charm-kubernetes-service-checks

Merge ~whereisrysmind/charm-kubernetes-service-checks:master into charm-kubernetes-service-checks:master

Git
lp:~whereisrysmind/charm-kubernetes-service-checks
master
Merge into master

Proposed by Xav Paice on 2020-07-30

Status:	Superseded
Proposed branch:	~whereisrysmind/charm-kubernetes-service-checks:master
Merge into:	charm-kubernetes-service-checks:master
Diff against target:	1917 lines (+1742/-1) 28 files modified .gitignore (+25/-0) .gitmodules (+3/-1) Makefile (+78/-0) README.md (+96/-0) config.yaml (+38/-0) files/plugins/check_kubernetes_api.py (+118/-0) hooks/install (+1/-0) lib/.empty (+0/-0) lib/charmhelpers (+1/-0) lib/lib_kubernetes_service_checks.py (+159/-0) lib/ops (+1/-0) metadata.yaml (+26/-0) mod/.empty (+0/-0) mod/charm-helpers (+1/-0) src/charm.py (+190/-0) src/setuppath.py (+4/-0) tests/functional/requirements.txt (+1/-0) tests/functional/tests/bundles/bionic.yaml (+90/-0) tests/functional/tests/bundles/focal.yaml (+90/-0) tests/functional/tests/bundles/xenial.yaml (+90/-0) tests/functional/tests/kubernetes_service_checks.py (+162/-0) tests/functional/tests/tests.yaml (+33/-0) tests/unit/requirements.txt (+5/-0) tests/unit/setuppath.py (+6/-0) tests/unit/test_charm.py (+243/-0) tests/unit/test_lib_ksc.py (+164/-0) tests/unit/test_plugins.py (+65/-0) tox.ini (+52/-0)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Ryan Farrell	2020-07-30	Pending
Joe Guo	2020-07-30	Pending
Adam Dyess	2020-07-30	Pending
Paul Goins	2020-07-30	Pending
Giuseppe Petralia	2020-07-30	Pending
Review via email: mp+388351@code.launchpad.net

This proposal supersedes a proposal from 2020-07-22.

This proposal has been superseded by a proposal from 2020-07-30.

Commit message

Initial charm for Kubernetes Service Checks

Currently 2 NRPE checks:
- check_http for cert expirations
- check_k8s_api_health for api responding

3 Relations required:
  - nrpe:nrpe-external-master
  - kubernetes-master:kube-api-endpoint
  - kubernetes-master:kube-control

Charm will block if the relations are not configured or if required data
is missing.

+ Unit tests (passing)
+ Functional tests (passing)
+ lint & black (passing)

Description of the change

Initial charm for Kubernetes Service Checks

Revision history for this message

Giuseppe Petralia (peppepetra) wrote on 2020-07-20: Posted in a previous version of this proposal

Generally code looks good.

The only comment I have is on the self.state.configured. It is not changed to False when a config changed is happening or a relation has joined, changed or departed (it is set to false only on departed), while it should be to reflect that this state is controlling whether check_charm_status should reconfigure or not the unit.

Also the self.helper.configure() is called in check_charm_status without checking if this state is true or false, while seems that this should be called only if configured is false.

Same for self.helper.update_tls_certificates(). This is needed only on initial deploy (and configured is False at the beginning) or later if a config_changed has occurred as the certificate can be updated only on a config changed at this stage.

Maybe i am not reading this state correctly. In this case more information are needed.

review: Needs Information

Revision history for this message

Ryan Farrell (whereisrysmind) wrote on 2020-07-20: Posted in a previous version of this proposal

Giuseppe,
I addressed your comment , I agree it needed more consistent handling of the configured flag, and thusly for when to perform the configuration. Unit tests and functional tests are still passing.

Revision history for this message

Giuseppe Petralia (peppepetra) wrote on 2020-07-21: Posted in a previous version of this proposal

All tests passes. `make test` is blocked by charm proof that is testing things that are not valid for operator charm. I would suggest adding @-charm proof to ignore any error.

I am +1 to merge it.

Thanks.

review: Approve

Revision history for this message

Ryan Farrell (whereisrysmind) wrote on 2020-07-22: Posted in a previous version of this proposal

All comments have been address. Ready for review.

review: Needs Resubmitting

Revision history for this message

Paul Goins (vultaire) wrote on 2020-07-24: Posted in a previous version of this proposal

No major concerns. A few typos which should be fixed though (since copy/pasting would give errors).

There's also a suggested rework regarding the zaza bundles; this methodology has been used in a few other charms to reduce duplication. I think it would be a really good fit here, too.

review: Needs Fixing

Unmerged commits

3100e6a... by Ryan Farrell on 2020-07-22

Ignoring make errors on 'charm proof'

ac15205... by Ryan Farrell on 2020-07-21

Moved SSL coniguration block

5e57fec... by Ryan Farrell on 2020-07-20

Edited when ssl configuration occurs

003175a... by Ryan Farrell on 2020-07-20

Fixed charm configured flag handling

51c4121... by Ryan Farrell on 2020-07-20

Set required args in nrpe plugin

6f49451... by Ryan Farrell on 2020-07-19

Blackened code

05632f6... by Ryan Farrell on 2020-07-17

Replaced eval with json.loads

184e030... by Ryan Farrell on 2020-07-17

Added focal functional test bundle

296fbef... by Ryan Farrell on 2020-07-17

Some cleanup

- Merge some docstrings with neighboring comments
- Added Black section to Makefile
- Removed repeated set status calls in the charm

a17ae30... by Ryan Farrell on 2020-07-17

Fixed issues with SSL Host Key verification

- Added step to base64 decode of the SSL cert
- Changed plugin default to check SSL host key
- Updated unit tests
- Fixed fixed functional tests

