-rw-r--r-- | roles/openshift_certificate_expiry/README.md | 138 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/defaults/main.yml | 8 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/library/openshift_cert_expiry.py | 13 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/tasks/main.yml | 16 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/templates/save_json_results.j2 | 3 | ||||
-rw-r--r-- | utils/Makefile | 6 |
6 files changed, 154 insertions, 30 deletions
diff --git a/roles/openshift_certificate_expiry/README.md b/roles/openshift_certificate_expiry/README.md
index 75970c7a0..9b543a335 100644
--- a/roles/openshift_certificate_expiry/README.md
+++ b/roles/openshift_certificate_expiry/README.md
@@ -22,16 +22,22 @@ Requirements Role Variables -------------- -From this role: +Core variables in this role: -| Name | Default value | Description | -|--------------------------|---------------|-------------------------------------------------------------------------------------| -| `config_base` | `/etc/origin` | Base openshift config directory | -| `warning_days` | `30` | Flag certificates which will expire in this many days from now | -| `show_all` | `False` | Include healthy (non-expired and non-warning) certificates in results | -| `generate_report` | `False` | Generate an HTML report of the expiry check results | -| `save_json_results` | `False` | Save expiry check results as a json file | -| `result_dir` | `/tmp` | Directory in which to put check results and generated reports | +| Name | Default value | Description | +|--------------------------|--------------------------------|-----------------------------------------------------------------------| +| `config_base` | `/etc/origin` | Base openshift config directory | +| `warning_days` | `30` | Flag certificates which will expire in this many days from now | +| `show_all` | `no` | Include healthy (non-expired and non-warning) certificates in results | + +Optional report/result saving variables in this role: + +| Name | Default value | Description | +|--------------------------|--------------------------------|-----------------------------------------------------------------------| +| `generate_html_report` | `no` | Generate an HTML report of the expiry check results | +| `html_report_path` | `/tmp/cert-expiry-report.html` | The full path to save the HTML report as | +| `save_json_results` | `no` | Save expiry check results as a json file | +| `json_results_path` | `/tmp/cert-expiry-report.json` | The full path to save the json report as | Dependencies 
@@ -42,16 +48,128 @@ Dependencies Example Playbook ---------------- +Default behavior: + +```yaml +--- +- name: Check cert expirys + hosts: all + become: yes + gather_facts: no + roles: + - role: openshift_certificate_expiry +``` + +Generate HTML and JSON artifacts in their default paths: + +```yaml +--- +- name: Check cert expirys + hosts: all + become: yes + gather_facts: no + vars: + generate_html_report: yes + save_json_results: yes + roles: + - role: openshift_certificate_expiry ``` + +Change the expiration warning window to 1500 days (good for testing +the module out) + +```yaml +--- - name: Check cert expirys hosts: all become: yes gather_facts: no + vars: + warning_days: 1500 roles: - - role: openshift_certificate_expiry + - role: openshift_certificate_expiry ``` +Example JSON Output +------------------- + +Example is abbreviated to save space: + +```json +{ + "192.168.124.148": { + "etcd": [ + { + "cert_cn": "CN:etcd-signer@1474563722", + "days_remaining": 350, + "expiry": "2017-09-22 17:02:25", + "health": "warning", + "path": "/etc/etcd/ca.crt" + }, + ], + "kubeconfigs": [ + { + "cert_cn": "O:system:nodes, CN:system:node:m01.example.com", + "days_remaining": 715, + "expiry": "2018-09-22 17:08:57", + "health": "warning", + "path": "/etc/origin/node/system:node:m01.example.com.kubeconfig" + }, + { + "cert_cn": "O:system:cluster-admins, CN:system:admin", + "days_remaining": 715, + "expiry": "2018-09-22 17:04:40", + "health": "warning", + "path": "/etc/origin/master/admin.kubeconfig" + } + ], + "meta": { + "checked_at_time": "2016-10-07 15:26:47.608192", + "show_all": "True", + "warn_after_date": "2020-11-15 15:26:47.608192", + "warning_days": 1500 + }, + "ocp_certs": [ + { + "cert_cn": "CN:172.30.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:m01.example.com, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:172.30.0.1, 
DNS:192.168.124.148, IP Address:172.30.0.1, IP Address:192.168.124.148",
+ "days_remaining": 715,
+ "expiry": "2018-09-22 17:04:39",
+ "health": "warning",
+ "path": "/etc/origin/master/master.server.crt"
+ },
+ {
+ "cert_cn": "CN:openshift-signer@1474563878",
+ "days_remaining": 1810,
+ "expiry": "2021-09-21 17:04:38",
+ "health": "ok",
+ "path": "/etc/origin/node/ca.crt"
+ }
+ ],
+ "registry": [
+ {
+ "cert_cn": "CN:172.30.101.81, DNS:docker-registry-default.router.default.svc.cluster.local, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.101.81, IP Address:172.30.101.81",
+ "days_remaining": 728,
+ "expiry": "2018-10-05 18:54:29",
+ "health": "warning",
+ "path": "/api/v1/namespaces/default/secrets/registry-certificates"
+ }
+ ],
+ "router": [
+ {
+ "cert_cn": "CN:router.default.svc, DNS:router.default.svc, DNS:router.default.svc.cluster.local",
+ "days_remaining": 715,
+ "expiry": "2018-09-22 17:48:23",
+ "health": "warning",
+ "path": "/api/v1/namespaces/default/secrets/router-certs"
+ }
+ ]
+ }
+}
+```
+
+
+
 License
 -------
diff --git a/roles/openshift_certificate_expiry/defaults/main.yml b/roles/openshift_certificate_expiry/defaults/main.yml
index 5c077f450..c05617a75 100644
--- a/roles/openshift_certificate_expiry/defaults/main.yml
+++ b/roles/openshift_certificate_expiry/defaults/main.yml
@@ -1,6 +1,8 @@
 ---
 config_base: "/etc/origin"
 warning_days: 30
-show_all: false
-generate_report: false
-result_dir: "/tmp"
+show_all: no
+generate_html_report: no
+html_report_path: "/tmp/cert-expiry-report.html"
+save_json_results: no
+json_results_path: "/tmp/cert-expiry-report.json"
diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index f18ab75d0..3b934d019 100644
--- a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
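Review bot: The defaults hunk drops `generate_report` and `result_dir` and introduces `generate_html_report`, `html_report_path` and `json_results_path` with no compatibility shim, so a playbook that still sets the old names will silently run with the new defaults (no report written, fixed `/tmp/...` paths) instead of failing. Either keep the old names as deprecated aliases that feed the new variables, or add an `assert` task that rejects `generate_report`/`result_dir` when they are defined, so the rename surfaces at run time. At minimum the README table should state that the old names are no longer read. The README and tasks hunks on this page carry the same renames.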
@@ -281,11 +281,11 @@ an OpenShift Container Platform cluster
 type='str'),
 warning_days=dict(
 required=False,
- default=int(30),
+ default=30,
 type='int'),
 show_all=dict(
 required=False,
- default="False",
+ default=False,
 type='bool')
 ),
 supports_check_mode=True,
@@ -549,8 +549,6 @@ an OpenShift Container Platform cluster
 classify_cert(expire_check_result, now, time_remaining, expire_window, router_certs)
- check_results['router'] = router_certs
-
 ######################################################################
 # Now for registry
 # registry_secrets = subprocess.call('oc get secret registry-certificates -o yaml'.split())
@@ -579,8 +577,6 @@ an OpenShift Container Platform cluster
 classify_cert(expire_check_result, now, time_remaining, expire_window, registry_certs)
- check_results['registry'] = registry_certs
-
 ######################################################################
 # /Check router/registry certs
 ######################################################################
@@ -602,10 +598,15 @@ an OpenShift Container Platform cluster
 check_results['ocp_certs'] = [crt for crt in ocp_certs if crt['health'] in ['expired', 'warning']]
 check_results['kubeconfigs'] = [crt for crt in kubeconfigs if crt['health'] in ['expired', 'warning']]
 check_results['etcd'] = [crt for crt in etcd_certs if crt['health'] in ['expired', 'warning']]
+ check_results['registry'] = [crt for crt in registry_certs if crt['health'] in ['expired', 'warning']]
+ check_results['router'] = [crt for crt in router_certs if crt['health'] in ['expired', 'warning']]
 else:
 check_results['ocp_certs'] = ocp_certs
 check_results['kubeconfigs'] = kubeconfigs
 check_results['etcd'] = etcd_certs
+ check_results['registry'] = registry_certs
+ check_results['router'] = router_certs
+
 # Sort the final results to report in order of ascending safety
 # time. That is to say, the certificates which will expire sooner
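Review bot: The `['expired', 'warning']` health filter is now spelled out five times in the filtered branch of the last hunk (@@ -602), and the per-category assignment is duplicated again in the else branch, so every new certificate group costs two more copy-pasted lines and the literal strings must be kept in step with whatever classify_cert writes into `health`, which is not visible here. A small helper keeps the rule in one place: `def _unhealthy(certs): return [crt for crt in certs if crt['health'] in ('expired', 'warning')]`, after which each line reads e.g. `check_results['registry'] = _unhealthy(registry_certs)`. The function these hunks belong to starts and ends outside the hunks.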
diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml
index def7d1284..88bc02efe 100644
--- a/roles/openshift_certificate_expiry/tasks/main.yml
+++ b/roles/openshift_certificate_expiry/tasks/main.yml
@@ -1,23 +1,25 @@
 ---
 - name: Check cert expirys on host
 openshift_cert_expiry:
- warning_days: 1500
+ warning_days: "{{ warning_days|int }}"
+ config_base: "{{ config_base }}"
+ show_all: "{{ show_all|bool }}"
 register: check_results
-- name: Generate html
+- name: Generate expiration report HTML
 become: no
 run_once: yes
 template:
 src: cert-expiry-table.html.j2
- dest: /tmp/cert-table.html
+ dest: "{{ html_report_path }}"
 delegate_to: localhost
- when: generate_report
+ when: "{{ generate_html_report|bool }}"
-- name: Generate JSON
+- name: Generate expiration results JSON
 become: no
 run_once: yes
 template:
 src: save_json_results.j2
- dest: /tmp/cert-expiry-results.json
+ dest: "{{ json_results_path }}"
 delegate_to: localhost
- when: save_json_results
+ when: "{{ save_json_results|bool }}"
diff --git a/roles/openshift_certificate_expiry/templates/save_json_results.j2 b/roles/openshift_certificate_expiry/templates/save_json_results.j2
index 89602ac2b..fe2800548 100644
--- a/roles/openshift_certificate_expiry/templates/save_json_results.j2
+++ b/roles/openshift_certificate_expiry/templates/save_json_results.j2
@@ -1,5 +1,6 @@
 {
 {% for host in play_hosts %}
-"{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=2) }}{% if not loop.last %},{% endif %}
+ "{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=4) }}{% if not loop.last %},
+{% endif %}
 {% endfor %}
 }
diff --git a/utils/Makefile b/utils/Makefile
index bc708964b..62f08f74b 100644
--- a/utils/Makefile
+++ b/utils/Makefile
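Review bot: The two `when:` clauses added in the tasks hunk wrap the condition in Jinja delimiters, `when: "{{ generate_html_report|bool }}"`; `when` is already evaluated as a Jinja expression, so Ansible emits a warning about templating delimiters in conditionals and the idiomatic form is `when: generate_html_report | bool` (and `when: save_json_results | bool` for the JSON task). The report destinations now default to fixed, predictable paths under `/tmp` on the controller (`delegate_to: localhost`, `become: no`), and the files list certificate paths, hostnames and expiry dates for the whole inventory; the README or the defaults file should make clear that on a shared controller operators are expected to point `html_report_path`/`json_results_path` at a directory only they can write to. Passing `config_base` and `show_all` through to the module is what the role's documented defaults promise, so that part looks right.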
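Review bot: The object key on the added line of the save_json_results.j2 hunk is built as `"{{host}}"`, so an inventory hostname containing `"` or `\` would make the saved file invalid JSON; `{{ host | to_json }}:` (without the literal quotes) yields a correctly escaped key. The lookup `hostvars[host].check_results.check_results` is presumably undefined for any host where the module task was skipped or failed, which would abort this template task for every host; wrapping the entry in `{% if hostvars[host].check_results is defined %}` would keep the output for the hosts that did report, though the module task's error handling is not visible here.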
@@ -82,7 +82,7 @@ ci-pylint:
 @echo "#############################################"
 @echo "# Running PyLint Tests in virtualenv"
 @echo "#############################################"
- . $(NAME)env/bin/activate && python -m pylint --rcfile ../git/.pylintrc src/ooinstall/cli_installer.py src/ooinstall/oo_config.py src/ooinstall/openshift_ansible.py src/ooinstall/variants.py ../callback_plugins/openshift_quick_installer.py ../library/openshift_cert_expiry.py
+ . $(NAME)env/bin/activate && python -m pylint --rcfile ../git/.pylintrc src/ooinstall/cli_installer.py src/ooinstall/oo_config.py src/ooinstall/openshift_ansible.py src/ooinstall/variants.py ../callback_plugins/openshift_quick_installer.py ../roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
 ci-list-deps:
 @echo "#############################################"
@@ -96,7 +96,7 @@ ci-pyflakes:
 @echo "#################################################"
 . $(NAME)env/bin/activate && pyflakes src/ooinstall/*.py
 . $(NAME)env/bin/activate && pyflakes ../callback_plugins/openshift_quick_installer.py
- . $(NAME)env/bin/activate && pyflakes ../library/openshift_cert_expiry.py
+ . $(NAME)env/bin/activate && pyflakes ../roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
 ci-pep8:
 @echo "#############################################"
@@ -106,7 +106,7 @@ ci-pep8:
 . $(NAME)env/bin/activate && pep8 --ignore=$(PEPEXCLUDES) ../callback_plugins/openshift_quick_installer.py
 # This one excludes E402 because it is an ansible module and the
 # boilerplate import statement is expected to be at the bottom
- . $(NAME)env/bin/activate && pep8 --ignore=$(PEPEXCLUDES),E402 ../library/openshift_cert_expiry.py
+ . $(NAME)env/bin/activate && pep8 --ignore=$(PEPEXCLUDES),E402 ../roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
 ci: clean virtualenv ci-list-deps ci-pep8 ci-pylint ci-pyflakes ci-unittests : |