| -rw-r--r-- | playbooks/byo/openshift-cluster/check-cert-expiry.yaml | 35 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/check-cert-expiry.yaml | 44 | ||||
| -rw-r--r-- | roles/openshift_certificate_expiry/README.md | 63 | ||||
| -rw-r--r-- | roles/openshift_certificate_expiry/defaults/main.yml | 6 | ||||
| -rw-r--r-- | roles/openshift_certificate_expiry/library/openshift_cert_expiry.py (renamed from library/openshift_cert_expiry.py) | 0 | ||||
| -rw-r--r-- | roles/openshift_certificate_expiry/meta/main.yml | 15 | ||||
| -rw-r--r-- | roles/openshift_certificate_expiry/tasks/main.yml | 23 | ||||
| -rw-r--r-- | roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 (renamed from playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2) | 0 | ||||
| -rw-r--r-- | roles/openshift_certificate_expiry/templates/save_json_results.j2 | 5 | 
9 files changed, 112 insertions, 79 deletions
| diff --git a/playbooks/byo/openshift-cluster/check-cert-expiry.yaml b/playbooks/byo/openshift-cluster/check-cert-expiry.yaml deleted file mode 100644 index 39efdbd36..000000000 --- a/playbooks/byo/openshift-cluster/check-cert-expiry.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# check-cert-expiry.yaml - A utility for cluster ops to scan through -# (critical) certificates for the ongoing operations of a cluster. - -# We do not support all Ansible versions. This is our safety net. -- include: ../../common/openshift-cluster/verify_ansible_version.yml - -- name: Generate the l_oo_all_hosts group -  hosts: localhost -  connection: local -  become: no -  gather_facts: no -  tasks: -  - include_vars: cluster_hosts.yml -  - add_host: -      name: "{{ item }}" -      groups: l_oo_all_hosts -    with_items: "{{ g_all_hosts | default([]) }}" - -# This may seem redundant, running `include_vars` again on the list of -# hosts in the group 'l_oo_all_hosts' which we just created. But the -# fact of the matter is that if we don't re-run include_vars on the -# new host group we created, then they will not have access to those -# same group variables they were birthed from. -# -# Go ahead and try to 'debug: var=g_all_hosts' later on (without this -# play) and you'll find that the result is UNDEFINED VARIABLE. -- name: Inject cluster hosts variables into l_oo_all_hosts -  hosts: l_oo_all_hosts -  gather_facts: no -  tasks: -  - include_vars: cluster_hosts.yml - -# This is where the actual business gets started: -- include: ../../common/openshift-cluster/check-cert-expiry.yaml diff --git a/playbooks/common/openshift-cluster/check-cert-expiry.yaml b/playbooks/common/openshift-cluster/check-cert-expiry.yaml deleted file mode 100644 index b585fd849..000000000 --- a/playbooks/common/openshift-cluster/check-cert-expiry.yaml +++ /dev/null 
@@ -1,44 +0,0 @@
-# ---
-# # This must be evaluated after cluster_hosts.yml has been evaluated on
-# # 'localhost' to generate l_oo_all_hosts and then subsequently
-# # evaluated again on the generated hosts group (l_oo_all_hosts).
-# - include: evaluate_groups.yml
-#   tags:
-#   - always
-
-# # Initialize cluster facts for oo_all_hosts using the openshift_facts
-# # role followed by the 'common' role
-# - include: initialize_facts.yml
-#   tags:
-#   - always
-
-# # Get the version to install from the first master, then synchronize
-# # that variable across all in oo_all_hosts
-# - include: initialize_openshift_version.yml
-#   tags:
-#   - always
-
-# # Earlier 'initialize_facts' included the openshift_facts role and
-# # used the openshift_facts module with the 'role' parameter set to
-# # 'common'. Now we're applying the openshift_facts role AGAIN but just
-# # to the subset of oo_all_hosts which require configuring.
-# - name: Load openshift_facts
-#   hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config
-#   roles:
-#     - openshift_facts
-
-- hosts: all
-  become: yes
-  gather_facts: no
-  tasks:
-    - name: Check cert expirys on host
-      openshift_cert_expiry:
-        warning_days: 1500
-      register: check_results
-    - name: Generate html
-      become: no
-      run_once: yes
-      template:
-        src: templates/cert-expiry-table.html.j2
-        dest: /tmp/cert-table.html
-      delegate_to: localhost
diff --git a/roles/openshift_certificate_expiry/README.md b/roles/openshift_certificate_expiry/README.md
new file mode 100644
index 000000000..75970c7a0
--- /dev/null
+++ b/roles/openshift_certificate_expiry/README.md
@@ -0,0 +1,63 @@
+OpenShift Certificate Expiration Checker
+========================================
+
+OpenShift certificate expiration checking. Be warned of certificates
+expiring within a configurable window of days, and notified of
+certificates which have already expired. Certificates examined
+include:
+
+* Master/Node Service Certificates
+* Router/Registry Service Certificates from etcd secrets
+* Master/Node/Router/Registry/Admin `kubeconfig`s
+* Etcd certificates
+
+
+
+Requirements
+------------
+
+* None
+
+
+Role Variables
+--------------
+
+From this role:
+
+| Name                     | Default value | Description                                                                         |
+|--------------------------|---------------|-------------------------------------------------------------------------------------|
+| `config_base`            | `/etc/origin` | Base openshift config directory                                                     |
+| `warning_days`           | `30`          | Flag certificates which will expire in this many days from now                      |
+| `show_all`               | `False`       | Include healthy (non-expired and non-warning) certificates in results               |
+| `generate_report`        | `False`       | Generate an HTML report of the expiry check results                                 |
+| `save_json_results`      | `False`       | Save expiry check results as a json file                                            |
+| `result_dir`             | `/tmp`        | Directory in which to put check results and generated reports                       |
+
+
+Dependencies
+------------
+
+* None
+
+Example Playbook
+----------------
+
+```
+- name: Check cert expirys
+  hosts: all
+  become: yes
+  gather_facts: no
+  roles:
+  - role: openshift_certificate_expiry
+```
+
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Tim Bielawa (tbielawa@redhat.com)
diff --git a/roles/openshift_certificate_expiry/defaults/main.yml b/roles/openshift_certificate_expiry/defaults/main.yml
new file mode 100644
index 000000000..5c077f450
--- /dev/null
+++ b/roles/openshift_certificate_expiry/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+config_base: "/etc/origin"
+warning_days: 30
+show_all: false
+generate_report: false
+result_dir: "/tmp"
diff --git a/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index f18ab75d0..f18ab75d0 100644
--- a/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
diff --git a/roles/openshift_certificate_expiry/meta/main.yml b/roles/openshift_certificate_expiry/meta/main.yml
new file mode 100644
index 000000000..dd66299ea
--- /dev/null
+++ b/roles/openshift_certificate_expiry/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Tim Bielawa
+  description: OpenShift Certificate Expiry Checker
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.1
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies: []
diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml
new file mode 100644
index 000000000..def7d1284
--- /dev/null
+++ b/roles/openshift_certificate_expiry/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Check cert expirys on host
+  openshift_cert_expiry:
+    warning_days: 1500
+  register: check_results
+
+- name: Generate html
+  become: no
+  run_once: yes
+  template:
+    src: cert-expiry-table.html.j2
+    dest: /tmp/cert-table.html
+  delegate_to: localhost
+  when: generate_report
+
+- name: Generate JSON
+  become: no
+  run_once: yes
+  template:
+    src: save_json_results.j2
+    dest: /tmp/cert-expiry-results.json
+  delegate_to: localhost
+  when: save_json_results
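Review bot: `when: save_json_results` in the tasks/main.yml hunk references a variable that the defaults/main.yml hunk never defines, even though README.md documents it with a default of `False`; a play that does not set it fails on an undefined variable instead of skipping the task, so the defaults hunk needs `save_json_results: false`. The same tasks file still hardcodes `warning_days: 1500` (carried over from the deleted playbook) and `/tmp/...` destinations, which leaves the documented `warning_days` and `result_dir` role variables unused; replace them with `warning_days: "{{ warning_days }}"`, `dest: "{{ result_dir }}/cert-table.html"` and `dest: "{{ result_dir }}/cert-expiry-results.json"`. Both report tasks write certificate metadata for every host in the play to a fixed path in a world-writable directory on the control host with the template module's default mode; since `result_dir` defaults to `/tmp`, a `mode` on these tasks and a README sentence stating that the results directory should be readable only by the operator would be worth adding. `config_base` and `show_all` are likewise documented but never passed to `openshift_cert_expiry` here — whether the module reads them on its own cannot be seen in this diff, so that should be confirmed against the module.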
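Review bot: `min_ansible_version: 2.1` in the meta/main.yml hunk is an unquoted float, so a future bump to a value such as `2.10` would silently parse as `2.1`; writing it as `min_ansible_version: "2.1"` keeps it a string, which is the form the tasks file also depends on for nothing numeric. This is a style point only; the current value is read correctly as written.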
diff --git a/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 index f74d7f1ce..f74d7f1ce 100644 --- a/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 +++ b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 diff --git a/roles/openshift_certificate_expiry/templates/save_json_results.j2 b/roles/openshift_certificate_expiry/templates/save_json_results.j2 new file mode 100644 index 000000000..89602ac2b --- /dev/null +++ b/roles/openshift_certificate_expiry/templates/save_json_results.j2 @@ -0,0 +1,5 @@ +{ +{% for host in play_hosts %} +"{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=2) }}{% if not loop.last %},{% endif %} +{% endfor %} +} | 
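Review bot: In save_json_results.j2 the object key is emitted as `"{{host}}"`, which yields invalid JSON for any inventory hostname containing a double quote or backslash, and the template fails outright for a host in `play_hosts` that has no `check_results` fact (for example a host where the check task was skipped); use `{{ host | to_json }}` for the key and guard the loop body with `{% if hostvars[host].check_results is defined %}`. Whether a host whose check task failed is still present in `play_hosts` at this point depends on the play's error handling, so that case is inferred rather than shown here. Newer Ansible releases also deprecate `play_hosts` in favour of `ansible_play_hosts`, which is worth noting given `min_ansible_version: 2.1` in meta/main.yml.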