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Ryan Farrell

 diff --git a/.gitignore b/.gitignore
 new file mode 100644
 index 0000000..f04567f
 --- /dev/null
 +++ b/.gitignore
@@ -0,0 +1,25 @@
++# Byte-compiled / optimized / DLL files
++__pycache__/
++*.py[cod]
++*$py.class
++
++# Log files
++*.log
++
++.tox/
++.coverage
++
++# vi
++.*.swp
++
++# pycharm
++.idea/
++
++# version data
++repo-info
++
++# reports
++report/*
++
++# coverage
++htmlcov/*
 diff --git a/.gitmodules b/.gitmodules
 index 0b10c26..2970f9f 100644
 --- a/.gitmodules
 +++ b/.gitmodules
@@ -1,4 +1,6 @@
  [submodule "mod/operator"]
  	path = mod/operator
  	url = https://github.com/canonical/operator.git
--	branch = 0.7.0
++[submodule "mod/charm-helpers"]
++	path = mod/charm-helpers
++	url = https://github.com/juju/charm-helpers.git
 diff --git a/Makefile b/Makefile
 new file mode 100644
 index 0000000..d1435c4
 --- /dev/null
 +++ b/Makefile
@@ -0,0 +1,78 @@
++PYTHON := /usr/bin/python3
++
++ifndef CHARM_BUILD_DIR
++	CHARM_BUILD_DIR=/tmp/charm-builds
++endif
++
++PROJECTPATH=$(dir $(realpath $(MAKEFILE_LIST)))
++METADATA_FILE="metadata.yaml"
++CHARM_NAME=$(shell cat ${PROJECTPATH}/${METADATA_FILE} | grep -E '^name:' | awk '{print $$2}')
++
++help:
++	@echo "This project supports the following targets"
++	@echo ""
++	@echo " make help - show this text"
++	@echo " make clean - remove unneeded files"
++	@echo " make submodules - make sure that the submodules are up-to-date"
++	@echo " make build - build the charm"
++	@echo " make release - run clean, submodules and build targets"
++	@echo " make lint - run flake8 and black"
++	@echo " make proof - run charm proof"
++	@echo " make unittests - run the tests defined in the unittest subdirectory"
++	@echo " make functional - run the tests defined in the functional subdirectory"
++	@echo " make test - run lint, proof, unittests and functional targets"
++	@echo ""
++
++clean:
++	@echo "Cleaning files"
++	@if [ -d .tox ] ; then rm -r .tox ; fi
++	@if [ -d .pytest_cache ] ; then rm -r .pytest_cache ; fi
++	@if [ -d .idea ] ; then rm -r .idea ; fi
++	@if [ -d .coverage ] ; then rm -r .coverage ; fi
++	@if [ -d report ] ; then rm -r report ; fi
++	@find . -iname __pycache__ -exec rm -r {} +
++	@find . -type f -name "*.py[cod]" -delete
++	@find . -type f -name "*$py.class" -delete
++	@find . -type f -name "*.log" -delete
++	@find . -type f -name "*.swp" -delete
++	@find . -type f -name ".unit-state.db" -delete
++	@echo "Cleaning existing build"
++	@rm -rf ${CHARM_BUILD_DIR}/${CHARM_NAME}
++
++submodules:
++	@echo "Cloning submodules"
++	@git submodule update --init --recursive
++
++build:
++	@echo "Building charm to base directory ${CHARM_BUILD_DIR}/${CHARM_NAME}"
++	@-git describe --tags > ./repo-info
++	@mkdir -p ${CHARM_BUILD_DIR}/${CHARM_NAME}
++	@cp -r ./* ${CHARM_BUILD_DIR}/${CHARM_NAME}
++	@echo "Installing/updating env from requirements.txt"
++	@mkdir -p ${CHARM_BUILD_DIR}/${CHARM_NAME}/env/
++	@if [ -f requirements.txt ] ; then @pip3 install --target=${CHARM_BUILD_DIR}/${CHARM_NAME}/env -r requirements.txt --upgrade ; fi
++
++release: clean submodules build
++	@echo "Charm is built at ${CHARM_BUILD_DIR}/${CHARM_NAME}"
++
++lint:
++	@echo "Running lint checks"
++	@tox -e lint
++
++proof:
++	@echo "Running charm proof"
++	@-charm proof
++
++unittests:
++	@echo "Running unit tests"
++	@tox -e unit
++
++functional: build
++	@echo "Executing functional tests in ${CHARM_BUILD_DIR}"
++	@CHARM_BUILD_DIR=${CHARM_BUILD_DIR} tox -e func
++
++test: lint proof unittests functional
++	@echo "Tests completed for charm ${CHARM_NAME}."
++
++# The targets below don't depend on a file
++.PHONY: help submodules clean build release lint proof unittests functional test
 \ No newline at end of file
 diff --git a/README.md b/README.md
 new file mode 100644
 index 0000000..1a50bd9
 --- /dev/null
 +++ b/README.md
@@ -0,0 +1,96 @@
++# kubernetes-service-checks Charm
++
++Overview
++--------
++
++This charm provides Kubernetes Service checks for Nagios
++
++Quickstart
++----------
++
++    juju deploy cs:kubernetes-service-checks
++    juju add-relation kubernetes-service-checks nrpe
++    juju add-relation kubernetes-service-checks:kube-api-endpoint kubernetes-master
++    juju add-relation kuberentes-service-checks:kube-control kuberentes-master
++
++
++
++
++### Relations
++
++* **kubernetes-master:kube-api-endpoint** - Provides KSC with the kubernetes-api *hostname* and *port*
++
++* **kuberentes-master:kube-control** - Provides KSC with a kuberentes-api *client-token* for authentication
++
++* **nrpe:nrpe-external-master** - Required for nagios; provides additional plugins
++
++
++**Note:** Future relations with kubernetes-master *may* be changed so that a
++single relation can provide the K8S api hostname, port, client token and ssl ca
++cert.
++
++### Config Options
++
++**trusted_ssl_ca** *(Optional)* Setting this option enables SSL host
++certificate authentication in the api checks
++
++    juju config kubernetes-service-checks trusted_ssl_ca="${KUBERNETES_API_CA}"
++
++
++Service Checks
++--------------
++The plugin *check_kubernetes_api.py* ships with this charm and contains an array of checks for the k8s api health.
++
++```
++check_kubernetes_api.py --help
++usage: check_kubernetes_api.py [-h] [-H HOST] [-P PORT] [-T CLIENT_TOKEN]
++                               [--check health] [-C SSL_CA_PATH]
++
++Check Kubernetes API status
++
++optional arguments:
++  -h, --help            show this help message and exit
++  -H HOST, --host HOST  Hostname or IP of the kube-api-server (default: None)
++  -P PORT, --port PORT  Port of the kube-api-server (default: 6443)
++  -T CLIENT_TOKEN, --token CLIENT_TOKEN
++                        Client access token for authenticate with the
++                        Kubernetes API (default: None)
++  --check health        which check to run (default: health)
++  -C SSL_CA_PATH, --trusted-ca-cert SSL_CA_PATH
++                        String containing path to the trusted CA certificate
++                        (default: None)
++
++```
++
++**health** - This polls the kubernetes-api */healthz* endpoint. Posting a GET to this URL endpoint is expected to
++return 200 - 'ok' if the api is healthy, otherwise 500.
++
++
++Other Checks
++------------
++
++**Certificate Expiration:** The *check_http* plugin is shipped with nrpe, and contains a built in cert expiration check. The warning and crit
++thesholds are configurable:
++
++    juju config kubernetes-service-checks tls_warn_days=90
++    juju config kubernetes-service-checks tls_crit_days=30
++
++Testing
++-------
++
++Juju should be installed and bootstrapped on the system to run functional tests.
++
++
++```
++    export MODEL_SETTINGS=<semicolon-separated list of "juju model-config" settings>
++    make test
++```
++
++NOTE: If you are behind a proxy, be sure to export a MODEL_SETTINGS variable as
++described above. Note that you will need to use the juju-http-proxy, juju-https-proxy, juju-no-proxy
++and similar settings.
++
++Contact
++-------
++ - Author: **Bootstack Charmers** *<bootstack-charmers@lists.canonical.com>*
++ - Bug Tracker: [lp:charm-kubernetes-service-checks](https://launchpad.net/charm-kubernetes-service-checks)
 diff --git a/config.yaml b/config.yaml
 new file mode 100644
 index 0000000..8560b6e
 --- /dev/null
 +++ b/config.yaml
@@ -0,0 +1,38 @@
++options:
++  channel:
++    type: string
++    default: 1.18/stable
++    description: |
++      Snap channel to install kubectl from
++  nagios_context:
++    default: "juju"
++    type: string
++    description: |
++      Used by the nrpe subordinate charms.
++      A string that will be prepended to instance name to set the host name
++      in nagios. So for instance the hostname would be something like:
++          juju-myservice-0
++      If you're running multiple environments with the same services in them
++      this allows you to differentiate between them.
++  nagios_servicegroups:
++    default: ""
++    type: string
++    description: |
++      A comma-separated list of nagios servicegroups.
++      If left empty, the nagios_context will be used as the servicegroup
++  tls_warn_days:
++    type: int
++    default: 60
++    description: |
++      Number of days left for the TLS certificate to expire before Warning.
++  tls_crit_days:
++    type: int
++    default: 30
++    description: |
++      Number of days left for the TLS certificate to expire before alerting Critical.
++  # temporary config setting for trusted SSL CA (see LP1886982)
++  trusted_ssl_ca:
++    type: string
++    default: ""
++    description: |
++      base64 encoded SSL ca cert to use for Kubernetes API client connections.
 \ No newline at end of file
 diff --git a/files/plugins/check_kubernetes_api.py b/files/plugins/check_kubernetes_api.py
 new file mode 100755
 index 0000000..ad91f26
 --- /dev/null
 +++ b/files/plugins/check_kubernetes_api.py
@@ -0,0 +1,118 @@
++#!/usr/bin/python3
++"""NRPE Plugin for checking Kubernetes API."""
++
++import argparse
++import sys
++
++import urllib3
++
++NAGIOS_STATUS_OK = 0
++NAGIOS_STATUS_WARNING = 1
++NAGIOS_STATUS_CRITICAL = 2
++NAGIOS_STATUS_UNKNOWN = 3
++
++NAGIOS_STATUS = {
++    NAGIOS_STATUS_OK: "OK",
++    NAGIOS_STATUS_WARNING: "WARNING",
++    NAGIOS_STATUS_CRITICAL: "CRITICAL",
++    NAGIOS_STATUS_UNKNOWN: "UNKNOWN",
++}
++
++
++def nagios_exit(status, message):
++    """Return the check status in Nagios preferred format.
++
++    :param status: Nagios Check status code (in [0, 1, 2, 3])
++    :param message: Message describing the status
++    :return: sys.exit("{status_string}: {message}")
++    """
++    assert status in NAGIOS_STATUS, "Invalid Nagios status code"
++    # prefix status name to message
++    output = "{}: {}".format(NAGIOS_STATUS[status], message)
++    print(output)  # nagios requires print to stdout, no stderr
++    sys.exit(status)
++
++
++def check_kubernetes_health(k8s_address, client_token, disable_ssl):
++    """Call <kubernetes-api>/healthz endpoint and check return value is 'ok'.
++
