Diffstat (limited to 'roles/openshift_certificate_expiry')
-rw-r--r--roles/openshift_certificate_expiry/README.md138
-rw-r--r--roles/openshift_certificate_expiry/defaults/main.yml8
-rw-r--r--roles/openshift_certificate_expiry/library/openshift_cert_expiry.py13
-rw-r--r--roles/openshift_certificate_expiry/tasks/main.yml16
-rw-r--r--roles/openshift_certificate_expiry/templates/save_json_results.j23
5 files changed, 151 insertions, 27 deletions
diff --git a/roles/openshift_certificate_expiry/README.md b/roles/openshift_certificate_expiry/README.md
index 75970c7a0..9b543a335 100644
--- a/roles/openshift_certificate_expiry/README.md
+++ b/roles/openshift_certificate_expiry/README.md
@@ -22,16 +22,22 @@ Requirements
Role Variables
--------------
-From this role:
+Core variables in this role:
-| Name | Default value | Description |
-|--------------------------|---------------|-------------------------------------------------------------------------------------|
-| `config_base` | `/etc/origin` | Base openshift config directory |
-| `warning_days` | `30` | Flag certificates which will expire in this many days from now |
-| `show_all` | `False` | Include healthy (non-expired and non-warning) certificates in results |
-| `generate_report` | `False` | Generate an HTML report of the expiry check results |
-| `save_json_results` | `False` | Save expiry check results as a json file |
-| `result_dir` | `/tmp` | Directory in which to put check results and generated reports |
+| Name | Default value | Description |
+|--------------------------|--------------------------------|-----------------------------------------------------------------------|
+| `config_base` | `/etc/origin` | Base openshift config directory |
+| `warning_days` | `30` | Flag certificates which will expire in this many days from now |
+| `show_all` | `no` | Include healthy (non-expired and non-warning) certificates in results |
+
+Optional report/result saving variables in this role:
+
+| Name | Default value | Description |
+|--------------------------|--------------------------------|-----------------------------------------------------------------------|
+| `generate_html_report` | `no` | Generate an HTML report of the expiry check results |
+| `html_report_path` | `/tmp/cert-expiry-report.html` | The full path to save the HTML report as |
+| `save_json_results` | `no` | Save expiry check results as a json file |
+| `json_results_path` | `/tmp/cert-expiry-report.json` | The full path to save the json report as |
Dependencies
@@ -42,16 +48,128 @@ Dependencies
Example Playbook
----------------
+Default behavior:
+
+```yaml
+---
+- name: Check cert expirys
+ hosts: all
+ become: yes
+ gather_facts: no
+ roles:
+ - role: openshift_certificate_expiry
+```
+
+Generate HTML and JSON artifacts in their default paths:
+
+```yaml
+---
+- name: Check cert expirys
+ hosts: all
+ become: yes
+ gather_facts: no
+ vars:
+ generate_html_report: yes
+ save_json_results: yes
+ roles:
+ - role: openshift_certificate_expiry
```
+
+Change the expiration warning window to 1500 days (good for testing
+the module out)
+
+```yaml
+---
- name: Check cert expirys
hosts: all
become: yes
gather_facts: no
+ vars:
+ warning_days: 1500
roles:
- - role: openshift_certificate_expiry
+ - role: openshift_certificate_expiry
```
+Example JSON Output
+-------------------
+
+Example is abbreviated to save space:
+
+```json
+{
+ "192.168.124.148": {
+ "etcd": [
+ {
+ "cert_cn": "CN:etcd-signer@1474563722",
+ "days_remaining": 350,
+ "expiry": "2017-09-22 17:02:25",
+ "health": "warning",
+ "path": "/etc/etcd/ca.crt"
+ },
+ ],
+ "kubeconfigs": [
+ {
+ "cert_cn": "O:system:nodes, CN:system:node:m01.example.com",
+ "days_remaining": 715,
+ "expiry": "2018-09-22 17:08:57",
+ "health": "warning",
+ "path": "/etc/origin/node/system:node:m01.example.com.kubeconfig"
+ },
+ {
+ "cert_cn": "O:system:cluster-admins, CN:system:admin",
+ "days_remaining": 715,
+ "expiry": "2018-09-22 17:04:40",
+ "health": "warning",
+ "path": "/etc/origin/master/admin.kubeconfig"
+ }
+ ],
+ "meta": {
+ "checked_at_time": "2016-10-07 15:26:47.608192",
+ "show_all": "True",
+ "warn_after_date": "2020-11-15 15:26:47.608192",
+ "warning_days": 1500
+ },
+ "ocp_certs": [
+ {
+ "cert_cn": "CN:172.30.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:m01.example.com, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:172.30.0.1, DNS:192.168.124.148, IP Address:172.30.0.1, IP Address:192.168.124.148",
+ "days_remaining": 715,
+ "expiry": "2018-09-22 17:04:39",
+ "health": "warning",
+ "path": "/etc/origin/master/master.server.crt"
+ },
+ {
+ "cert_cn": "CN:openshift-signer@1474563878",
+ "days_remaining": 1810,
+ "expiry": "2021-09-21 17:04:38",
+ "health": "ok",
+ "path": "/etc/origin/node/ca.crt"
+ }
+ ],
+ "registry": [
+ {
+ "cert_cn": "CN:172.30.101.81, DNS:docker-registry-default.router.default.svc.cluster.local, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.101.81, IP Address:172.30.101.81",
+ "days_remaining": 728,
+ "expiry": "2018-10-05 18:54:29",
+ "health": "warning",
+ "path": "/api/v1/namespaces/default/secrets/registry-certificates"
+ }
+ ],
+ "router": [
+ {
+ "cert_cn": "CN:router.default.svc, DNS:router.default.svc, DNS:router.default.svc.cluster.local",
+ "days_remaining": 715,
+ "expiry": "2018-09-22 17:48:23",
+ "health": "warning",
+ "path": "/api/v1/namespaces/default/secrets/router-certs"
+ }
+ ]
+ }
+}
+```
+
+
+
License
-------
diff --git a/roles/openshift_certificate_expiry/defaults/main.yml b/roles/openshift_certificate_expiry/defaults/main.yml
index 5c077f450..c05617a75 100644
--- a/roles/openshift_certificate_expiry/defaults/main.yml
+++ b/roles/openshift_certificate_expiry/defaults/main.yml
@@ -1,6 +1,8 @@
---
config_base: "/etc/origin"
warning_days: 30
-show_all: false
-generate_report: false
-result_dir: "/tmp"
+show_all: no
+generate_html_report: no
+html_report_path: "/tmp/cert-expiry-report.html"
+save_json_results: no
+json_results_path: "/tmp/cert-expiry-report.json"
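Review bot: The three booleans `show_all`, `generate_html_report` and `save_json_results` are now spelled `no`, replacing the `false` the previous version used; `no` is a YAML 1.1 truthy spelling that yamllint's `truthy` rule flags and that a YAML 1.2 parser reads as the string "no", which is why the tasks file has to coerce each one with `|bool`. Prefer `show_all: false`, `generate_html_report: false`, `save_json_results: false` so the defaults are real booleans regardless of loader. The two report paths default to fixed names in the shared `/tmp` of the control host, and the rendered output lists certificate locations and subject names for every checked host; it may be worth saying in the README that callers should point `html_report_path`/`json_results_path` at a private directory, or choosing such a default.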
diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index f18ab75d0..3b934d019 100644
--- a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
@@ -281,11 +281,11 @@ an OpenShift Container Platform cluster
type='str'),
warning_days=dict(
required=False,
- default=int(30),
+ default=30,
type='int'),
show_all=dict(
required=False,
- default="False",
+ default=False,
type='bool')
),
supports_check_mode=True,
@@ -549,8 +549,6 @@ an OpenShift Container Platform cluster
classify_cert(expire_check_result, now, time_remaining, expire_window, router_certs)
- check_results['router'] = router_certs
-
######################################################################
# Now for registry
# registry_secrets = subprocess.call('oc get secret registry-certificates -o yaml'.split())
@@ -579,8 +577,6 @@ an OpenShift Container Platform cluster
classify_cert(expire_check_result, now, time_remaining, expire_window, registry_certs)
- check_results['registry'] = registry_certs
-
######################################################################
# /Check router/registry certs
######################################################################
@@ -602,10 +598,15 @@ an OpenShift Container Platform cluster
check_results['ocp_certs'] = [crt for crt in ocp_certs if crt['health'] in ['expired', 'warning']]
check_results['kubeconfigs'] = [crt for crt in kubeconfigs if crt['health'] in ['expired', 'warning']]
check_results['etcd'] = [crt for crt in etcd_certs if crt['health'] in ['expired', 'warning']]
+ check_results['registry'] = [crt for crt in registry_certs if crt['health'] in ['expired', 'warning']]
+ check_results['router'] = [crt for crt in router_certs if crt['health'] in ['expired', 'warning']]
else:
check_results['ocp_certs'] = ocp_certs
check_results['kubeconfigs'] = kubeconfigs
check_results['etcd'] = etcd_certs
+ check_results['registry'] = registry_certs
+ check_results['router'] = router_certs
+
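Review bot: The two added comprehensions repeat the `crt['health'] in ['expired', 'warning']` test that the three lines above them already use, so the "needs attention" rule now lives in five places; a one-line helper next to the module's other helpers, `def unhealthy_only(certs): return [crt for crt in certs if crt['health'] in ('expired', 'warning')]`, lets each line read `check_results['registry'] = unhealthy_only(registry_certs)` and keeps the health vocabulary in one spot. The `if` whose `else:` is visible here starts above the hunk, as does the enclosing function, so the condition being branched on is not in view. Since the two earlier hunks drop the unconditional `check_results['router']`/`check_results['registry']` assignments, `router_certs` and `registry_certs` must be bound on every path that reaches this block; presumably they are initialised before the router/registry sections, but that cannot be confirmed from the hunk.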
# Sort the final results to report in order of ascending safety
# time. That is to say, the certificates which will expire sooner
diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml
index def7d1284..88bc02efe 100644
--- a/roles/openshift_certificate_expiry/tasks/main.yml
+++ b/roles/openshift_certificate_expiry/tasks/main.yml
@@ -1,23 +1,25 @@
---
- name: Check cert expirys on host
openshift_cert_expiry:
- warning_days: 1500
+ warning_days: "{{ warning_days|int }}"
+ config_base: "{{ config_base }}"
+ show_all: "{{ show_all|bool }}"
register: check_results
-- name: Generate html
+- name: Generate expiration report HTML
become: no
run_once: yes
template:
src: cert-expiry-table.html.j2
- dest: /tmp/cert-table.html
+ dest: "{{ html_report_path }}"
delegate_to: localhost
- when: generate_report
+ when: "{{ generate_html_report|bool }}"
-- name: Generate JSON
+- name: Generate expiration results JSON
become: no
run_once: yes
template:
src: save_json_results.j2
- dest: /tmp/cert-expiry-results.json
+ dest: "{{ json_results_path }}"
delegate_to: localhost
- when: save_json_results
+ when: "{{ save_json_results|bool }}"
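Review bot: The two new `when:` lines wrap their expression in `{{ }}`; `when` is already evaluated as a Jinja2 expression, so Ansible warns about templating delimiters in conditionals, and the recommended spelling is `when: generate_html_report | bool` and `when: save_json_results | bool`. The `|int` and `|bool` coercions on the `openshift_cert_expiry` arguments are the right call given that the role's defaults spell the booleans as `no`. The report-writing tasks run with `delegate_to: localhost` and `become: no`, so `html_report_path` and `json_results_path` are written as the controller user into whatever directory the caller supplied; a short comment above the first template task, `# Reports are written on the control host as the invoking user`, would make that explicit for readers who expect the files on the managed node.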
diff --git a/roles/openshift_certificate_expiry/templates/save_json_results.j2 b/roles/openshift_certificate_expiry/templates/save_json_results.j2
index 89602ac2b..fe2800548 100644
--- a/roles/openshift_certificate_expiry/templates/save_json_results.j2
+++ b/roles/openshift_certificate_expiry/templates/save_json_results.j2
@@ -1,5 +1,6 @@
{
{% for host in play_hosts %}
-"{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=2) }}{% if not loop.last %},{% endif %}
+ "{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=4) }}{% if not loop.last %},
+{% endif %}
{% endfor %}
}
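Review bot: The host key on the rewritten line is still emitted as `"{{host}}"`, so an inventory hostname containing a double quote or backslash would yield an invalid JSON file; `{{ host | to_json }}: {{ hostvars[host].check_results.check_results | to_nice_json(indent=4) }}` quotes the key with the same machinery that already serialises the value. Moving `{% endif %}` onto its own line also changes the whitespace around the separator: with the template module's default `trim_blocks` the newline following `{% endif %}` is dropped, so the last host's entry presumably runs straight into the closing `}` — harmless to a parser, but worth checking in the rendered file once.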