summaryrefslogtreecommitdiffstats
path: root/playbooks/certificate_expiry
diff options
context:
space:
mode:
authorPep TurrĂ³ Mauri <pep@redhat.com>2017-03-23 17:31:20 +0100
committerPep TurrĂ³ Mauri <pep@redhat.com>2017-04-06 17:58:06 +0200
commit9dbc6d42ec99f902a9cef786009cee4953bbbde4 (patch)
tree19c4730022b529b4476786c6e75df322c7ef96f9 /playbooks/certificate_expiry
parent0bac74c346bb5c620bdf1941b40c29ff3083e2b0 (diff)
downloadopenshift-9dbc6d42ec99f902a9cef786009cee4953bbbde4.tar.gz
openshift-9dbc6d42ec99f902a9cef786009cee4953bbbde4.tar.bz2
openshift-9dbc6d42ec99f902a9cef786009cee4953bbbde4.tar.xz
openshift-9dbc6d42ec99f902a9cef786009cee4953bbbde4.zip
Add example scheduled certificate check
Additional certificate expiration check playbooks: - one that that uploads the generated reports to a location in the masters - one that uses custom report paths with timestamps OpenShift Job and ScheduledJob examples that use these playbooks run from a container to check cluster certificates from within the cluster itself.
Diffstat (limited to 'playbooks/certificate_expiry')
-rw-r--r--playbooks/certificate_expiry/easy-mode-upload.yaml40
-rw-r--r--playbooks/certificate_expiry/html_and_json_timestamp.yaml16
2 files changed, 56 insertions, 0 deletions
diff --git a/playbooks/certificate_expiry/easy-mode-upload.yaml b/playbooks/certificate_expiry/easy-mode-upload.yaml
new file mode 100644
index 000000000..378d1f154
--- /dev/null
+++ b/playbooks/certificate_expiry/easy-mode-upload.yaml
@@ -0,0 +1,40 @@
+# This example generates HTML and JSON reports and
+#
+# Copies of the generated HTML and JSON reports are uploaded to the masters,
+# which is particularly useful when this playbook is run from a container.
+#
+# All certificates (healthy or not) are included in the results
+#
+# Optional environment variables to alter the behaviour of the playbook:
+# CERT_EXPIRY_WARN_DAYS: Length of the warning window in days (45)
+# COPY_TO_PATH: path to copy reports to in the masters (/etc/origin/certificate_expiration_report)
+---
+- name: Generate certificate expiration reports
+ hosts: nodes:masters:etcd
+ gather_facts: no
+ vars:
+ openshift_certificate_expiry_save_json_results: yes
+ openshift_certificate_expiry_generate_html_report: yes
+ openshift_certificate_expiry_show_all: yes
+ openshift_certificate_expiry_warning_days: "{{ lookup('env', 'CERT_EXPIRY_WARN_DAYS') | default('45', true) }}"
+ roles:
+ - role: openshift_certificate_expiry
+
+- name: Upload reports to master
+ hosts: masters
+ gather_facts: no
+ vars:
+ destination_path: "{{ lookup('env', 'COPY_TO_PATH') | default('/etc/origin/certificate_expiration_report', true) }}"
+ timestamp: "{{ lookup('pipe', 'date +%Y%m%d') }}"
+ tasks:
+ - name: Ensure that the target directory exists
+ file:
+ path: "{{ destination_path }}"
+ state: directory
+ - name: Copy the reports
+ copy:
+ dest: "{{ destination_path }}/{{ timestamp }}-{{ item }}"
+ src: "/tmp/{{ item }}"
+ with_items:
+ - "cert-expiry-report.html"
+ - "cert-expiry-report.json"
diff --git a/playbooks/certificate_expiry/html_and_json_timestamp.yaml b/playbooks/certificate_expiry/html_and_json_timestamp.yaml
new file mode 100644
index 000000000..2189455b7
--- /dev/null
+++ b/playbooks/certificate_expiry/html_and_json_timestamp.yaml
@@ -0,0 +1,16 @@
+---
+# Generate timestamped HTML and JSON reports in /var/lib/certcheck
+
+- name: Check cert expirys
+ hosts: nodes:masters:etcd
+ become: yes
+ gather_facts: no
+ vars:
+ openshift_certificate_expiry_generate_html_report: yes
+ openshift_certificate_expiry_save_json_results: yes
+ openshift_certificate_expiry_show_all: yes
+ timestamp: "{{ lookup('pipe', 'date +%Y%m%d') }}"
+ openshift_certificate_expiry_html_report_path: "/var/lib/certcheck/{{ timestamp }}-cert-expiry-report.html"
+ openshift_certificate_expiry_json_results_path: "/var/lib/certcheck/{{ timestamp }}-cert-expiry-report.json"
+ roles:
+ - role: openshift_certificate_expiry