++    :param k8s_address: Address to kube-api-server formatted 'https://<IP>:<PORT>'
++    :param client_token: Token for authenticating with the kube-api
++    :param disable_ssl: Disables SSL Host Key verification
++    """
++    url = k8s_address + "/healthz"
++    if disable_ssl:
++        # perform check without SSL verification
++        http = urllib3.PoolManager(cert_reqs="CERT_NONE", assert_hostname=False)
++    else:
++        http = urllib3.PoolManager()
++
++    try:
++        resp = http.request("GET", url, headers={"Authorization": "Bearer {}".format(client_token)})
++    except urllib3.exceptions.MaxRetryError as e:
++        return NAGIOS_STATUS_CRITICAL, e
++
++    if resp.status != 200:
++        return NAGIOS_STATUS_CRITICAL, "Unexpected HTTP Response code ({})".format(resp.status)
++    elif resp.data != b"ok":
++        return NAGIOS_STATUS_WARNING, "Unexpected Kubernetes healthz status '{}'".format(resp.data)
++    return NAGIOS_STATUS_OK, "Kubernetes health 'ok'"
++
++
++if __name__ == "__main__":
++    parser = argparse.ArgumentParser(
++        description="Check Kubernetes API status", formatter_class=argparse.ArgumentDefaultsHelpFormatter,
++    )
++
++    parser.add_argument("-H", "--host", dest="host", help="Hostname or IP of the kube-api-server", required=True)
++
++    parser.add_argument(
++        "-P", "--port", dest="port", type=int, default=6443, help="Port of the kube-api-server", required=True
++    )
++
++    parser.add_argument(
++        "-T", "--token", dest="client_token", help="Client access token for authenticate with the Kubernetes API"
++    )
++
++    check_choices = ["health"]
++    parser.add_argument(
++        "--check",
++        dest="check",
++        metavar="|".join(check_choices),
++        type=str,
++        choices=check_choices,
++        default=check_choices[0],
++        help="which check to run",
++    )
++
++    parser.add_argument(
++        "-d",
++        "--disable-host-key-check",
++        dest="disable_host_key_check",
++        default=False,
++        action="store_true",
++        help="Disables Host SSL Key Authentication",
++    )
++    args = parser.parse_args()
++
++    checks = {
++        "health": check_kubernetes_health,
++    }
++
++    k8s_url = "https://{}:{}".format(args.host, args.port)
++    nagios_exit(*checks[args.check](k8s_url, args.client_token, args.disable_host_key_check))
++
++"""
++TODO: Future Checks
++
++GET /api/v1/componentstatuses HTTP/1.1
++Authorization: Bearer $TOKEN
++Accept: application/json
++Connection: close
++
++GET /api/va/nodes HTTP/1.1
++Authorization: Bearer $TOKEN
++Accept: application/json
++Connection: close
++
++"""
 diff --git a/hooks/install b/hooks/install
 new file mode 120000
 index 0000000..25b1f68
 --- /dev/null
 +++ b/hooks/install
@@ -0,0 +1 @@
++../src/charm.py
 \ No newline at end of file
 diff --git a/lib/.empty b/lib/.empty
 new file mode 100644
 index 0000000..e69de29
 --- /dev/null
 +++ b/lib/.empty
 diff --git a/lib/charmhelpers b/lib/charmhelpers
 new file mode 120000
 index 0000000..cedc09e
 --- /dev/null
 +++ b/lib/charmhelpers
@@ -0,0 +1 @@
++../mod/charm-helpers/charmhelpers
 \ No newline at end of file
 diff --git a/lib/lib_kubernetes_service_checks.py b/lib/lib_kubernetes_service_checks.py
 new file mode 100644
 index 0000000..14db4e6
 --- /dev/null
 +++ b/lib/lib_kubernetes_service_checks.py
@@ -0,0 +1,159 @@
++"""Kubernetes Service Checks Helper Library."""
++import base64
++import json
++import logging
++import os
++import subprocess
++
++from charmhelpers.contrib.charmsupport.nrpe import NRPE
++from charmhelpers.core import hookenv, host
++from charmhelpers.fetch import snap
++
++CERT_FILE = "/usr/local/share/ca-certificates/kubernetes-service-checks.crt"
++NAGIOS_PLUGINS_DIR = "/usr/local/lib/nagios/plugins/"
++
++
++class KSCHelper:
++    """Kubernetes Service Checks Helper Class."""
++
++    def __init__(self, config, state):
++        """Initialize the Helper with the charm config and state."""
++        self.config = config
++        self.state = state
++
++    @property
++    def kubernetes_api_address(self):
++        """Get kubernetes api hostname."""
++        return self.state.kube_api_endpoint.get("hostname", None)
++
++    @property
++    def kubernetes_api_port(self):
++        """Get kubernetes api port."""
++        return self.state.kube_api_endpoint.get("port", None)
++
++    @property
++    def kubernetes_client_token(self):
++        """Get kubernetes client token."""
++        try:
++            data = json.loads(self.state.kube_control.get("creds", "{}"))
++        except json.decoder.JSONDecodeError:
++            data = {}
++        for creds in data.values():
++            token = creds.get("client_token", None)
++            if token:
++                return token
++        return None
++
++    @property
++    def use_tls_cert(self):
++        """Check if SSL cert is provided for use."""
++        return bool(self._ssl_certificate)
++
++    @property
++    def _ssl_certificate(self):
++        # TODO: Expand this later to take a cert from a relation or from the config.
++        # cert from the relation is to be prioritized
++        ssl_cert = self.config.get("trusted_ssl_ca", None)
++        if ssl_cert:
++            ssl_cert = ssl_cert.strip()
++        return ssl_cert
++
++    @property
++    def ssl_cert_path(self):
++        """Get cert file path."""
++        return CERT_FILE
++
++    @property
++    def plugins_dir(self):
++        """Get nagios plugins directory."""
++        return NAGIOS_PLUGINS_DIR
++
++    def restart_nrpe_service(self):
++        """Restart nagios-nrpe-server service."""
++        host.service_restart("nagios-nrpe-server")
++
++    def update_tls_certificates(self):
++        """Write the trusted ssl certificate to the CERT_FILE."""
++        if self._ssl_certificate:
++            cert_content = base64.b64decode(self._ssl_certificate).decode()
++            try:
++                logging.debug("Writing ssl ca cert to {}".format(self.ssl_cert_path))
++                with open(self.ssl_cert_path, "w") as f:
++                    f.write(cert_content)
++                subprocess.call(["/usr/sbin/update-ca-certificates"])
++                return True
++            except subprocess.CalledProcessError as e:
++                logging.error(e)
++                return False
++            except PermissionError as e:
++                logging.error(e)
++                return False
++        else:
++            logging.error("Trusted SSL Certificate is not defined")
++            return False
++
++    def configure(self):
++        """Refresh configuration data."""
++        self.update_plugins()
++        self.render_checks()
++
++    def update_plugins(self):
++        """Rsync plugins to the plugin directory."""
++        charm_plugin_dir = os.path.join(hookenv.charm_dir(), "files", "plugins/")
++        host.rsync(charm_plugin_dir, self.plugins_dir, options=["--executability"])
++
++    def render_checks(self):
++        """Render nrpe checks."""
++        nrpe = NRPE()
++        if not os.path.exists(self.plugins_dir):
++            os.makedirs(self.plugins_dir)
++
++        # register basic api health check
++        check_k8s_plugin = os.path.join(self.plugins_dir, "check_kubernetes_api.py")
++        for check in ["health"]:
++            check_command = "{} -H {} -P {} -T {} --check {}".format(
++                check_k8s_plugin,
++                self.kubernetes_api_address,
++                self.kubernetes_api_port,
++                self.kubernetes_client_token,
++                check,
++            ).strip()
++            if not self.use_tls_cert:
++                check_command += " -d"
++
++            nrpe.add_check(
++                shortname="k8s_api_{}".format(check),
++                description="Check Kubernetes API ({})".format(check),
++                check_cmd=check_command,
++            )
++
++        # register k8s host certificate expiration check
++        check_http_plugin = "/usr/lib/nagios/plugins/check_http"
++        check_command = "{} -I {} -p {} -C {},{}".format(
++            check_http_plugin,
++            self.kubernetes_api_address,
++            self.kubernetes_api_port,
++            self.config.get("tls_warn_days"),
++            self.config.get("tls_crit_days"),
++        ).strip()
++        nrpe.add_check(
++            shortname="k8s_api_cert_expiration",
++            description="Check Kubernetes API ({})".format(check),
++            check_cmd=check_command,
++        )
++        nrpe.write()
++
++    def install_kubectl(self):
++        """Attempt to install kubectl.
++
++        :returns: bool, indicating whether or not successful
++        """
++        # snap retry is excessive
++        snap.SNAP_NO_LOCK_RETRY_DELAY = 0.5
++        snap.SNAP_NO_LOCK_RETRY_COUNT = 3
++        try:
++            channel = self.config.get("channel")
++            snap.snap_install("kubectl", "--classic", "--channel={}".format(channel))
++            return True
++        except snap.CouldNotAcquireLockException:
++            return False
 diff --git a/lib/ops b/lib/ops
 new file mode 120000
 index 0000000..d934193
 --- /dev/null
 +++ b/lib/ops
@@ -0,0 +1 @@
++../mod/operator/ops
 \ No newline at end of file
 diff --git a/metadata.yaml b/metadata.yaml
 new file mode 100644
 index 0000000..09b26a5
 --- /dev/null
 +++ b/metadata.yaml
@@ -0,0 +1,26 @@
++name: kubernetes-service-checks
++summary: Kubernetes Services NRPE Checks
++maintainers:
++    - Bootstack Charmers <bootstack-charmers@lists.canonical.com>
++description: |
++    This charm provides NRPE Checks verifying Kubernetes API accessibility
++    and integrates with Nagios for timely alerting.
++tags:
++    - kubernetes
++    - ops
++    - monitoring
++series:
++    - focal
++    - bionic
++    - xenial
++requires:
++    kube-control:
++        interface: kube-control
++    kube-api-endpoint:
++        interface: http
++provides:
++    nrpe-external-master:
++        interface: nrpe-external-master
++        scope: container
++        optional: true
