website: verify deployment internally

This checks that the website service is running and
accessible from within the cluster.
It doesn't check that the website is externally accessible.

platform/spire/resources/prometheus.yaml

@@ -135,3 +135,13 @@ scrape_configs:
       regex: (.+)
       target_label: __metrics_path__
       replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+
+  - job_name: 'website-internal'
+    scheme: https
+    tls_config:
+      ca_file: /etc/homeworld/authorities/kubernetes.pem
+      cert_file: /etc/homeworld/keys/kubernetes-supervisor.pem
+      key_file: /etc/homeworld/keys/kubernetes-supervisor.key
+    static_configs:
+      - targets: ['{{APISERVER}}:443']
+    metrics_path: '/api/v1/namespaces/homeworld-website/services/homeworld-website/proxy/metrics'

platform/spire/src/seq.py

@@ -126,6 +126,8 @@ def sequence_cluster(ops: command.Operations) -> None:
     else:
         ops.add_operation("verify that user-grant is working properly", iterative_verifier(verify.check_user_grant, 120.0))
 
+    ops.add_command(iterative_verifier(verify.check_website, 120.0))
+
 
 main_command = command.SeqMux("commands about running large sequences of cluster bring-up automatically", {
     "keysystem": sequence_keysystem,

platform/spire/src/verify.py

@@ -354,6 +354,14 @@ def check_user_grant():
     print("autogenerated rolebinding for user", repr(authority.UPSTREAM_USER_NAME), "passed basic check!")
 
 
+
+@command.wrap
+def check_website():
+    "verify that the self-hosted website is running"
+    expect_prometheus_query_exact('sum(up{job="website-internal"})', 1, "website is accessible from inside the cluster")
+    print("self-hosted website is running")
+
+
 main_command = command.Mux("commands about verifying the state of a cluster", {
     "keystatics": check_keystatics,
     "keygateway": check_keygateway,
@@ -369,4 +377,5 @@ def check_user_grant():
     "flannel": check_flannel,
     "dns-addon": check_dns,
     "user-grant": check_user_grant,
+    "website": check_website,
 })