[jira] [Created] (NIFIREG-262) Add TLS certificates self-health check to actuator `/health` endpoint

["Kevin Doran (JIRA)" <ji...@apache.org>]

Kevin Doran created NIFIREG-262:
-----------------------------------

             Summary: Add TLS certificates self-health check to actuator `/health` endpoint
                 Key: NIFIREG-262
                 URL: https://issues.apache.org/jira/browse/NIFIREG-262
             Project: NiFi Registry
          Issue Type: New Feature
            Reporter: Kevin Doran
            Assignee: Kevin Doran


This feature idea started from a conversation with sd3 in Apache NiFi Slack: 
https://apachenifi.slack.com/archives/C0L9UPWJZ/p1556638630001200 

For folks that want to do external, automated monitoring, it is helpful if the web services being monitored can perform some self-health checks and expose the results in a web api (for example, a REST API endpoint that returns a JSON formatted result of self-health checks). 

For NiFi Registry, we have a {{GET /nifi-registry-api/actuator/health}} endpoint that can be used.

This feature idea is to add a health check that runs on demand as part of that endpoint that checks: if TLS is enabled (can get this from nifi-registry.properties), loads the SSLContext and checks that that certificates are valid and not expired. The results of this check, along with the expiration timestamps, can be reported in the health check results so that external monitoring tools (such as PagerDuty, Nagios, Prometheus Alert Manager, etc), could poll the endpoint, alert if the certs check fails, and trigger an alert in advance if the expiration timestamp is close.

This also applies to Apache NiFi, although I am not familiar if a standard {{/health}} endpoint already exists there or if one needs to be introduced.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)