++subordinate: false
 diff --git a/mod/.empty b/mod/.empty
 new file mode 100644
 index 0000000..e69de29
 --- /dev/null
 +++ b/mod/.empty
 diff --git a/mod/charm-helpers b/mod/charm-helpers
 new file mode 160000
 index 0000000..4b3602e
 --- /dev/null
 +++ b/mod/charm-helpers
@@ -0,0 +1 @@
++Subproject commit 4b3602e2bdf101bf58cc808264ec0c8092a67cd0
 diff --git a/src/charm.py b/src/charm.py
 new file mode 100755
 index 0000000..1047fc4
 --- /dev/null
 +++ b/src/charm.py
@@ -0,0 +1,190 @@
++#! /usr/bin/env python3
++# -*- coding: utf-8 -*-
++# vim:fenc=utf-8
++# Copyright © 2020 Bootstack Charmers  bootstack-charmers@lists.canonical.com
++
++"""Operator Charm main library."""
++# Load modules from lib directory
++import logging
++
++import setuppath  # noqa:F401
++
++from lib_kubernetes_service_checks import KSCHelper  # noqa:I100
++from ops.charm import CharmBase
++from ops.framework import StoredState
++from ops.main import main
++from ops.model import ActiveStatus, BlockedStatus, MaintenanceStatus
++
++
++class KubernetesServiceChecksCharm(CharmBase):
++    """Class representing this Operator charm."""
++
++    state = StoredState()
++
++    def __init__(self, *args):
++        """Initialize charm and configure states and events to observe."""
++        super().__init__(*args)
++        # -- standard hook observation
++        self.framework.observe(self.on.install, self.on_install)
++        self.framework.observe(self.on.start, self.on_start)
++        self.framework.observe(self.on.config_changed, self.on_config_changed)
++        self.framework.observe(
++            self.on.kube_api_endpoint_relation_changed, self.on_kube_api_endpoint_relation_changed,
++        )
++        self.framework.observe(self.on.kube_api_endpoint_relation_departed, self.on_kube_api_endpoint_relation_departed)
++        self.framework.observe(
++            self.on.kube_control_relation_changed, self.on_kube_control_relation_changed,
++        )
++        self.framework.observe(self.on.kube_control_relation_departed, self.on_kube_control_relation_departed)
++        self.framework.observe(
++            self.on.nrpe_external_master_relation_joined, self.on_nrpe_external_master_relation_joined
++        )
++        self.framework.observe(
++            self.on.nrpe_external_master_relation_departed, self.on_nrpe_external_master_relation_departed
++        )
++        # -- initialize states --
++        self.state.set_default(
++            installed=False,
++            configured=False,
++            started=False,
++            kube_control={},
++            kube_api_endpoint={},
++            nrpe_configured=False,
++        )
++        self.helper = KSCHelper(self.model.config, self.state)
++
++    def on_install(self, event):
++        """Handle install state."""
++        self.unit.status = MaintenanceStatus("Install complete")
++        logging.info("Install of software complete")
++        self.state.installed = True
++
++    def on_upgrade_charm(self, event):
++        """Handle upgrade and resource updates."""
++        self.state.configured = False
++        logging.info("Reinstalling for upgrade-charm hook")
++        self.on_install(event)
++        self.check_charm_status()
++
++    def check_charm_status(self):
++        """
++        Check that required data is available from relations.
++
++        - Check kube-api-endpoint relation and data available
++        - Check kube-control relation and data available
++        - Check nrpe-external-master is configured
++        - Check any required config options
++        - Finally, configure the charms checks and set flags
++        """
++        if not self.helper.kubernetes_api_address or not self.helper.kubernetes_api_port:
++            logging.warning("kube-api-endpoint relation missing or misconfigured")
++            self.unit.status = BlockedStatus("missing kube-api-endpoint relation")
++            return
++        if not self.helper.kubernetes_client_token:
++            logging.warning("kube-control relation missing or misconfigured")
++            self.unit.status = BlockedStatus("missing kube-control relation")
++            return
++        if not self.state.nrpe_configured:
++            logging.warning("nrpe-external-master relation missing or misconfigured")
++            self.unit.status = BlockedStatus("missing nrpe-external-master relation")
++            return
++
++        if not self.state.configured:
++            # Check specific required config values
++            # Set up TLS Certificate
++            if self.helper.use_tls_cert:
++                logging.info("Updating tls certificates")
++                if self.helper.update_tls_certificates():
++                    logging.info("TLS Certificates updated successfully")
++                else:
++                    logging.error("Failed to update TLS Certificates")
++                    self.unit.status = BlockedStatus("update-ca-certificates error. check logs")
++                    return
++            else:
++                logging.warning("No trusted_ssl_ca provided, SSL Host Authentication disabled")
++
++            logging.info("Configuring Kubernetes Service Checks")
++            self.helper.configure()
++
++            logging.info("Reloading nagios-nrpe-server")
++            self.helper.restart_nrpe_service()
++            self.state.configured = True
++        self.unit.status = ActiveStatus("Unit is ready")
++
++    def on_config_changed(self, event):
++        """Handle config changed."""
++        self.state.configured = False
++        if not self.state.installed:
++            logging.warning("Config changed called before install complete, deferring event: {}.".format(event.handle))
++            self._defer_once(event)
++            return
++        self.check_charm_status()
++
++    def on_start(self, event):
++        """Handle start state."""
++        if not self.state.configured:
++            logging.warning("Start called before configuration complete, deferring event: {}".format(event.handle))
++            event.defer()
++            return
++        self.unit.status = ActiveStatus("Unit is ready")
++        self.state.started = True
++        logging.info("Started")
++
++    def _defer_once(self, event):
++        """Defer the given event, but only once."""
++        notice_count = 0
++        handle = str(event.handle)
++
++        for event_path, _, _ in self.framework._storage.notices(None):
++            if event_path.startswith(handle.split("[")[0]):
++                notice_count += 1
++                logging.debug("Found event: {} x {}".format(event_path, notice_count))
++
++        if notice_count > 1:
++            logging.debug("Not deferring {} notice count of {}".format(handle, notice_count))
++        else:
++            logging.debug("Deferring {} notice count of {}".format(handle, notice_count))
++            event.defer()
++
++    def on_kube_api_endpoint_relation_changed(self, event):
++        """Handle kube_api_endpoint relation changed."""
++        self.state.configured = False
++        self.unit.status = MaintenanceStatus("Updating K8S Endpoint")
++        self.state.kube_api_endpoint.update(event.relation.data.get(event.unit, {}))
++        self.check_charm_status()
++
++    def on_kube_api_endpoint_relation_departed(self, event):
++        """Handle kube-api-endpoint relation departed."""
++        self.state.configured = False
++        for k in self.state.kube_api_endpoint.keys():
++            self.state.kube_api_endpoint[k] = ""
++        self.check_charm_status()
++
++    def on_kube_control_relation_changed(self, event):
++        """Handle kube-control relation changed."""
++        self.state.configured = False
++        self.unit.status = MaintenanceStatus("Updating K8S Credentials")
++        self.state.kube_control.update(event.relation.data.get(event.unit, {}))
++        self.check_charm_status()
++
++    def on_kube_control_relation_departed(self, event):
++        """Handle kube-control relation departed."""
++        self.state.configured = False
++        for k in self.state.kube_control.keys():
++            self.state.kube_control[k] = ""
++        self.check_charm_status()
++
++    def on_nrpe_external_master_relation_joined(self, event):
++        """Handle nrpe-external-master relation joined."""
++        self.state.nrpe_configured = True
++        self.check_charm_status()
++
++    def on_nrpe_external_master_relation_departed(self, event):
++        """Handle nrpe-external-master relation departed."""
++        self.state.configured = False
++        self.state.nrpe_configured = False
++        self.check_charm_status()
++
++
++if __name__ == "__main__":
++    main(KubernetesServiceChecksCharm)
 diff --git a/src/setuppath.py b/src/setuppath.py
 new file mode 100644
 index 0000000..768e049
 --- /dev/null
 +++ b/src/setuppath.py
@@ -0,0 +1,4 @@
++"""Include ./lib in the charm's PATH."""
++import sys
++
++sys.path.append("lib")
 diff --git a/tests/functional/requirements.txt b/tests/functional/requirements.txt
 new file mode 100644
 index 0000000..b7c9112
 --- /dev/null
 +++ b/tests/functional/requirements.txt
@@ -0,0 +1 @@
++git+https://github.com/openstack-charmers/zaza.git#egg=zaza
 diff --git a/tests/functional/tests/bundles/bionic.yaml b/tests/functional/tests/bundles/bionic.yaml
 new file mode 100644
 index 0000000..c55ba41
 --- /dev/null
 +++ b/tests/functional/tests/bundles/bionic.yaml
@@ -0,0 +1,90 @@
++series: bionic
++applications:
++    kubernetes-service-checks:
++        charm: ../../../../
++        num_units: 1
++    containerd:
++        charm: cs:~containers/containerd
++        options:
++            gpu_driver: none
++        resources: {}
++    easyrsa:
++        charm: cs:~containers/easyrsa
++        num_units: 1
++        resources:
++          easyrsa: 5
++    etcd:
++        charm: cs:~containers/etcd
++        num_units: 1
++        options:
++          channel: 3.3/stable
++        resources:
++          core: 0
++          etcd: 3
++          snapshot: 0
++    flannel:
