summaryrefslogtreecommitdiffstats
path: root/roles/openshift_certificate_expiry
diff options
context:
space:
mode:
Diffstat (limited to 'roles/openshift_certificate_expiry')
-rw-r--r--roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py88
-rw-r--r--roles/openshift_certificate_expiry/library/openshift_cert_expiry.py18
-rw-r--r--roles/openshift_certificate_expiry/meta/main.yml1
-rw-r--r--roles/openshift_certificate_expiry/tasks/main.yml7
-rw-r--r--roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j22
-rw-r--r--roles/openshift_certificate_expiry/templates/save_json_results.j221
6 files changed, 105 insertions, 32 deletions
diff --git a/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py
new file mode 100644
index 000000000..2e2430ee6
--- /dev/null
+++ b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py
@@ -0,0 +1,88 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# vim: expandtab:tabstop=4:shiftwidth=4
+"""
+Custom filters for use in openshift-ansible
+"""
+
+from ansible import errors
+from collections import Mapping
+from distutils.util import strtobool
+from distutils.version import LooseVersion
+from operator import itemgetter
+import OpenSSL.crypto
+import os
+import pdb
+import pkg_resources
+import re
+import json
+import yaml
+from ansible.parsing.yaml.dumper import AnsibleDumper
+from urlparse import urlparse
+
+try:
+ # ansible-2.2
+ # ansible.utils.unicode.to_unicode is deprecated in ansible-2.2,
+ # ansible.module_utils._text.to_text should be used instead.
+ from ansible.module_utils._text import to_text
+except ImportError:
+ # ansible-2.1
+ from ansible.utils.unicode import to_unicode as to_text
+
+# Disabling too-many-public-methods, since filter methods are necessarily
+# public
+# pylint: disable=too-many-public-methods
+class FilterModule(object):
+ """ Custom ansible filters """
+
+ @staticmethod
+ def oo_cert_expiry_results_to_json(hostvars, play_hosts):
+ """Takes results (`hostvars`) from the openshift_cert_expiry role
+check and serializes them into proper machine-readable JSON
+output. This filter parameter **MUST** be the playbook `hostvars`
+variable. The `play_hosts` parameter is so we know what to loop over
+when we're extrating the values.
+
+Returns:
+
+Results are collected into two top-level keys under the `json_results`
+dict:
+
+* `json_results.data` [dict] - Each individual host check result, keys are hostnames
+* `json_results.summary` [dict] - Summary of number of `warning` and `expired`
+certificates
+
+Example playbook usage:
+
+ - name: Generate expiration results JSON
+ become: no
+ run_once: yes
+ delegate_to: localhost
+ when: "{{ openshift_certificate_expiry_save_json_results|bool }}"
+ copy:
+ content: "{{ hostvars|oo_cert_expiry_results_to_json() }}"
+ dest: "{{ openshift_certificate_expiry_json_results_path }}"
+
+ """
+ json_result = {
+ 'data': {},
+ 'summary': {},
+ }
+
+ for host in play_hosts:
+ json_result['data'][host] = hostvars[host]['check_results']['check_results']
+
+ total_warnings = sum([hostvars[h]['check_results']['summary']['warning'] for h in play_hosts])
+ total_expired = sum([hostvars[h]['check_results']['summary']['expired'] for h in play_hosts])
+
+ json_result['summary']['warning'] = total_warnings
+ json_result['summary']['expired'] = total_expired
+
+ return json_result
+
+
+ def filters(self):
+ """ returns a mapping of filters to methods """
+ return {
+ "oo_cert_expiry_results_to_json": self.oo_cert_expiry_results_to_json,
+ }
diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index 6e27a7ebd..1d0507537 100644
--- a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
@@ -36,7 +36,7 @@ description:
- C(days_remaining) - The number of days until the certificate expires.
- C(expiry) - The date the certificate expires on.
- C(path) - The full path to the certificate on the examined host.
-version_added: "0.0"
+version_added: "1.0"
options:
config_base:
description:
@@ -127,13 +127,6 @@ A 3-tuple of the form: (certificate_common_name, certificate_expiry_date, certif
OpenSSL.crypto.FILETYPE_PEM, _cert_string)
######################################################################
- # Read just the first name from the cert - DISABLED while testing
- # out the 'get all possible names' function (below)
- #
- # Strip the subject down to just the value of the first name
- # cert_subject = cert_loaded.get_subject().get_components()[0][1]
-
- ######################################################################
# Read all possible names from the cert
cert_subjects = []
for name, value in cert_loaded.get_subject().get_components():
@@ -227,7 +220,7 @@ Return:
def tabulate_summary(certificates, kubeconfigs, etcd_certs, router_certs, registry_certs):
"""Calculate the summary text for when the module finishes
-running. This includes counds of each classification and what have
+running. This includes counts of each classification and what have
you.
