-rw-r--r-- | playbooks/byo/openshift-cluster/check-cert-expiry.yaml | 35 | ||||
-rw-r--r-- | playbooks/common/openshift-cluster/check-cert-expiry.yaml | 44 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/README.md | 63 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/defaults/main.yml | 6 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/library/openshift_cert_expiry.py (renamed from library/openshift_cert_expiry.py) | 0 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/meta/main.yml | 15 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/tasks/main.yml | 23 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2 (renamed from playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2) | 0 | ||||
-rw-r--r-- | roles/openshift_certificate_expiry/templates/save_json_results.j2 | 5 |
9 files changed, 112 insertions, 79 deletions
diff --git a/playbooks/byo/openshift-cluster/check-cert-expiry.yaml b/playbooks/byo/openshift-cluster/check-cert-expiry.yaml
deleted file mode 100644
index 39efdbd36..000000000
--- a/playbooks/byo/openshift-cluster/check-cert-expiry.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-# check-cert-expiry.yaml - A utility for cluster ops to scan through
-# (critical) certificates for the ongoing operations of a cluster.
-# We do not support all Ansible versions. This is our safety net.
-- include: ../../common/openshift-cluster/verify_ansible_version.yml
-- name: Generate the l_oo_all_hosts group
-  hosts: localhost
-  connection: local
-  become: no
-  gather_facts: no
-  tasks:
-    - include_vars: cluster_hosts.yml
-    - add_host:
-        name: "{{ item }}"
-        groups: l_oo_all_hosts
-        with_items: "{{ g_all_hosts | default([]) }}"
-# This may seem redundant, running `include_vars` again on the list of
-# hosts in the group 'l_oo_all_hosts' which we just created. But the
-# fact of the matter is that if we don't re-run include_vars on the
-# new host group we created, then they will not have access to those
-# same group variables they were birthed from.
-#
-# Go ahead and try to 'debug: var=g_all_hosts' later on (without this
-# play) and you'll find that the result is UNDEFINED VARIABLE.
-- name: Inject cluster hosts variables into l_oo_all_hosts
-  hosts: l_oo_all_hosts
-  gather_facts: no
-  tasks:
-    - include_vars: cluster_hosts.yml
-# This is where the actual business gets started:
-- include: ../../common/openshift-cluster/check-cert-expiry.yaml
diff --git a/playbooks/common/openshift-cluster/check-cert-expiry.yaml b/playbooks/common/openshift-cluster/check-cert-expiry.yaml
deleted file mode 100644
index b585fd849..000000000
--- a/playbooks/common/openshift-cluster/check-cert-expiry.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-# ---
-# # This must be evaluated after cluster_hosts.yml has been evaluated on
-# # 'localhost' to generate l_oo_all_hosts and then subsequently
-# # evaluated again on the generated hosts group (l_oo_all_hosts).
-# - include: evaluate_groups.yml
-# tags:
-# - always
-# # Initialize cluster facts for oo_all_hosts using the openshift_facts
-# # role followed by the 'common' role
-# - include: initialize_facts.yml
-# tags:
-# - always
-# # Get the version to install from the first master, then synchronize
-# # that variable across all in oo_all_hosts
-# - include: initialize_openshift_version.yml
-# tags:
-# - always
-# # Earlier 'initialize_facts' included the openshift_facts role and
-# # used the openshift_facts module with the 'role' parameter set to
-# # 'common'. Now we're applying the openshift_facts role AGAIN but just
-# # to the subset of oo_all_hosts which require configuring.
-# - name: Load openshift_facts
-# hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config
-# roles:
-# - openshift_facts
-- hosts: all
-  become: yes
-  gather_facts: no
-  tasks:
-    - name: Check cert expirys on host
-      openshift_cert_expiry:
-        warning_days: 1500
-      register: check_results
-    - name: Generate html
-      become: no
-      run_once: yes
-      template:
-        src: templates/cert-expiry-table.html.j2
-        dest: /tmp/cert-table.html
-      delegate_to: localhost
diff --git a/roles/openshift_certificate_expiry/README.md b/roles/openshift_certificate_expiry/README.md
new file mode 100644
index 000000000..75970c7a0
--- /dev/null
+++ b/roles/openshift_certificate_expiry/README.md
@@ -0,0 +1,63 @@
+OpenShift Certificate Expiration Checker
+========================================
+
+OpenShift certificate expiration checking. Be warned of certificates
+expiring within a configurable window of days, and notified of
+certificates which have already expired. Certificates examined
+include:
+
+* Master/Node Service Certificates
+* Router/Registry Service Certificates from etcd secrets
+* Master/Node/Router/Registry/Admin `kubeconfig`s
+* Etcd certificates
+
+
+
+Requirements
+------------
+
+* None
+
+
+Role Variables
+--------------
+
+From this role:
+
+| Name | Default value | Description |
+|--------------------------|---------------|-------------------------------------------------------------------------------------|
+| `config_base` | `/etc/origin` | Base openshift config directory |
+| `warning_days` | `30` | Flag certificates which will expire in this many days from now |
+| `show_all` | `False` | Include healthy (non-expired and non-warning) certificates in results |
+| `generate_report` | `False` | Generate an HTML report of the expiry check results |
+| `save_json_results` | `False` | Save expiry check results as a json file |
+| `result_dir` | `/tmp` | Directory in which to put check results and generated reports |
+
+
+Dependencies
+------------
+
+* None
+
+Example Playbook
+----------------
+
+```
+- name: Check cert expirys
+ hosts: all
+ become: yes
+ gather_facts: no
+ roles:
+ - role: openshift_certificate_expiry
+```
+
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Tim Bielawa (tbielawa@redhat.com)
diff --git a/roles/openshift_certificate_expiry/defaults/main.yml b/roles/openshift_certificate_expiry/defaults/main.yml
new file mode 100644
index 000000000..5c077f450
--- /dev/null
+++ b/roles/openshift_certificate_expiry/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+config_base: "/etc/origin"
+warning_days: 30
+show_all: false
+generate_report: false
+result_dir: "/tmp"
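Review bot: `save_json_results` is missing from defaults/main.yml even though the README table in this same commit documents it with a default of `False` and tasks/main.yml gates the JSON task on `when: save_json_results`; with no default, a play that does not set the variable explicitly fails with an undefined-variable error in that conditional rather than skipping the task. Add `save_json_results: false` after `generate_report: false` so the role behaves as documented out of the box. The README's `False` vs the YAML `false` is only cosmetic, but the table and the defaults file should otherwise stay in lock-step since both are new here.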
diff --git a/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index f18ab75d0..f18ab75d0 100644
--- a/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
diff --git a/roles/openshift_certificate_expiry/meta/main.yml b/roles/openshift_certificate_expiry/meta/main.yml
new file mode 100644
index 000000000..dd66299ea
--- /dev/null
+++ b/roles/openshift_certificate_expiry/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: Tim Bielawa
+ description: OpenShift Certificate Expiry Checker
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.1
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies: []
diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml
new file mode 100644
index 000000000..def7d1284
--- /dev/null
+++ b/roles/openshift_certificate_expiry/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Check cert expirys on host
+  openshift_cert_expiry:
+    warning_days: 1500
+  register: check_results
+
+- name: Generate html
+  become: no
+  run_once: yes
+  template:
+    src: cert-expiry-table.html.j2
+    dest: /tmp/cert-table.html
+  delegate_to: localhost
+  when: generate_report
+
+- name: Generate JSON
+  become: no
+  run_once: yes
+  template:
+    src: save_json_results.j2
+    dest: /tmp/cert-expiry-results.json
+  delegate_to: localhost
+  when: save_json_results
diff --git a/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2
index f74d7f1ce..f74d7f1ce 100644
--- a/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2
+++ b/roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2
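Review bot: The tasks file hard-codes `warning_days: 1500` (carried over verbatim from the deleted playbook) and `/tmp/...` for both report destinations, so the `warning_days` and `result_dir` variables this commit defines in defaults/main.yml and documents in the README are never read — a user setting `warning_days: 30` still gets every certificate expiring within ~4 years flagged, and the reports always land at a fixed, predictable path in world-writable `/tmp` on the controller. Wire the variables through: `warning_days: "{{ warning_days }}"`, `dest: "{{ result_dir }}/cert-table.html"` and `dest: "{{ result_dir }}/cert-expiry-results.json"`. `config_base` and `show_all` are likewise documented but not passed to the module; whether the module accepts them cannot be confirmed from this diff (the module body is not shown), so either pass them or drop them from the README. The task name "Check cert expirys" also carries a typo ("expiries") if it is retouched.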
diff --git a/roles/openshift_certificate_expiry/templates/save_json_results.j2 b/roles/openshift_certificate_expiry/templates/save_json_results.j2
new file mode 100644
index 000000000..89602ac2b
--- /dev/null
+++ b/roles/openshift_certificate_expiry/templates/save_json_results.j2
@@ -0,0 +1,5 @@
+{
+{% for host in play_hosts %}
+"{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=2) }}{% if not loop.last %},{% endif %}
+{% endfor %}
+} |
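Review bot: The template dereferences `hostvars[host].check_results.check_results` for every host in `play_hosts` without checking that the variable exists, so one host on which the check task failed (or, depending on the Ansible version, was unreachable) makes the whole `run_once` JSON task error out instead of producing a partial report. Guard the loop, e.g. `{% for host in play_hosts if hostvars[host].check_results is defined %}` — `loop.last` keeps working on the filtered iteration so the comma handling stays valid. The host key is also interpolated into a JSON string literal by hand as `"{{host}}"`; emitting it as `{{ host | to_json }}:` lets the filter handle quoting and escaping so an inventory name with unusual characters cannot produce malformed JSON.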