++        charm: cs:~containers/flannel
++        resources:
++          flannel-amd64: 625
++          flannel-arm64: 622
++          flannel-s390x: 609
++    kubernetes-master:
++        charm: cs:~containers/kubernetes-master
++        num_units: 1
++        constraints: cores=4 mem=4G root-disk=16G
++        options:
++          channel: 1.18/stable
++        resources:
++          cdk-addons: 0
++          core: 0
++          kube-apiserver: 0
++          kube-controller-manager: 0
++          kube-proxy: 0
++          kube-scheduler: 0
++          kubectl: 0
++    kubernetes-worker:
++        charm: cs:~containers/kubernetes-worker
++        expose: true
++        num_units: 1
++        constraints: cores=4 mem=4G root-disk=16G
++        options:
++            channel: 1.18/stable
++        resources:
++          cni-amd64: 645
++          cni-arm64: 636
++          cni-s390x: 648
++          core: 0
++          kube-proxy: 0
++          kubectl: 0
++          kubelet: 0
++    nrpe:
++        charm: cs:nrpe
++relations:
++    - - kubernetes-master:kube-api-endpoint
++      - kubernetes-worker:kube-api-endpoint
++    - - kubernetes-service-checks:nrpe-external-master
++      - nrpe:nrpe-external-master
++    - - kubernetes-master:kube-control
++      - kubernetes-worker:kube-control
++    - - kubernetes-master:certificates
++      - easyrsa:client
++    - - etcd:certificates
++      - easyrsa:client
++    - - kubernetes-master:etcd
++      - etcd:db
++    - - kubernetes-worker:certificates
++      - easyrsa:client
++    - - flannel:etcd
++      - etcd:db
++    - - flannel:cni
++      - kubernetes-master:cni
++    - - flannel:cni
++      - kubernetes-worker:cni
++    - - containerd:containerd
++      - kubernetes-worker:container-runtime
++    - - containerd:containerd
++      - kubernetes-master:container-runtime
++    - - kubernetes-service-checks:kube-control
++      - kubernetes-master:kube-control
++    - - kubernetes-service-checks:kube-api-endpoint
++      - kubernetes-master:kube-api-endpoint
 \ No newline at end of file
 diff --git a/tests/functional/tests/bundles/focal.yaml b/tests/functional/tests/bundles/focal.yaml
 new file mode 100644
 index 0000000..31888a0
 --- /dev/null
 +++ b/tests/functional/tests/bundles/focal.yaml
@@ -0,0 +1,90 @@
++series: focal
++applications:
++    kubernetes-service-checks:
++        charm: ../../../../
++        num_units: 1
++    containerd:
++        charm: cs:~containers/containerd
++        options:
++            gpu_driver: none
++        resources: {}
++    easyrsa:
++        charm: cs:~containers/easyrsa
++        num_units: 1
++        resources:
++          easyrsa: 5
++    etcd:
++        charm: cs:~containers/etcd
++        num_units: 1
++        options:
++          channel: 3.3/stable
++        resources:
++          core: 0
++          etcd: 3
++          snapshot: 0
++    flannel:
++        charm: cs:~containers/flannel
++        resources:
++          flannel-amd64: 625
++          flannel-arm64: 622
++          flannel-s390x: 609
++    kubernetes-master:
++        charm: cs:~containers/kubernetes-master
++        num_units: 1
++        constraints: cores=4 mem=4G root-disk=16G
++        options:
++          channel: 1.18/stable
++        resources:
++          cdk-addons: 0
++          core: 0
++          kube-apiserver: 0
++          kube-controller-manager: 0
++          kube-proxy: 0
++          kube-scheduler: 0
++          kubectl: 0
++    kubernetes-worker:
++        charm: cs:~containers/kubernetes-worker
++        expose: true
++        num_units: 1
++        constraints: cores=4 mem=4G root-disk=16G
++        options:
++            channel: 1.18/stable
++        resources:
++          cni-amd64: 645
++          cni-arm64: 636
++          cni-s390x: 648
++          core: 0
++          kube-proxy: 0
++          kubectl: 0
++          kubelet: 0
++    nrpe:
++        charm: cs:nrpe
++relations:
++    - - kubernetes-master:kube-api-endpoint
++      - kubernetes-worker:kube-api-endpoint
++    - - kubernetes-service-checks:nrpe-external-master
++      - nrpe:nrpe-external-master
++    - - kubernetes-master:kube-control
++      - kubernetes-worker:kube-control
++    - - kubernetes-master:certificates
++      - easyrsa:client
++    - - etcd:certificates
++      - easyrsa:client
++    - - kubernetes-master:etcd
++      - etcd:db
++    - - kubernetes-worker:certificates
++      - easyrsa:client
++    - - flannel:etcd
++      - etcd:db
++    - - flannel:cni
++      - kubernetes-master:cni
++    - - flannel:cni
++      - kubernetes-worker:cni
++    - - containerd:containerd
++      - kubernetes-worker:container-runtime
++    - - containerd:containerd
++      - kubernetes-master:container-runtime
++    - - kubernetes-service-checks:kube-control
++      - kubernetes-master:kube-control
++    - - kubernetes-service-checks:kube-api-endpoint
++      - kubernetes-master:kube-api-endpoint
 diff --git a/tests/functional/tests/bundles/xenial.yaml b/tests/functional/tests/bundles/xenial.yaml
 new file mode 100644
 index 0000000..962bdfd
 --- /dev/null
 +++ b/tests/functional/tests/bundles/xenial.yaml
@@ -0,0 +1,90 @@
++series: xenial
++applications:
++    kubernetes-service-checks:
++        charm: ../../../../
++        num_units: 1
++    containerd:
++        charm: cs:~containers/containerd
++        options:
++            gpu_driver: none
++        resources: {}
++    easyrsa:
++        charm: cs:~containers/easyrsa
++        num_units: 1
++        resources:
++          easyrsa: 5
++    etcd:
++        charm: cs:~containers/etcd
++        num_units: 1
++        options:
++          channel: 3.3/stable
++        resources:
++          core: 0
++          etcd: 3
++          snapshot: 0
++    flannel:
++        charm: cs:~containers/flannel
++        resources:
++          flannel-amd64: 625
++          flannel-arm64: 622
++          flannel-s390x: 609
++    kubernetes-master:
++        charm: cs:~containers/kubernetes-master
++        num_units: 1
++        constraints: cores=4 mem=4G root-disk=16G
++        options:
++          channel: 1.18/stable
++        resources:
++          cdk-addons: 0
++          core: 0
++          kube-apiserver: 0
++          kube-controller-manager: 0
++          kube-proxy: 0
++          kube-scheduler: 0
++          kubectl: 0
++    kubernetes-worker:
++        charm: cs:~containers/kubernetes-worker
++        expose: true
++        num_units: 1
++        constraints: cores=4 mem=4G root-disk=16G
++        options:
++            channel: 1.18/stable
++        resources:
++          cni-amd64: 645
++          cni-arm64: 636
++          cni-s390x: 648
++          core: 0
++          kube-proxy: 0
++          kubectl: 0
++          kubelet: 0
++    nrpe:
++        charm: cs:nrpe
++relations:
++    - - kubernetes-master:kube-api-endpoint
++      - kubernetes-worker:kube-api-endpoint
++    - - kubernetes-service-checks:nrpe-external-master
++      - nrpe:nrpe-external-master
++    - - kubernetes-master:kube-control
++      - kubernetes-worker:kube-control
++    - - kubernetes-master:certificates
++      - easyrsa:client
++    - - etcd:certificates
++      - easyrsa:client
++    - - kubernetes-master:etcd
++      - etcd:db
++    - - kubernetes-worker:certificates
++      - easyrsa:client
++    - - flannel:etcd
++      - etcd:db
++    - - flannel:cni
++      - kubernetes-master:cni
++    - - flannel:cni
++      - kubernetes-worker:cni
++    - - containerd:containerd
++      - kubernetes-worker:container-runtime
++    - - containerd:containerd
++      - kubernetes-master:container-runtime
++    - - kubernetes-service-checks:kube-control
++      - kubernetes-master:kube-control
++    - - kubernetes-service-checks:kube-api-endpoint
++      - kubernetes-master:kube-api-endpoint
 diff --git a/tests/functional/tests/kubernetes_service_checks.py b/tests/functional/tests/kubernetes_service_checks.py
 new file mode 100644
 index 0000000..e1520f3
 --- /dev/null
 +++ b/tests/functional/tests/kubernetes_service_checks.py
@@ -0,0 +1,162 @@
++"""Charm Kubernetes Service Checks Functional Tests."""
++import concurrent.futures
++import logging
++import re
++import time
++import unittest
++
++from juju.errors import JujuAPIError
++import zaza.model
++
++
++class TestBase(unittest.TestCase):
++    """Base Class for charm functional tests."""
++
++    @classmethod
++    def setUpClass(cls):
++        """Run setup for tests."""
++        cls.model_name = zaza.model.get_juju_model()
++        cls.application_name = "kubernetes-service-checks"
++
++    def setUp(self):
++        """Set up  functional tests & ensure all relations added."""
++        for local_relation_name, remote_relation_unit in [
++            ("kube-api-endpoint", "kubernetes-master"),
++            ("kube-control", "kubernetes-master"),
++            ("nrpe-external-master", "nrpe"),
++        ]:
++            logging.info("Adding relation {} with {}".format(local_relation_name, remote_relation_unit))
++            try:
++                zaza.model.add_relation(
++                    self.application_name, local_relation_name, remote_relation_unit, self.model_name
++                )
++            except JujuAPIError as e:
++                p = r"^.*cannot\ add\ relation.*already\ exists"
++                if re.search(p, e.message):
++                    pass
++                else:
++                    raise (e)
++        zaza.model.block_until_wl_status_info_starts_with(self.application_name, status="Unit is ready", timeout=200)
++
++
++class TestChecks(TestBase):
++    """Tests for availability and usefulness of nagios checks."""
++
++    expected_checks = ["check_k8s_api_health.cfg", "check_k8s_api_cert_expiration.cfg"]
++    checks_dir = "/etc/nagios/nrpe.d/"
++    expected_plugins = ["check_kubernetes_api.py"]
++    plugins_dir = "/usr/local/lib/nagios/plugins/"
++
++    # TODO: Need testing around setting the trusted_ssl_ca cert
++    #    - does it get written to /etc/ssl/certs/ca-certificates.crt?
++    #    - does the k8s check plugin see it and use it for verification?
++