Params:
@@ -236,6 +229,7 @@ Params:
dicts with filled in `health` keys for system certificates.
- `kubeconfigs` - as above for kubeconfigs
- `etcd_certs` - as above for etcd certs
+
Return:
- `summary_results` (dict) - Counts of each cert type classification
@@ -290,7 +284,7 @@ an OpenShift Container Platform cluster
supports_check_mode=True,
)
- # Basic scaffolding for OpenShift spcific certs
+ # Basic scaffolding for OpenShift specific certs
openshift_base_config_path = module.params['config_base']
openshift_master_config_path = os.path.normpath(
os.path.join(openshift_base_config_path, "master/master-config.yaml")
@@ -317,6 +311,10 @@ an OpenShift Container Platform cluster
)
)
+ # Validate some paths we have the ability to do ahead of time
+ openshift_cert_check_paths = filter_paths(openshift_cert_check_paths)
+ kubeconfig_paths = filter_paths(kubeconfig_paths)
+
# etcd, where do you hide your certs? Used when parsing etcd.conf
etcd_cert_params = [
"ETCD_CA_FILE",
diff --git a/roles/openshift_certificate_expiry/meta/main.yml b/roles/openshift_certificate_expiry/meta/main.yml
index dd66299ea..c13b29ba5 100644
--- a/roles/openshift_certificate_expiry/meta/main.yml
+++ b/roles/openshift_certificate_expiry/meta/main.yml
@@ -5,6 +5,7 @@ galaxy_info:
company: Red Hat, Inc.
license: Apache License, Version 2.0
min_ansible_version: 2.1
+ version: 1.0
platforms:
- name: EL
versions:
diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml
index b78209055..139d5de6e 100644
--- a/roles/openshift_certificate_expiry/tasks/main.yml
+++ b/roles/openshift_certificate_expiry/tasks/main.yml
@@ -15,7 +15,12 @@
delegate_to: localhost
when: "{{ openshift_certificate_expiry_generate_html_report|bool }}"
-- name: Generate expiration results JSON
+- name: Generate the result JSON string
+ run_once: yes
+ set_fact: json_result_string="{{ hostvars|oo_cert_expiry_results_to_json(play_hosts) }}"
+ when: "{{ openshift_certificate_expiry_save_json_results|bool }}"
+
+- name: Generate results JSON file
become: no
run_once: yes
template:
diff --git a/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2
index f74d7f1ce..b05110336 100644
--- a/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2
+++ b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2
@@ -64,7 +64,7 @@
</p>
<ul>
<li><b>Expirations checked at:</b> {{ hostvars[host].check_results.check_results.meta.checked_at_time }}</li>
- <li><b>Warn after date:</b> {{ hostvars[host].check_results.check_results.meta.warn_after_date }}</li>
+ <li><b>Warn after date:</b> {{ hostvars[host].check_results.check_results.meta.warn_before_date }}</li>
</ul>
<table border="1" width="100%">
diff --git a/roles/openshift_certificate_expiry/templates/save_json_results.j2 b/roles/openshift_certificate_expiry/templates/save_json_results.j2
index 9b165f26c..c1173d9ea 100644
--- a/roles/openshift_certificate_expiry/templates/save_json_results.j2
+++ b/roles/openshift_certificate_expiry/templates/save_json_results.j2
@@ -1,20 +1 @@
-{
- "data": {
-{% for host in play_hosts %}
-{# Pretty print the check results for each host #}
- "{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=6) }}{% if not loop.last %},
-{% else %}
-
-{% endif %}
-{% endfor %}
- },
-{# extract the nested warning/expired value from the hostvars object
-using items in the playhosts list as a map. Wrap those results up into
-a list and then add them all together #}
-{%- set warned = play_hosts|map('extract', hostvars, ['check_results', 'summary', 'warning'])|list|sum %}
-{%- set expired = play_hosts|map('extract', hostvars, ['check_results', 'summary', 'expired'])|list|sum %}
- "summary": {
- "warning": {{ warned }},
- "expired": {{ expired }}
- }
-}
+{{ json_result_string | to_nice_json(indent=2)}}