Diffstat (limited to 'roles/openshift_certificate_expiry')
6 files changed, 105 insertions, 32 deletions
diff --git a/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py
new file mode 100644
index 000000000..2e2430ee6
--- /dev/null
+++ b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py
@@ -0,0 +1,88 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# vim: expandtab:tabstop=4:shiftwidth=4
+"""
+Custom filters for use in openshift-ansible
+"""
+
+from ansible import errors
+from collections import Mapping
+from distutils.util import strtobool
+from distutils.version import LooseVersion
+from operator import itemgetter
+import OpenSSL.crypto
+import os
+import pdb
+import pkg_resources
+import re
+import json
+import yaml
+from ansible.parsing.yaml.dumper import AnsibleDumper
+from urlparse import urlparse
+
+try:
+ # ansible-2.2
+ # ansible.utils.unicode.to_unicode is deprecated in ansible-2.2,
+ # ansible.module_utils._text.to_text should be used instead.
+ from ansible.module_utils._text import to_text
+except ImportError:
+ # ansible-2.1
+ from ansible.utils.unicode import to_unicode as to_text
+
+# Disabling too-many-public-methods, since filter methods are necessarily
+# public
+# pylint: disable=too-many-public-methods
+class FilterModule(object):
+ """ Custom ansible filters """
+
+ @staticmethod
+ def oo_cert_expiry_results_to_json(hostvars, play_hosts):
+ """Takes results (`hostvars`) from the openshift_cert_expiry role
+check and serializes them into proper machine-readable JSON
+output. This filter parameter **MUST** be the playbook `hostvars`
+variable. The `play_hosts` parameter is so we know what to loop over
+when we're extrating the values.
+
+Returns:
+
+Results are collected into two top-level keys under the `json_results`
+dict:
+
+* `json_results.data` [dict] - Each individual host check result, keys are hostnames
+* `json_results.summary` [dict] - Summary of number of `warning` and `expired`
+certificates
+
+Example playbook usage:
+
+ - name: Generate expiration results JSON
+ become: no
+ run_once: yes
+ delegate_to: localhost
+ when: "{{ openshift_certificate_expiry_save_json_results|bool }}"
+ copy:
+ content: "{{ hostvars|oo_cert_expiry_results_to_json() }}"
+ dest: "{{ openshift_certificate_expiry_json_results_path }}"
+
+ """
+ json_result = {
+ 'data': {},
+ 'summary': {},
+ }
+
+ for host in play_hosts:
+ json_result['data'][host] = hostvars[host]['check_results']['check_results']
+
+ total_warnings = sum([hostvars[h]['check_results']['summary']['warning'] for h in play_hosts])
+ total_expired = sum([hostvars[h]['check_results']['summary']['expired'] for h in play_hosts])
+
+ json_result['summary']['warning'] = total_warnings
+ json_result['summary']['expired'] = total_expired
+
+ return json_result
+
+
+ def filters(self):
+ """ returns a mapping of filters to methods """
+ return {
+ "oo_cert_expiry_results_to_json": self.oo_cert_expiry_results_to_json,
+ }
diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index 6e27a7ebd..1d0507537 100644
--- a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
@@ -36,7 +36,7 @@ description: - C(days_remaining) - The number of days until the certificate expires. - C(expiry) - The date the certificate expires on. - C(path) - The full path to the certificate on the examined host. -version_added: "0.0" +version_added: "1.0" options: config_base: description: 
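Review bot: In `oo_cert_expiry_results_to_json`, the `for host in play_hosts` loop and both `sum(...)` lines index `hostvars[h]['check_results']` directly, so a play host that never registered `check_results` would raise a bare KeyError and no expiry report would be written for any host. Since `errors` is already imported, the lookup could be guarded and reported with `raise errors.AnsibleFilterError("no check_results registered for host %s" % host)`, or the host could be listed as unchecked so the gap is visible in the summary. The docstring example calls the filter as `oo_cert_expiry_results_to_json()` without `play_hosts`, which does not match the signature. None of the module-level imports is referenced in this file; `import pdb` looks like a debugging leftover, and `from urlparse import urlparse` and `from collections import Mapping` are each another way for the plugin to fail at load time, so I would drop every import the filter does not use.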
@@ -127,13 +127,6 @@ A 3-tuple of the form: (certificate_common_name, certificate_expiry_date, certif OpenSSL.crypto.FILETYPE_PEM, _cert_string) ###################################################################### - # Read just the first name from the cert - DISABLED while testing - # out the 'get all possible names' function (below) - # - # Strip the subject down to just the value of the first name - # cert_subject = cert_loaded.get_subject().get_components()[0][1] - - ###################################################################### # Read all possible names from the cert cert_subjects = [] for name, value in cert_loaded.get_subject().get_components(): @@ -227,7 +220,7 @@ Return: def tabulate_summary(certificates, kubeconfigs, etcd_certs, router_certs, registry_certs): """Calculate the summary text for when the module finishes -running. This includes counds of each classification and what have +running. This includes counts of each classification and what have you. Params: @@ -236,6 +229,7 @@ Params: dicts with filled in `health` keys for system certificates. - `kubeconfigs` - as above for kubeconfigs - `etcd_certs` - as above for etcd certs + Return: - `summary_results` (dict) - Counts of each cert type classification @@ -290,7 +284,7 @@ an OpenShift Container Platform cluster supports_check_mode=True, ) - # Basic scaffolding for OpenShift spcific certs + # Basic scaffolding for OpenShift specific certs openshift_base_config_path = module.params['config_base'] openshift_master_config_path = os.path.normpath( os.path.join(openshift_base_config_path, "master/master-config.yaml") @@ -317,6 +311,10 @@ an OpenShift Container Platform cluster ) ) + # Validate some paths we have the ability to do ahead of time + openshift_cert_check_paths = filter_paths(openshift_cert_check_paths) + kubeconfig_paths = filter_paths(kubeconfig_paths) + # etcd, where do you hide your certs? Used when parsing etcd.conf etcd_cert_params = [ "ETCD_CA_FILE", 
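Review bot: The two `filter_paths(...)` calls added before the etcd section narrow `openshift_cert_check_paths` and `kubeconfig_paths` without recording what was removed. `filter_paths` is defined outside this diff, but if it drops paths that do not exist, a certificate or kubeconfig that is expected but missing disappears from the report instead of showing up as a finding. For an expiry audit that gap is worth surfacing, for example by keeping the difference between the two lists and returning it in the module result as skipped paths. The comment would read more clearly as `# Drop check paths that can be validated up front and are not present`, once that behaviour is confirmed. The enclosing function starts and ends outside the hunk.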
diff --git a/roles/openshift_certificate_expiry/meta/main.yml b/roles/openshift_certificate_expiry/meta/main.yml index dd66299ea..c13b29ba5 100644 --- a/roles/openshift_certificate_expiry/meta/main.yml +++ b/roles/openshift_certificate_expiry/meta/main.yml @@ -5,6 +5,7 @@ galaxy_info: company: Red Hat, Inc. license: Apache License, Version 2.0 min_ansible_version: 2.1 + version: 1.0 platforms: - name: EL versions: diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml index b78209055..139d5de6e 100644 --- a/roles/openshift_certificate_expiry/tasks/main.yml +++ b/roles/openshift_certificate_expiry/tasks/main.yml @@ -15,7 +15,12 @@ delegate_to: localhost when: "{{ openshift_certificate_expiry_generate_html_report|bool }}" -- name: Generate expiration results JSON +- name: Generate the result JSON string + run_once: yes + set_fact: json_result_string="{{ hostvars|oo_cert_expiry_results_to_json(play_hosts) }}" + when: "{{ openshift_certificate_expiry_save_json_results|bool }}" + +- name: Generate results JSON file become: no run_once: yes template: diff --git a/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 index f74d7f1ce..b05110336 100644 --- a/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 +++ b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 @@ -64,7 +64,7 @@ </p> <ul> <li><b>Expirations checked at:</b> {{ hostvars[host].check_results.check_results.meta.checked_at_time }}</li> - <li><b>Warn after date:</b> {{ hostvars[host].check_results.check_results.meta.warn_after_date }}</li> + <li><b>Warn after date:</b> {{ hostvars[host].check_results.check_results.meta.warn_before_date }}</li> </ul> <table border="1" width="100%"> 
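Review bot: The new `Generate the result JSON string` task stores the filter's return value, which is a dict, under the name `json_result_string` and uses the inline `key=value` form of `set_fact`. The name suggests a string, and I am not certain the inline form keeps the value as a dict on every Ansible version this role supports (`min_ansible_version: 2.1`) before the template passes it to `to_nice_json`. Writing the task as a YAML mapping, `set_fact:` followed by `json_result_string: "{{ hostvars|oo_cert_expiry_results_to_json(play_hosts) }}"`, removes that doubt. A name such as `json_results` would describe the value better, though the template would need the same rename.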
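Review bot: In `cert-expiry-table.html.j2` the list item still reads `Warn after date:` while the value now comes from `meta.warn_before_date`, so the report label and the field it prints disagree. If the field carries the "warn before" threshold, the label should follow it, e.g. `<li><b>Warn before date:</b> {{ hostvars[host].check_results.check_results.meta.warn_before_date }}</li>`. Otherwise someone reading the report can misjudge which side of the date triggers a warning.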
diff --git a/roles/openshift_certificate_expiry/templates/save_json_results.j2 b/roles/openshift_certificate_expiry/templates/save_json_results.j2
index 9b165f26c..c1173d9ea 100644
--- a/roles/openshift_certificate_expiry/templates/save_json_results.j2
+++ b/roles/openshift_certificate_expiry/templates/save_json_results.j2
@@ -1,20 +1 @@
-{
- "data": {
-{% for host in play_hosts %}
-{# Pretty print the check results for each host #}
- "{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=6) }}{% if not loop.last %},
-{% else %}
-
-{% endif %}
-{% endfor %}
- },
-{# extract the nested warning/expired value from the hostvars object
-using items in the playhosts list as a map. Wrap those results up into
-a list and then add them all together #}
-{%- set warned = play_hosts|map('extract', hostvars, ['check_results', 'summary', 'warning'])|list|sum %}
-{%- set expired = play_hosts|map('extract', hostvars, ['check_results', 'summary', 'expired'])|list|sum %}
- "summary": {
- "warning": {{ warned }},
- "expired": {{ expired }}
- }
-}
+{{ json_result_string | to_nice_json(indent=2)}} |