++    def test_check_plugins_exist(self):
++        """Verify that kubernetes service checks plugins are found."""
++        fail_messages = []
++        for plugin in self.expected_plugins:
++            pluginpath = self.plugins_dir + plugin
++            response = zaza.model.run_on_unit(
++                "kubernetes-service-checks/0", '[ -f "{}" ]'.format(pluginpath), model_name=self.model_name, timeout=30
++            )
++            if response["Code"] != "0":
++                fail_messages.append("Missing plugin: {}".format(pluginpath))
++                continue
++
++            # check executable
++            response = zaza.model.run_on_unit(
++                "kubernetes-service-checks/0", '[ -x "{}" ]'.format(pluginpath), model_name=self.model_name, timeout=30
++            )
++
++            if response["Code"] != "0":
++                fail_messages.append("Plugin not executable: {}".format(pluginpath))
++
++        if fail_messages:
++            self.fail("\n".join(fail_messages))
++
++    def test_checks_exist(self):
++        """Verify that kubernetes service checks nrpe checks exist."""
++        fail_messages = []
++        for check in self.expected_checks:
++            checkpath = self.checks_dir + check
++            response = zaza.model.run_on_unit(
++                "kubernetes-service-checks/0", '[ -f "{}" ]'.format(checkpath), model_name=self.model_name, timeout=30
++            )
++            if response["Code"] != "0":
++                fail_messages.append("Missing check: {}".format(checkpath))
++        if fail_messages:
++            self.fail("\n".join(fail_messages))
++
++
++class TestRelations(TestBase):
++    """Tests for charm behavior adding and removing relations."""
++
++    def _get_relation_id(self, remote_application, interface_name):
++        return zaza.model.get_relation_id(
++            self.application_name, remote_application, model_name=self.model_name, remote_interface_name=interface_name
++        )
++
++    def test_remove_kube_api_endpoint(self):
++        """Test removing kube-api-endpoint relation."""
++        rel_name = "kube-api-endpoint"
++        remote_app = "kubernetes-master"
++        logging.info("Removing kube-api-endpoint relation")
++
++        zaza.model.remove_relation(self.application_name, rel_name, remote_app, self.model_name)
++        try:
++            zaza.model.block_until_wl_status_info_starts_with(
++                self.application_name, status="missing kube-api-endpoint relation", timeout=180
++            )
++        except concurrent.futures._base.TimeoutError:
++            self.fail("Timed out waiting for Unit to become blocked")
++
++        logging.info("Waiting for relation {} to be destroyed".format(rel_name))
++        timeout = time.time() + 600
++        while self._get_relation_id(remote_app, rel_name) is not None:
++            time.sleep(5)
++            if time.time() > timeout:
++                self.fail("Timed out waiting for the relation {} to be destroyed".format(rel_name))
++
++    def test_remove_kube_control(self):
++        """Test removing kube-control relation."""
++        rel_name = "kube-control"
++        remote_app = "kubernetes-master"
++        logging.info("Removing kube-control relation")
++
++        zaza.model.remove_relation(self.application_name, rel_name, remote_app, self.model_name)
++
++        try:
++            zaza.model.block_until_wl_status_info_starts_with(
++                self.application_name, status="missing kube-control relation", timeout=180
++            )
++        except concurrent.futures._base.TimeoutError:
++            self.fail("Timed out waiting for Unit to become blocked")
++
++        logging.info("Waiting for relation {} to be destroyed".format(rel_name))
++        timeout = time.time() + 600
++        while self._get_relation_id(remote_app, rel_name) is not None:
++            time.sleep(5)
++            if time.time() > timeout:
++                self.fail("Timed out waiting for the relation {} to be destroyed".format(rel_name))
++
++    def test_remove_nrpe_external_master(self):
++        """Test removing nrpe-external-master relation."""
++        rel_name = "nrpe-external-master"
++        remote_app = "nrpe"
++        logging.info("Removing nrpe-external-master relation")
++
++        zaza.model.remove_relation(self.application_name, rel_name, remote_app, self.model_name)
++
++        try:
++            zaza.model.block_until_wl_status_info_starts_with(
++                self.application_name, status="missing nrpe-external-master relation", timeout=180
++            )
++        except concurrent.futures._base.TimeoutError:
++            self.fail("Timed out waiting for Unit to become blocked")
++
++        logging.info("Waiting for relation {} to be destroyed".format(rel_name))
++        timeout = time.time() + 600
++        while self._get_relation_id(remote_app, rel_name) is not None:
++            time.sleep(5)
++            if time.time() > timeout:
++                self.fail("Timed out waiting for the relation {} to be destroyed".format(rel_name))
 diff --git a/tests/functional/tests/tests.yaml b/tests/functional/tests/tests.yaml
 new file mode 100644
 index 0000000..75a9ce8
 --- /dev/null
 +++ b/tests/functional/tests/tests.yaml
@@ -0,0 +1,33 @@
++tests:
++    - tests.kubernetes_service_checks.TestChecks
++    - tests.kubernetes_service_checks.TestRelations
++target_deploy_status:
++    kubernetes-service-checks:
++        workload-status: blocked
++        workload-status-message: "missing kube-api-endpoint relation"
++    kubernetes-master:
++        workload-status: active
++        workload-status-message: "Kubernetes master running."
++    kubernetes-worker:
++        workload-status: active
++        workload-status-message: "Kubernetes worker running."
++    flannel:
++        workload-status: active
++        workload-status-message: "Flannel subnet"
++    easyrsa:
++        workload-status: active
++        workload-status-message: "Certificate Authority connected."
++    containerd:
++        workload-status: active
++        workload-status-message: "Container runtime available"
++    etcd:
++        workload-status: active
++        workload-status-message: "Healthy with 1 known peer"
++    nrpe:
++        workload-status: active
++        workload-status-message: "ready"
++gate_bundles:
++    - xenial
++    - bionic
++smoke_bundles:
++    - focal
 diff --git a/tests/unit/requirements.txt b/tests/unit/requirements.txt
 new file mode 100644
 index 0000000..b5f9fbd
 --- /dev/null
 +++ b/tests/unit/requirements.txt
@@ -0,0 +1,5 @@
++mock
++pyyaml
++coverage
++six
++urllib3
 diff --git a/tests/unit/setuppath.py b/tests/unit/setuppath.py
 new file mode 100644
 index 0000000..c3404e5
 --- /dev/null
 +++ b/tests/unit/setuppath.py
@@ -0,0 +1,6 @@
++"""Include ./lib ./src and ./file/plugins in the tests' PATH."""
++import sys
++
++sys.path.append("lib")
++sys.path.append("src")
++sys.path.append("files/plugins")
 diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
 new file mode 100644
 index 0000000..24f83f5
 --- /dev/null
 +++ b/tests/unit/test_charm.py
@@ -0,0 +1,243 @@
++"""Charm unit tests."""
++import os
++from pathlib import Path
++import unittest
++
++
++import mock
++import yaml
++
++# include ./lib in the charm's PATH
++import setuppath  # noqa:F401
++
++from charm import KubernetesServiceChecksCharm  # noqa:I100
++import ops.main
++from ops.testing import Harness
++
++TEST_KUBE_CONTOL_RELATION_DATA = {
++    "creds": """{"system:node:juju-62684f-0":
++                                      {"client_token": "DECAFBADBEEF",
++                                       "kubelet_token": "ABCDEF012345",
++                                       "proxy_token": "BADC0FFEEDAD",
++                                       "scope": "kubernetes-worker/0"}
++                                   }"""  # noqa:E127
++}
++TEST_KUBE_API_ENDPOINT_RELATION_DATA = {"hostname": "1.1.1.1", "port": "1111"}
++
++
++class TestKubernetesServiceChecksCharm(unittest.TestCase):
++    """Test Kubernetes Service Checks Charm Code."""
++
++    @classmethod
++    def setUpClass(cls):
++        """Prepare class fixture."""
++        # Stop unit test from calling fchown
++        fchown_patcher = mock.patch("os.fchown")
++        cls.mock_fchown = fchown_patcher.start()
++        chown_patcher = mock.patch("os.chown")
++        cls.mock_chown = chown_patcher.start()
++
++        # Stop charmhelpers host from logging via debug log
++        host_log_patcher = mock.patch("charmhelpers.core.host.log")
++        cls.mock_juju_log = host_log_patcher.start()
++
++        # Stop charmhelpers snap from logging via debug log
++        snap_log_patcher = mock.patch("charmhelpers.fetch.snap.log")
++        cls.mock_snap_log = snap_log_patcher.start()
++
++        charm_logger_patcher = mock.patch("charm.logging")
++        cls.mock_charm_log = charm_logger_patcher.start()
++
++        lib_logger_patcher = mock.patch("lib.lib_kubernetes_service_checks.logging")
++        cls.mock_lib_logger = lib_logger_patcher.start()
++
++        # Prevent charmhelpers from calling systemctl
++        host_service_patcher = mock.patch("charmhelpers.core.host.service_stop")
++        cls.mock_service_stop = host_service_patcher.start()
++        host_service_patcher = mock.patch("charmhelpers.core.host.service_start")
++        cls.mock_service_start = host_service_patcher.start()
++        host_service_patcher = mock.patch("charmhelpers.core.host.service_restart")
++        cls.mock_service_restart = host_service_patcher.start()
++
++        # Setup mock JUJU Environment variables
++        os.environ["JUJU_UNIT_NAME"] = "mock/0"
++        os.environ["JUJU_CHARM_DIR"] = "."
++
++    def setUp(self):
++        """Prepare tests."""
++        self.harness = Harness(KubernetesServiceChecksCharm)
++        # Mock config_get to return default config
++        with open(ops.main._get_charm_dir() / Path("config.yaml"), "r") as config_file:
++            config = yaml.safe_load(config_file)
++        charm_config = {}
++
