From 931499b7cf9d4e03f2dcd4449650986d31886362 Mon Sep 17 00:00:00 2001
From: Tim Bielawa
Date: Mon, 3 Oct 2016 08:20:38 -0700
Subject: Try to make boiler plate for cert expiry checking
---
.../byo/openshift-cluster/check-cert-expiry.yaml | 35 ++++++++++++++++++++
.../openshift-cluster/check-cert-expiry.yaml | 37 ++++++++++++++++++++++
2 files changed, 72 insertions(+)
create mode 100644 playbooks/byo/openshift-cluster/check-cert-expiry.yaml
create mode 100644 playbooks/common/openshift-cluster/check-cert-expiry.yaml
(limited to 'playbooks')
diff --git a/playbooks/byo/openshift-cluster/check-cert-expiry.yaml b/playbooks/byo/openshift-cluster/check-cert-expiry.yaml
new file mode 100644
index 000000000..39efdbd36
--- /dev/null
+++ b/playbooks/byo/openshift-cluster/check-cert-expiry.yaml
@@ -0,0 +1,35 @@
+---
+# check-cert-expiry.yaml - A utility for cluster ops to scan through
+# (critical) certificates for the ongoing operations of a cluster.
+
+# We do not support all Ansible versions. This is our safety net.
+- include: ../../common/openshift-cluster/verify_ansible_version.yml
+
+- name: Generate the l_oo_all_hosts group
+ hosts: localhost
+ connection: local
+ become: no
+ gather_facts: no
+ tasks:
+ - include_vars: cluster_hosts.yml
+ - add_host:
+ name: "{{ item }}"
+ groups: l_oo_all_hosts
+ with_items: "{{ g_all_hosts | default([]) }}"
+
+# This may seem redundant, running `include_vars` again on the list of
+# hosts in the group 'l_oo_all_hosts' which we just created. But the
+# fact of the matter is that if we don't re-run include_vars on the
+# new host group we created, then they will not have access to those
+# same group variables they were birthed from.
+#
+# Go ahead and try to 'debug: var=g_all_hosts' later on (without this
+# play) and you'll find that the result is UNDEFINED VARIABLE.
+- name: Inject cluster hosts variables into l_oo_all_hosts
+ hosts: l_oo_all_hosts
+ gather_facts: no
+ tasks:
+ - include_vars: cluster_hosts.yml
+
+# This is where the actual business gets started:
+- include: ../../common/openshift-cluster/check-cert-expiry.yaml
diff --git a/playbooks/common/openshift-cluster/check-cert-expiry.yaml b/playbooks/common/openshift-cluster/check-cert-expiry.yaml
new file mode 100644
index 000000000..e160383af
--- /dev/null
+++ b/playbooks/common/openshift-cluster/check-cert-expiry.yaml
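Review bot: The `include_vars` and `add_host` tasks in playbooks/byo/openshift-cluster/check-cert-expiry.yaml have no `name:`, so run output and failures identify them only by module; add e.g. `- name: Load cluster host group variables` and `- name: Add each cluster host to l_oo_all_hosts`. `become: no` and `gather_facts: no` depend on YAML 1.1 truthy parsing; `become: false` and `gather_facts: false` say the same thing unambiguously, and the same applies to `become: yes` and `gather_facts: no` in playbooks/common/openshift-cluster/check-cert-expiry.yaml.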
@@ -0,0 +1,37 @@
+# ---
+# # This must be evaluated after cluster_hosts.yml has been evaluated on
+# # 'localhost' to generate l_oo_all_hosts and then subsequently
+# # evaluated again on the generated hosts group (l_oo_all_hosts).
+# - include: evaluate_groups.yml
+# tags:
+# - always
+
+# # Initialize cluster facts for oo_all_hosts using the openshift_facts
+# # role followed by the 'common' role
+# - include: initialize_facts.yml
+# tags:
+# - always
+
+# # Get the version to install from the first master, then synchronize
+# # that variable across all in oo_all_hosts
+# - include: initialize_openshift_version.yml
+# tags:
+# - always
+
+# # Earlier 'initialize_facts' included the openshift_facts role and
+# # used the openshift_facts module with the 'role' parameter set to
+# # 'common'. Now we're applying the openshift_facts role AGAIN but just
+# # to the subset of oo_all_hosts which require configuring.
+# - name: Load openshift_facts
+# hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config
+# roles:
+# - openshift_facts
+
+- hosts: all
+ become: yes
+ gather_facts: no
+ tasks:
+ - name: Check cert expirys on host
+ openshift_cert_expiry:
+ warning_days: 1500
+ show_all: true
-- cgit v1.2.3
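Review bot: The play at the end of playbooks/common/openshift-cluster/check-cert-expiry.yaml targets `hosts: all` with `become: yes`, so it escalates to root on every inventory host rather than on the `l_oo_all_hosts` group that the byo wrapper builds just before including this file; `- hosts: l_oo_all_hosts` would keep the privileged scan scoped to cluster hosts, assuming that group is what the wrapper intends to check. `warning_days: 1500` is hard-coded, and a window of roughly four years will likely flag most certificates, which buries the ones that are actually close to expiry; consider reading it from a playbook variable with a much shorter default. The result of `openshift_cert_expiry` is not registered or asserted on here, so whether an expired certificate fails the run depends on the module itself, which is not visible in this diff.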