-rw-r--r--playbooks/byo/openshift-cluster/check-cert-expiry.yaml35
-rw-r--r--playbooks/common/openshift-cluster/check-cert-expiry.yaml44
-rw-r--r--roles/openshift_certificate_expiry/README.md63
-rw-r--r--roles/openshift_certificate_expiry/defaults/main.yml6
-rw-r--r--roles/openshift_certificate_expiry/library/openshift_cert_expiry.py (renamed from library/openshift_cert_expiry.py)0
-rw-r--r--roles/openshift_certificate_expiry/meta/main.yml15
-rw-r--r--roles/openshift_certificate_expiry/tasks/main.yml23
-rw-r--r--roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 (renamed from playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2)0
-rw-r--r--roles/openshift_certificate_expiry/templates/save_json_results.j25
9 files changed, 112 insertions, 79 deletions
diff --git a/playbooks/byo/openshift-cluster/check-cert-expiry.yaml b/playbooks/byo/openshift-cluster/check-cert-expiry.yaml
deleted file mode 100644
index 39efdbd36..000000000
--- a/playbooks/byo/openshift-cluster/check-cert-expiry.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-# check-cert-expiry.yaml - A utility for cluster ops to scan through
-# (critical) certificates for the ongoing operations of a cluster.
-
-# We do not support all Ansible versions. This is our safety net.
-- include: ../../common/openshift-cluster/verify_ansible_version.yml
-
-- name: Generate the l_oo_all_hosts group
- hosts: localhost
- connection: local
- become: no
- gather_facts: no
- tasks:
- - include_vars: cluster_hosts.yml
- - add_host:
- name: "{{ item }}"
- groups: l_oo_all_hosts
- with_items: "{{ g_all_hosts | default([]) }}"
-
-# This may seem redundant, running `include_vars` again on the list of
-# hosts in the group 'l_oo_all_hosts' which we just created. But the
-# fact of the matter is that if we don't re-run include_vars on the
-# new host group we created, then they will not have access to those
-# same group variables they were birthed from.
-#
-# Go ahead and try to 'debug: var=g_all_hosts' later on (without this
-# play) and you'll find that the result is UNDEFINED VARIABLE.
-- name: Inject cluster hosts variables into l_oo_all_hosts
- hosts: l_oo_all_hosts
- gather_facts: no
- tasks:
- - include_vars: cluster_hosts.yml
-
-# This is where the actual business gets started:
-- include: ../../common/openshift-cluster/check-cert-expiry.yaml
diff --git a/playbooks/common/openshift-cluster/check-cert-expiry.yaml b/playbooks/common/openshift-cluster/check-cert-expiry.yaml
deleted file mode 100644
index b585fd849..000000000
--- a/playbooks/common/openshift-cluster/check-cert-expiry.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-# ---
-# # This must be evaluated after cluster_hosts.yml has been evaluated on
-# # 'localhost' to generate l_oo_all_hosts and then subsequently
-# # evaluated again on the generated hosts group (l_oo_all_hosts).
-# - include: evaluate_groups.yml
-# tags:
-# - always
-
-# # Initialize cluster facts for oo_all_hosts using the openshift_facts
-# # role followed by the 'common' role
-# - include: initialize_facts.yml
-# tags:
-# - always
-
-# # Get the version to install from the first master, then synchronize
-# # that variable across all in oo_all_hosts
-# - include: initialize_openshift_version.yml
-# tags:
-# - always
-
-# # Earlier 'initialize_facts' included the openshift_facts role and
-# # used the openshift_facts module with the 'role' parameter set to
-# # 'common'. Now we're applying the openshift_facts role AGAIN but just
-# # to the subset of oo_all_hosts which require configuring.
-# - name: Load openshift_facts
-# hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config
-# roles:
-# - openshift_facts
-
-- hosts: all
- become: yes
- gather_facts: no
- tasks:
- - name: Check cert expirys on host
- openshift_cert_expiry:
- warning_days: 1500
- register: check_results
- - name: Generate html
- become: no
- run_once: yes
- template:
- src: templates/cert-expiry-table.html.j2
- dest: /tmp/cert-table.html
- delegate_to: localhost
diff --git a/roles/openshift_certificate_expiry/README.md b/roles/openshift_certificate_expiry/README.md
new file mode 100644
index 000000000..75970c7a0
--- /dev/null
+++ b/roles/openshift_certificate_expiry/README.md
@@ -0,0 +1,63 @@
+OpenShift Certificate Expiration Checker
+========================================
+
+OpenShift certificate expiration checking. Be warned of certificates
+expiring within a configurable window of days, and notified of
+certificates which have already expired. Certificates examined
+include:
+
+* Master/Node Service Certificates
+* Router/Registry Service Certificates from etcd secrets
+* Master/Node/Router/Registry/Admin `kubeconfig`s
+* Etcd certificates
+
+
+
+Requirements
+------------
+
+* None
+
+
+Role Variables
+--------------
+
+From this role:
+
+| Name | Default value | Description |
+|--------------------------|---------------|-------------------------------------------------------------------------------------|
+| `config_base` | `/etc/origin` | Base openshift config directory |
+| `warning_days` | `30` | Flag certificates which will expire in this many days from now |
+| `show_all` | `False` | Include healthy (non-expired and non-warning) certificates in results |
+| `generate_report` | `False` | Generate an HTML report of the expiry check results |
+| `save_json_results` | `False` | Save expiry check results as a json file |
+| `result_dir` | `/tmp` | Directory in which to put check results and generated reports |
+
+
+Dependencies
+------------
+
+* None
+
+Example Playbook
+----------------
+
+```
+- name: Check cert expirys
+ hosts: all
+ become: yes
+ gather_facts: no
+ roles:
+ - role: openshift_certificate_expiry
+```
+
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Tim Bielawa (tbielawa@redhat.com)
diff --git a/roles/openshift_certificate_expiry/defaults/main.yml b/roles/openshift_certificate_expiry/defaults/main.yml
new file mode 100644
index 000000000..5c077f450
--- /dev/null
+++ b/roles/openshift_certificate_expiry/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+config_base: "/etc/origin"
+warning_days: 30
+show_all: false
+generate_report: false
+result_dir: "/tmp"
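Review bot: `save_json_results` is missing from this defaults file even though the README added in the same commit documents it with a default of `False` and `tasks/main.yml` gates a task on `when: save_json_results`; without a default, a play that does not set the variable will fail on an undefined-variable error at that task rather than simply skipping it. Add `save_json_results: false` here next to `generate_report: false` so the two report toggles behave the same way. It is also worth quoting a one-line comment above `result_dir`, e.g. `# Written on the controller (delegate_to: localhost), not on the managed hosts`, since the default `/tmp` is easy to misread as a remote path.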
diff --git a/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index f18ab75d0..f18ab75d0 100644
--- a/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
diff --git a/roles/openshift_certificate_expiry/meta/main.yml b/roles/openshift_certificate_expiry/meta/main.yml
new file mode 100644
index 000000000..dd66299ea
--- /dev/null
+++ b/roles/openshift_certificate_expiry/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: Tim Bielawa
+ description: OpenShift Certificate Expiry Checker
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.1
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies: []
diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml
new file mode 100644
index 000000000..def7d1284
--- /dev/null
+++ b/roles/openshift_certificate_expiry/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Check cert expirys on host
+ openshift_cert_expiry:
+ warning_days: 1500
+ register: check_results
+
+- name: Generate html
+ become: no
+ run_once: yes
+ template:
+ src: cert-expiry-table.html.j2
+ dest: /tmp/cert-table.html
+ delegate_to: localhost
+ when: generate_report
+
+- name: Generate JSON
+ become: no
+ run_once: yes
+ template:
+ src: save_json_results.j2
+ dest: /tmp/cert-expiry-results.json
+ delegate_to: localhost
+ when: save_json_results
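Review bot: The task list ignores the variables the role advertises — `warning_days: 1500` is hard-coded instead of `"{{ warning_days }}"` (the README and defaults say 30), `config_base` and `show_all` are never passed to the module, and both `dest:` paths are fixed to `/tmp/...` rather than `{{ result_dir }}`, so none of the documented knobs have any effect. Writing the reports to a fixed, predictable name under a world-readable `/tmp` on the controller also lets any local user read the certificate inventory and, on a shared machine, pre-create that path as a symlink; setting an explicit `mode: "0600"` and honouring `result_dir` addresses both. I am assuming the module accepts `config_base` and `show_all` as arguments since the README lists them as role variables — the module source is not in this diff, so confirm before wiring them through.
```yaml
- name: Check cert expirys on host
  openshift_cert_expiry:
    config_base: "{{ config_base }}"
    warning_days: "{{ warning_days }}"
    show_all: "{{ show_all }}"
  register: check_results

- name: Generate html
  become: no
  run_once: yes
  template:
    src: cert-expiry-table.html.j2
    dest: "{{ result_dir }}/cert-table.html"
    mode: "0600"
  delegate_to: localhost
  when: generate_report

# … unchanged: Generate JSON task, with the same dest: "{{ result_dir }}/cert-expiry-results.json" and mode: "0600" …
```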
diff --git a/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2
index f74d7f1ce..f74d7f1ce 100644
--- a/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2
+++ b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2
diff --git a/roles/openshift_certificate_expiry/templates/save_json_results.j2 b/roles/openshift_certificate_expiry/templates/save_json_results.j2
new file mode 100644
index 000000000..89602ac2b
--- /dev/null
+++ b/roles/openshift_certificate_expiry/templates/save_json_results.j2
@@ -0,0 +1,5 @@
+{
+{% for host in play_hosts %}
+"{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=2) }}{% if not loop.last %},{% endif %}
+{% endfor %}
+}
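Review bot: The object key on the third line is emitted as a raw `"{{host}}"`, so an inventory hostname containing a double quote or backslash produces invalid JSON, and `hostvars[host].check_results.check_results` will raise an undefined-variable error for any host in `play_hosts` whose check did not register a result (for example a host that was unreachable or whose module call failed under `ignore_errors`). Let the filter do the quoting and tolerate a missing result: `{{ host | to_json }}: {{ hostvars[host].check_results.check_results | default({}) | to_nice_json(indent=2) }}{% if not loop.last %},{% endif %}`. Whether `play_hosts` still lists failed hosts at this point depends on the Ansible version in use (the role declares 2.1 as minimum), so the `default` guard is cheap insurance either way.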