++        for key, _ in config["options"].items():
++            charm_config[key] = config["options"][key]["default"]
++
++        self.harness._backend._config = charm_config
++
++    def test_harness(self):
++        """Verify harness."""
++        self.harness.begin()
++        self.assertFalse(self.harness.charm.state.installed)
++
++    @mock.patch("charmhelpers.fetch.snap.subprocess.check_call")
++    def test_install(self, mock_snap_subprocess):
++        """Test response to an install event."""
++        mock_snap_subprocess.return_value = 0
++        mock_snap_subprocess.side_effect = None
++
++        self.harness.begin()
++        self.harness.charm.on.install.emit()
++
++        self.assertEqual(self.harness.charm.unit.status.name, "maintenance")
++        self.assertEqual(self.harness.charm.unit.status.message, "Install complete")
++        self.assertTrue(self.harness.charm.state.installed)
++
++    def test_config_changed(self):
++        """Test response to config changed event."""
++        self.harness.set_leader(True)
++        self.harness.populate_oci_resources()
++        self.harness.begin()
++        self.harness.charm.check_charm_status = mock.MagicMock()
++        self.harness.charm.state.installed = True
++        self.harness.charm.on.config_changed.emit()
++        self.harness.charm.check_charm_status.assert_called_once()
++
++    def test_start_not_installed(self):
++        """Test response to start event without install state."""
++        self.harness.begin()
++        self.harness.charm.on.start.emit()
++        self.assertFalse(self.harness.charm.state.started)
++
++    def test_start_not_configured(self):
++        """Test response to start event without configured state."""
++        self.harness.begin()
++        self.harness.charm.state.installed = True
++        self.harness.charm.on.start.emit()
++        self.assertFalse(self.harness.charm.state.started)
++
++    def test_start(self):
++        """Test response to start event."""
++        self.harness.begin()
++        self.harness.charm.state.installed = True
++        self.harness.charm.state.configured = True
++        self.harness.charm.on.start.emit()
++        self.assertTrue(self.harness.charm.state.started)
++        self.assertEqual(self.harness.charm.unit.status.name, "active")
++
++    def test_on_kube_api_endpoint_relation_changed(self):
++        """Check kube-api-endpoint relation changed handling."""
++        relation_id = self.harness.add_relation("kube-api-endpoint", "kubernetes-master")
++        remote_unit = "kubernetes-master/0"
++        self.harness.begin()
++        self.harness.charm.check_charm_status = mock.MagicMock()
++        self.harness.add_relation_unit(relation_id, remote_unit)
++        self.harness.update_relation_data(relation_id, remote_unit, TEST_KUBE_API_ENDPOINT_RELATION_DATA)
++
++        self.harness.charm.check_charm_status.assert_called_once()
++        self.assertEqual(self.harness.charm.helper.kubernetes_api_address, "1.1.1.1")
++        self.assertEqual(self.harness.charm.helper.kubernetes_api_port, "1111")
++
++    def test_on_kube_control_relation_changed(self):
++        """Check kube-control relation changed handling."""
++        relation_id = self.harness.add_relation("kube-control", "kubernetes-master")
++        remote_unit = "kubernetes-master/0"
++        self.harness.begin()
++        self.harness.charm.check_charm_status = mock.MagicMock()
++        self.harness.add_relation_unit(relation_id, remote_unit)
++        self.harness.update_relation_data(relation_id, remote_unit, TEST_KUBE_CONTOL_RELATION_DATA)
++
++        self.harness.charm.check_charm_status.assert_called_once()
++        assert self.harness.charm.helper.kubernetes_client_token == "DECAFBADBEEF"
++
++    def test_nrpe_external_master_relation_joined(self):
++        """Check that nrpe.configure is True after nrpe relation joined."""
++        relation_id = self.harness.add_relation("nrpe-external-master", "nrpe")
++        remote_unit = "nrpe/0"
++        self.harness.begin()
++        self.assertFalse(self.harness.charm.state.nrpe_configured)
++        self.harness.charm.check_charm_status = mock.MagicMock()
++        self.harness.add_relation_unit(relation_id, remote_unit)
++
++        self.harness.charm.check_charm_status.assert_called_once()
++        self.assertTrue(self.harness.charm.state.nrpe_configured)
++
++    @mock.patch("ops.model.RelationData")
++    def test_nrpe_external_master_relation_departed(self, mock_relation_data):
++        """Check that nrpe.configure is False after nrpe relation departed."""
++        mock_relation_data.return_value.__getitem__.return_value = {}
++        self.harness.begin()
++        self.harness.charm.check_charm_status = mock.MagicMock()
++        self.emit("nrpe_external_master_relation_departed")
++        self.harness.charm.check_charm_status.assert_called_once()
++
++        self.assertFalse(self.harness.charm.state.nrpe_configured)
++
++    def test_check_charm_status_kube_api_endpoint_relation_missing(self):
++        """Check that the chatm blocks without kube-api-endpoint relation."""
++        self.harness.begin()
++        self.harness.charm.state.kube_control.update(TEST_KUBE_CONTOL_RELATION_DATA)
++        self.harness.charm.state.nrpe_configured = True
++        self.harness.charm.check_charm_status()
++
++        self.assertFalse(self.harness.charm.state.configured)
++        self.assertEqual(self.harness.charm.unit.status.name, "blocked")
++        self.assertEqual(self.harness.charm.unit.status.message, "missing kube-api-endpoint relation")
++
++    def test_check_charm_status_kube_control_relation_missing(self):
++        """Check that the charm blocks without kube-control relation."""
++        self.harness.begin()
++        self.harness.charm.state.kube_api_endpoint.update(TEST_KUBE_API_ENDPOINT_RELATION_DATA)
++        self.harness.charm.state.nrpe_configured = True
++        self.harness.charm.check_charm_status()
++
++        self.assertFalse(self.harness.charm.state.configured)
++        self.assertEqual(self.harness.charm.unit.status.name, "blocked")
++        self.assertEqual(self.harness.charm.unit.status.message, "missing kube-control relation")
++
++    def test_check_charm_status_nrpe_relation_missing(self):
++        """Check that the charm bloack without nrpe relation."""
++        self.harness.begin()
++        self.harness.charm.state.kube_control.update(TEST_KUBE_CONTOL_RELATION_DATA)
++        self.harness.charm.state.kube_api_endpoint.update(TEST_KUBE_API_ENDPOINT_RELATION_DATA)
++        self.harness.charm.check_charm_status()
++
++        self.assertFalse(self.harness.charm.state.configured)
++        self.assertEqual(self.harness.charm.unit.status.name, "blocked")
++        self.assertEqual(self.harness.charm.unit.status.message, "missing nrpe-external-master relation")
++
++    def test_check_charm_status_configured(self):
++        """Check the charm becomes configured."""
++        self.harness.begin()
++        self.harness.charm.helper.configure = mock.MagicMock()
++        self.harness.charm.state.kube_control.update(TEST_KUBE_CONTOL_RELATION_DATA)
++        self.harness.charm.state.kube_api_endpoint.update(TEST_KUBE_API_ENDPOINT_RELATION_DATA)
++        self.harness.charm.state.nrpe_configured = True
++        self.harness.charm.check_charm_status()
++
++        self.harness.charm.helper.configure.assert_called_once()
++        self.assertTrue(self.harness.charm.state.configured)
++
++    def emit(self, event):
++        """Emit the named hook on the charm."""
++        self.harness.charm.framework.reemit()
++
++        if "_relation_" in event:
++            relation_name = event.split("_relation")[0].replace("_", "-")
++            with mock.patch.dict(
++                "os.environ",
++                {
++                    "JUJU_RELATION": relation_name,
++                    "JUJU_RELATION_ID": "1",
++                    "JUJU_REMOTE_APP": "mock",
++                    "JUJU_REMOTE_UNIT": "mock/0",
++                },
++            ):
++                ops.main._emit_charm_event(self.harness.charm, event)
++        else:
++            ops.main._emit_charm_event(self.harness.charm, event)
++
++
++if __name__ == "__main__":
++    unittest.main()
 diff --git a/tests/unit/test_lib_ksc.py b/tests/unit/test_lib_ksc.py
 new file mode 100644
 index 0000000..94f67bc
 --- /dev/null
 +++ b/tests/unit/test_lib_ksc.py
@@ -0,0 +1,164 @@
++"""Tests for Kubernetes Service Checks Helper."""
++import base64
++import os
++import subprocess
++from subprocess import CalledProcessError
++import tempfile
++import unittest
++
++from lib import lib_kubernetes_service_checks
++import mock
++import yaml
++
++
++TEST_CERTIFICATE = """-----BEGIN CERTIFICATE-----
++MIIDOzCCAiOgAwIBAgIJAPoOXrIwH+miMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
++BAMMDTEwLjEzMi4yNTEuNjAwHhcNMjAwNzE3MTMzMzI0WhcNMzAwNzE1MTMzMzI0
++WjAYMRYwFAYDVQQDDA0xMC4xMzIuMjUxLjYwMIIBIjANBgkqhkiG9w0BAQEFAAOC
++AQ8AMIIBCgKCAQEAqpYVlmT/eRBhCKHaqXjY6EAzvx5GZY0PhL/YGBl9uF8YQGEF
++F3k3Ec7pyJMIQblmWxdCPd1uNzHU8mwApiuPG9GtYOK+olqgslLsmOU9LTi6KJWX
++x956VxdefXDYvr0B6K/Hdgkb1x//XwvipSV1fZ1MCDIiP/hWKi4CmEq31sVpCBdp
++Uiz3qdCzsiGt0f4kbgIJSVtxhWlNJ5MaCOm7gXafkF8OIUTmWhmPp2gH7pfPzzl1
++glOX2Z41qwPuz7Jbcxx/z/yGjdPeJTQYoqJfpDpCrT2er5xyRf66HqKx9Ld/FiqM
++ZksRwmzF9WvqCBK8WoRmnvFxk1FZPGt6E5gotwIDAQABo4GHMIGEMB0GA1UdDgQW
++BBSUCCmRxb4tKD6w8jZ3hHs4ciFizDBIBgNVHSMEQTA/gBSUCCmRxb4tKD6w8jZ3
++hHs4ciFizKEcpBowGDEWMBQGA1UEAwwNMTAuMTMyLjI1MS42MIIJAPoOXrIwH+mi
++MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBv
++BYwILWI/4dGczqG0hcqt8tW04Oi+7y0HxzeI/oaUq/HKfvCz5a+WhpykMKRDJoaZ
++aejR2Oc7A0OUnenpvMeIiMcUIetM3Q1Gzx0aU+vqUNNaZlooSSbe3z1VK6bUsYDo
++qdKhs+mSyuEticK2SEWjT+ZWpV1rjSd5zRZ/UvC1ZhDNJGZotIIqryQWd3YfYl9l
++7JrdzUVCbxs4ywxNp9/I+MJEiBfMHQx8FWr1M2HvLDAm6NZLfM68y5FClzfGpopV
++0ARirz1AfbS6xUumyXHOH2qH527PUXFdfYGSn+juDG/dRTENYJ3OPAfWdj4ze1qQ
++n3ajLSYPvdyKaztdB1VL
++-----END CERTIFICATE-----"""
++
++
++class TestLibKSCHelper(unittest.TestCase):
++    """Unittest class for Kubernetes Service Checks Helper."""
