diff options
author | Tim Bielawa <tbielawa@redhat.com> | 2016-11-18 10:39:31 -0800 |
---|---|---|
committer | Tim Bielawa <tbielawa@redhat.com> | 2016-12-15 10:45:15 -0800 |
commit | f9731780168e117e20471069f32a89056ac07d45 (patch) | |
tree | 3c3713e427aa3652e02da338edf71ccd6cf6fea9 /roles/openshift_certificate_expiry | |
parent | 4bde8aa816fdca2aafe7626468e211c426caa7b9 (diff) | |
download | openshift-f9731780168e117e20471069f32a89056ac07d45.tar.gz openshift-f9731780168e117e20471069f32a89056ac07d45.tar.bz2 openshift-f9731780168e117e20471069f32a89056ac07d45.tar.xz openshift-f9731780168e117e20471069f32a89056ac07d45.zip |
Check embedded etcd certs now, too
* Addresses RFE in
https://bugzilla.redhat.com/show_bug.cgi?id=1389264
Diffstat (limited to 'roles/openshift_certificate_expiry')
-rw-r--r-- | roles/openshift_certificate_expiry/library/openshift_cert_expiry.py | 48 |
1 files changed, 44 insertions, 4 deletions
diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py index d467d0cc8..1fac284f2 100644 --- a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py +++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py @@ -246,8 +246,7 @@ Return: 'total': len(items), 'ok': 0, 'warning': 0, - 'expired': 0, - 'total': len(items) + 'expired': 0 } summary_results['expired'] = len([c for c in items if c['health'] == 'expired']) @@ -468,7 +467,11 @@ an OpenShift Container Platform cluster ###################################################################### # Check etcd certs + # + # Two things to check: 'external' etcd, and embedded etcd. ###################################################################### + # FIRST: The 'external' etcd + # # Some values may be duplicated, make this a set for now so we # unique them all etcd_certs_to_check = set([]) @@ -507,6 +510,43 @@ an OpenShift Container Platform cluster classify_cert(expire_check_result, now, time_remaining, expire_window, etcd_certs) ###################################################################### + # Now the embedded etcd + ###################################################################### + try: + with open('/etc/origin/master/master-config.yaml', 'r') as fp: + cfg = yaml.load(fp) + except IOError: + # Not present + pass + else: + if cfg.get('etcdConfig', {}).get('servingInfo', {}).get('certFile', None) is not None: + # This is embedded + etcd_crt_name = cfg['etcdConfig']['servingInfo']['certFile'] + else: + # Not embedded + etcd_crt_name = None + + if etcd_crt_name is not None: + # etcd_crt_name is relative to the location of the + # master-config.yaml file + cfg_path = os.path.dirname(fp.name) + etcd_cert = os.path.join(cfg_path, etcd_crt_name) + with open(etcd_cert, 'r') as etcd_fp: + (cert_subject, + cert_expiry_date, + time_remaining) = load_and_handle_cert(etcd_fp.read(), now) + + expire_check_result = { + 'cert_cn': cert_subject, + 'path': etcd_fp.name, + 'expiry': cert_expiry_date, + 'days_remaining': time_remaining.days, + 'health': None, + } + + classify_cert(expire_check_result, now, time_remaining, expire_window, etcd_certs) + + ###################################################################### # /Check etcd certs ###################################################################### @@ -524,7 +564,7 @@ an OpenShift Container Platform cluster ###################################################################### # First the router certs try: - router_secrets_raw = subprocess.Popen('oc get secret router-certs -o yaml'.split(), + router_secrets_raw = subprocess.Popen('oc get -n default secret router-certs -o yaml'.split(), stdout=subprocess.PIPE) router_ds = yaml.load(router_secrets_raw.communicate()[0]) router_c = router_ds['data']['tls.crt'] @@ -553,7 +593,7 @@ an OpenShift Container Platform cluster ###################################################################### # Now for registry try: - registry_secrets_raw = subprocess.Popen('oc get secret registry-certificates -o yaml'.split(), + registry_secrets_raw = subprocess.Popen('oc get -n default secret registry-certificates -o yaml'.split(), stdout=subprocess.PIPE) registry_ds = yaml.load(registry_secrets_raw.communicate()[0]) registry_c = registry_ds['data']['registry.crt'] |