault is sealed, therefore renaming it to check_vault_health.py. Registered the new check with NRPE and removed the old one. The alert of vault being sealed takes precedence over version checking.

Closes-bug: #1856025
Change-Id: I9b5ec739d27f35b793e91f61f070995105f80d06

diff --git a/src/files/nagios/check_vault_health.py b/src/files/nagios/check_vault_health.py
new file mode 100755
index 0000000..3790b5c
--- /dev/null
+++ b/src/files/nagios/check_vault_health.py
@@ -0,0 +1,87 @@
+#!/usr/bin/python3
+
+#
+# Copyright 2017 Canonical Ltd.
+#
+# Author:
+# Paul Collins
+#
+
+import json
+import socket
+import ssl
+import sys
+
+from textwrap import dedent
+from urllib.request import urlopen
+
+VAULT_HEALTH_URL = 'http://127.0.0.1:8220/v1/sys/health?standbycode=200&'\
+ 'drsecondarycode=200&'\
+ 'performancestandbycode=200&'\
+ 'sealedcode=200&'\
+ 'uninitcode=200'
+VAULT_VERIFY_SSL = False
+
+SNAPD_INFO_REQUEST = dedent("""\
+ GET /v2/snaps/{snap} HTTP/1.1\r
+ Host:\r
+ \r
+ """)
+
+SNAPD_SOCKET = '/run/snapd.socket'
+
+
+def get_vault_snap_version():
+ with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as snapd:
+ snapd.connect(SNAPD_SOCKET)
+ snapd.sendall(SNAPD_INFO_REQUEST.format(snap='vault').encode('utf-8'))
+ # TODO(pjdc): This should be a loop.
+ info = json.loads(
+ snapd.recv(1024 * 1024).decode('utf-8').split('\n')[-1])
+ version = info['result']['version']
+ if version.startswith('v'):
+ version = version[1:]
+ return version
+
+
+def get_vault_server_health(verify=True):
+ ctx = None
+ if not verify:
+ ctx = ssl.create_default_context()
+ ctx.check_hostname = False
+ ctx.verify_mode = ssl.CERT_NONE
+
+ with urlopen(VAULT_HEALTH_URL, context=ctx) as health:
+ return json.loads(health.read().decode('utf-8'))
+
+
+if __name__ == '__main__':
+ try:
+ snapv = get_vault_snap_version()
+ except Exception as e:
+ print('CRITICAL: failed to fetch version of '
+ 'installed vault snap: {}'.format(e))
+ sys.exit(2)
+
+ try:
+ health = get_vault_server_health(verify=VAULT_VERIFY_SSL)
+ except Exception as e:
+ print('CRITICAL: failed to fetch health of '
+ 'running vault server: {}'.format(e))
+ sys.exit(2)
+
+ if health['sealed'] is True:
+ print('CRITICAL: vault is sealed.')
+ sys.exit(2)
+
+ serverv = health['version']
+ if serverv == snapv:
+ print('OK: running vault ({}) is the same '
+ 'as the installed snap ({})'.format(
+ serverv, snapv))
+ sys.exit(0)
+
+ print('WARNING: running vault ({}) is not the same '
+ 'as the installed snap ({})'.format(
+ serverv, snapv))
+ sys.exit(1)
diff --git a/src/files/nagios/check_vault_version.py b/src/files/nagios/check_vault_version.py
deleted file mode 100755
index 90b8c0b..0000000
--- a/src/files/nagios/check_vault_version.py
+++ /dev/null
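Review bot: The seal check in the `__main__` block fails open: `health['sealed']` and `health['version']` are read outside both `try` blocks, so a health response missing either key raises an uncaught `KeyError`, and the interpreter's exit status 1 is the code this script itself uses for WARNING rather than CRITICAL. The test `is True` likewise treats any value other than the literal boolean as unsealed; `if health.get('sealed') is not False:` would report anything but an explicit unsealed state as critical. `urlopen(VAULT_HEALTH_URL, context=ctx)` in get_vault_server_health passes no timeout, so a Vault that accepts the connection but never answers leaves the check blocked until whatever timeout the caller enforces; `urlopen(VAULT_HEALTH_URL, context=ctx, timeout=10)` bounds that (the value is only a suggestion). `VAULT_VERIFY_SSL = False` has no effect while the URL is plain `http://` on loopback, but it would disable certificate and hostname verification if the URL were ever switched to `https://`, which deserves a comment next to the constant.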
@@ -1,82 +0,0 @@
-#!/usr/bin/python3
-
-#
-# Copyright 2017 Canonical Ltd.
-#
-# Author:
-# Paul Collins
-#
-
-import json
-import socket
-import ssl
-import sys
-
-from textwrap import dedent
-from urllib.request import urlopen
-
-VAULT_HEALTH_URL = 'http://127.0.0.1:8220/v1/sys/health?standbycode=200&'\
- 'drsecondarycode=200&'\
- 'performancestandbycode=200&'\
- 'sealedcode=200&'\
- 'uninitcode=200'
-VAULT_VERIFY_SSL = False
-
-SNAPD_INFO_REQUEST = dedent("""\
- GET /v2/snaps/{snap} HTTP/1.1\r
- Host:\r
- \r
- """)
-
-SNAPD_SOCKET = '/run/snapd.socket'
-
-
-def get_vault_snap_version():
- with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as snapd:
- snapd.connect(SNAPD_SOCKET)
- snapd.sendall(SNAPD_INFO_REQUEST.format(snap='vault').encode('utf-8'))
- # TODO(pjdc): This should be a loop.
- info = json.loads(
- snapd.recv(1024 * 1024).decode('utf-8').split('\n')[-1])
- version = info['result']['version']
- if version.startswith('v'):
- version = version[1:]
- return version
-
-
-def get_vault_server_version(verify=True):
- ctx = None
- if not verify:
- ctx = ssl.create_default_context()
- ctx.check_hostname = False
- ctx.verify_mode = ssl.CERT_NONE
-
- with urlopen(VAULT_HEALTH_URL, context=ctx) as health:
- return json.loads(health.read().decode('utf-8'))['version']
-
-
-if __name__ == '__main__':
- try:
- snapv = get_vault_snap_version()
- except Exception as e:
- print('CRITICAL: failed to fetch version of '
- 'installed vault snap: {}'.format(e))
- sys.exit(2)
-
- try:
- serverv = get_vault_server_version(verify=VAULT_VERIFY_SSL)
- except Exception as e:
- print('CRITICAL: failed to fetch version of '
- 'running vault server: {}'.format(e))
- sys.exit(2)
-
- if serverv == snapv:
- print('OK: running vault ({}) is the same '
- 'as the installed snap ({})'.format(
- serverv, snapv))
- sys.exit(0)
-
- print('WARNING: running vault ({}) is not the same '
- 'as the installed snap ({})'.format(
- serverv, snapv))
- sys.exit(1)
diff --git a/src/reactive/vault_handlers.py b/src/reactive/vault_handlers.py
index 6393781..03d8ab6 100644
--- a/src/reactive/vault_handlers.py
+++ b/src/reactive/vault_handlers.py
@@ -1,4 +1,5 @@
 import base64
+import os
 import psycopg2
 import subprocess
 import tenacity
@@ -12,6 +13,7 @@ from charmhelpers.contrib.charmsupport.nrpe import (
 add_init_service_checks,
 get_nagios_hostname,
 get_nagios_unit_name,
+ remove_deprecated_check,
 )
 
 from charmhelpers.contrib.openstack.utils import (
@@ -380,15 +382,20 @@ def update_nagios(svc):
 hostname = get_nagios_hostname()
 current_unit = get_nagios_unit_name()
 nrpe = NRPE(hostname=hostname)
+ remove_deprecated_check(nrpe, ['vault_version'])
 add_init_service_checks(nrpe, ['vault'], current_unit)
+ try:
+ os.remove('/usr/lib/nagios/plugins/check_vault_version.py')
+ except FileNotFoundError:
+ pass
 write_file(
- '/usr/lib/nagios/plugins/check_vault_version.py',
- open('files/nagios/check_vault_version.py', 'rb').read(),
+ '/usr/lib/nagios/plugins/check_vault_health.py',
+ open('files/nagios/check_vault_health.py', 'rb').read(),
 perms=0o755)
 nrpe.add_check(
- 'vault_version',
- 'Check running vault server version is same as installed snap',
- '/usr/lib/nagios/plugins/check_vault_version.py',
+ 'vault_health',
+ 'Check running vault server version and health',
+ '/usr/lib/nagios/plugins/check_vault_health.py',
 )
 nrpe.write()
 set_state('vault.nrpe.configured')
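Review bot: The plugin source is read with a bare `open('files/nagios/check_vault_health.py', 'rb').read()` inside the `write_file(` call of update_nagios, so the handle is never closed explicitly, and the relative path resolves only if the handler's working directory is the charm root, which the hunk does not show. Reading it under `with open('files/nagios/check_vault_health.py', 'rb') as src:` and passing `src.read()` closes it deterministically. The installed path `/usr/lib/nagios/plugins/check_vault_health.py` is spelled out twice here, once for the write and once for `nrpe.add_check`, with the old path a third time in `os.remove`; module-level constants would keep the file that is written and the command that NRPE registers from drifting apart. update_nagios starts and ends outside the hunk.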