++
++    @classmethod
++    def setUpClass(cls):
++        """Prepare Class Fixture."""
++        # Load default config
++        with open("./config.yaml") as default_config:
++            cls.config = yaml.safe_load(default_config)
++
++        # set defaults to the config object
++        for key in cls.config["options"]:
++            if "default" in cls.config["options"][key]:
++                cls.config[key] = cls.config["options"][key]["default"]
++
++        # Create test state object
++        class FakeStateObject(object):
++            kube_api_endpoint = {"hostname": "1.1.1.1", "port": "1111"}
++            kube_control = {"creds": """{"kube-client": {"client_token": "abcdef0123456789"}}"""}
++            installed = False
++            configured = False
++            started = False
++            nrpe_configured = False
++
++        cls.state = FakeStateObject()
++
++        # Stop unit test from calling fchown
++        fchown_patcher = mock.patch("os.fchown")
++        cls.mock_fchown = fchown_patcher.start()
++        chown_patcher = mock.patch("os.chown")
++        cls.mock_chown = chown_patcher.start()
++
++        # Stop charmhelpers host from logging via debug log
++        host_log_patcher = mock.patch("charmhelpers.core.host.log")
++        cls.mock_juju_log = host_log_patcher.start()
++
++        host_logger_patcher = mock.patch("lib.lib_kubernetes_service_checks.logging")
++        cls.mock_logger = host_logger_patcher.start()
++
++        # Stop charmhelpers snap from logging via debug log
++        snap_log_patcher = mock.patch("charmhelpers.fetch.snap.log")
++        cls.mock_snap_log = snap_log_patcher.start()
++
++        # Setup a tmpdir
++        cls.tmpdir = tempfile.TemporaryDirectory()
++        cls.cert_path = os.path.join(cls.tmpdir.name, "kubernetes-service-checks.crt")
++
++        lib_kubernetes_service_checks.CERT_FILE = cls.cert_path
++        lib_kubernetes_service_checks.NAGIOS_PLUGINS_DIR = cls.tmpdir.name
++
++    @classmethod
++    def tearDownClass(cls):
++        """Tear down class fixture."""
++        mock.patch.stopall()
++        cls.tmpdir.cleanup()
++
++    def setUp(self):
++        """Prepare test fixture."""
++        self.helper = lib_kubernetes_service_checks.KSCHelper(self.config, self.state)
++
++    def tearDown(self):
++        """Clean up test fixture."""
++        try:
++            os.remove(self.cert_path)
++        except FileNotFoundError:
++            pass
++
++    def test_kube_api_endpoint_properties(self):
++        """Test that hostname and port properties get passed through."""
++        # kube_api_endpoint (relation) -> hostname & port
++        self.assertEqual(self.helper.kubernetes_api_address, "1.1.1.1")
++        self.assertEqual(self.helper.kubernetes_api_port, "1111")
++
++        self.helper.state.kube_api_endpoint = {}
++        self.assertEqual(self.helper.kubernetes_api_address, None)
++        self.assertEqual(self.helper.kubernetes_api_port, None)
++
++    def test_kube_control_endpoint_properties(self):
++        """Test KSCHelper client_token gets passed though."""
++        # kube-control (relation) -> kube client token
++        self.assertEqual(self.helper.kubernetes_client_token, "abcdef0123456789")
++
++        self.helper.state.kube_control = {}
++        self.assertEqual(self.helper.kubernetes_client_token, None)
++
++    @mock.patch("lib.lib_kubernetes_service_checks.subprocess.call")
++    def test_update_tls_certificates(self, mock_subprocess):
++        """Test that SSL certificates get updated."""
++        # returns False when no available trusted_ssl_cert
++        self.assertFalse(self.helper.update_tls_certificates())
++
++        # returns True when subprocess successful
++        self.helper.config["trusted_ssl_ca"] = base64.b64encode(str.encode(TEST_CERTIFICATE))
++        self.assertTrue(self.helper.update_tls_certificates())
++        with open(self.cert_path, "r") as f:
++            self.assertEqual(f.read(), TEST_CERTIFICATE)
++        mock_subprocess.assert_called_once_with(["/usr/sbin/update-ca-certificates"])
++        mock_subprocess.reset_mock()
++
++        # returns false when subprocess hits an exception
++        mock_subprocess.side_effect = CalledProcessError("Command", "Mock Subprocess Call Error")
++        self.assertFalse(self.helper.update_tls_certificates())
++
++    def test_render_checks(self):
++        """Test that NPRE is called to add KSC checks."""
++        # TODO
++        pass
++
++    @mock.patch("charmhelpers.fetch.snap.subprocess.check_call")
++    def test_install_kubectl(self, mock_snap_subprocess):
++        """Test install kubectl snap helper function."""
++        self.assertTrue(self.helper.install_kubectl())
++        channel = self.config.get("channel")
++        mock_snap_subprocess.assert_called_with(
++            ["snap", "install", "--classic", "--channel={}".format(channel), "kubectl"], env=os.environ
++        )
++
++    @mock.patch("charmhelpers.fetch.snap.subprocess.check_call")
++    def test_install_snap_failure(self, mock_snap_subprocess):
++        """Test response to a failed install event."""
++        error = subprocess.CalledProcessError("cmd", "Install failed")
++        error.returncode = 1
++        mock_snap_subprocess.return_value = 1
++        mock_snap_subprocess.side_effect = error
++        self.assertFalse(self.helper.install_kubectl())
++
++
++if __name__ == "__main__":
++    unittest.main()
 diff --git a/tests/unit/test_plugins.py b/tests/unit/test_plugins.py
 new file mode 100644
 index 0000000..42d1697
 --- /dev/null
 +++ b/tests/unit/test_plugins.py
@@ -0,0 +1,65 @@
++"""Unit tests for Kubernetes Service Checks NRPE Plugins."""
++import unittest
++
++import check_kubernetes_api
++import mock
++
++
++class TestKSCPlugins(unittest.TestCase):
++    """Test cases for Kubernetes Service Checks NRPE plugins."""
++
++    @mock.patch("check_kubernetes_api.sys.exit")
++    @mock.patch("check_kubernetes_api.print")
++    def test_nagios_exit(self, mock_print, mock_sys_exit):
++        """Test the nagios_exit function."""
++        msg = "Test message"
++        for code, status in check_kubernetes_api.NAGIOS_STATUS.items():
++            expected_output = "{}: {}".format(status, msg)
++            check_kubernetes_api.nagios_exit(code, msg)
++
++            mock_print.assert_called_with(expected_output)
++            mock_sys_exit.assert_called_with(code)
++
++    @mock.patch("check_kubernetes_api.urllib3.PoolManager")
++    def test_kubernetes_health_ssl(self, mock_http_pool_manager):
++        """Test the check k8s health function called with expected ssl params."""
++        host_address = "https://1.1.1.1:1111"
++        token = "0123456789abcdef"
++        disable_ssl = True
++
++        mock_http_pool_manager.return_value.status = 200
++        mock_http_pool_manager.return_value.data = b"ok"
++
++        check_kubernetes_api.check_kubernetes_health(host_address, token, disable_ssl)
++        mock_http_pool_manager.assert_called_with(cert_reqs="CERT_NONE", assert_hostname=False)
++
++        disable_ssl = False
++        check_kubernetes_api.check_kubernetes_health(host_address, token, disable_ssl)
++        mock_http_pool_manager.assert_called_with()
++
++    @mock.patch("check_kubernetes_api.urllib3.PoolManager")
++    def test_kubernetes_health_status(self, mock_http_pool_manager):
++        """Test kubernetes health function."""
++        host_address = "https://1.1.1.1:1111"
++        token = "0123456789abcdef"
++        ssl_ca = "test/cert/path"
++
++        mock_http_pool_manager.return_value.request.return_value.status = 200
++        mock_http_pool_manager.return_value.request.return_value.data = b"ok"
++
++        # verify status OK
++        status, _ = check_kubernetes_api.check_kubernetes_health(host_address, token, ssl_ca)
++        self.assertEqual(status, check_kubernetes_api.NAGIOS_STATUS_OK)
++        mock_http_pool_manager.return_value.request.assert_called_once_with(
++            "GET", "{}/healthz".format(host_address), headers={"Authorization": "Bearer {}".format(token)}
++        )
++
++        mock_http_pool_manager.return_value.request.return_value.status = 500
++        mock_http_pool_manager.return_value.request.return_value.data = b"ok"
++        status, _ = check_kubernetes_api.check_kubernetes_health(host_address, token, ssl_ca)
++        self.assertEqual(status, check_kubernetes_api.NAGIOS_STATUS_CRITICAL)
++
++        mock_http_pool_manager.return_value.request.return_value.status = 200
++        mock_http_pool_manager.return_value.request.return_value.data = b"not ok"
++        status, _ = check_kubernetes_api.check_kubernetes_health(host_address, token, ssl_ca)
++        self.assertEqual(status, check_kubernetes_api.NAGIOS_STATUS_WARNING)
 diff --git a/tox.ini b/tox.ini
 new file mode 100644
 index 0000000..2f92371
 --- /dev/null
 +++ b/tox.ini
@@ -0,0 +1,52 @@
++[tox]
++skipsdist = True
++envlist = unit, func
++skip_missing_interpreters = True
++
++[testenv]
++basepython = python3
++setenv =
++  PYTHONPATH = {toxinidir}/lib/:{toxinidir}
++passenv =
++  HOME
++  MODEL_SETTINGS
++  CHARM_BUILD_DIR
++
++[testenv:unit]
++commands =
++    coverage run -m unittest discover -s {toxinidir}/tests/unit -v
++    coverage report \
++	--omit tests/*,mod/*,.tox/*
++    coverage html \
++	--omit tests/*,mod/*,.tox/*
++deps = -r{toxinidir}/tests/unit/requirements.txt
++
++[testenv:func]
++changedir = {toxinidir}/tests/functional
++commands = functest-run-suite {posargs}
++deps = -r{toxinidir}/tests/functional/requirements.txt
++
++[testenv:lint]
++commands =
++    flake8
++    black --check --line-length 120 --exclude /(\.eggs|\.git|\.tox|\.venv|build|dist|charmhelpers|mod)/ .
++deps =
++    black
++    flake8
++    flake8-docstrings
++    flake8-import-order
++    pep8-naming
++    flake8-colors
++
++[flake8]
++exclude =
++    .git,
++    __pycache__,
++    .tox,
++    mod,
++max-line-length = 120
++max-complexity = 10
++import-order-style = google
++
++[isort]
++force_to_top=setuppath