
Fix playbooks, update readme, update default vars

Fix 'make ci' system

Add examples
Tim Bielawa 8 years ago
parent
commit
3e8279ace3

+ 128 - 10
roles/openshift_certificate_expiry/README.md

@@ -22,16 +22,22 @@ Requirements
 Role Variables
 --------------
 
-From this role:
+Core variables in this role:
 
-| Name                     | Default value | Description                                                                         |
-|--------------------------|---------------|-------------------------------------------------------------------------------------|
-| `config_base`            | `/etc/origin` | Base openshift config directory                                                     |
-| `warning_days`           | `30`          | Flag certificates which will expire in this many days from now                      |
-| `show_all`               | `False`       | Include healthy (non-expired and non-warning) certificates in results               |
-| `generate_report`        | `False`       | Generate an HTML report of the expiry check results                                 |
-| `save_json_results`      | `False`       | Save expiry check results as a json file                                            |
-| `result_dir`             | `/tmp`        | Directory in which to put check results and generated reports                       |
+| Name                     | Default value                  | Description                                                           |
+|--------------------------|--------------------------------|-----------------------------------------------------------------------|
+| `config_base`            | `/etc/origin`                  | Base openshift config directory                                       |
+| `warning_days`           | `30`                           | Flag certificates which will expire in this many days from now        |
+| `show_all`               | `no`                           | Include healthy (non-expired and non-warning) certificates in results |
+
+Optional report/result saving variables in this role:
+
+| Name                     | Default value                  | Description                                                           |
+|--------------------------|--------------------------------|-----------------------------------------------------------------------|
+| `generate_html_report`   | `no`                           | Generate an HTML report of the expiry check results                   |
+| `html_report_path`       | `/tmp/cert-expiry-report.html` | The full path to save the HTML report as                              |
+| `save_json_results`      | `no`                           | Save expiry check results as a json file                              |
+| `json_results_path`      | `/tmp/cert-expiry-report.json` | The full path to save the json report as                              |
 
 
 Dependencies
@@ -42,16 +48,128 @@ Dependencies
 Example Playbook
 ----------------
 
+Default behavior:
+
+```yaml
+---
+- name: Check cert expirys
+  hosts: all
+  become: yes
+  gather_facts: no
+  roles:
+    - role: openshift_certificate_expiry
+```
+
+Generate HTML and JSON artifacts in their default paths:
+
+```yaml
+---
+- name: Check cert expirys
+  hosts: all
+  become: yes
+  gather_facts: no
+  vars:
+    generate_html_report: yes
+    save_json_results: yes
+  roles:
+    - role: openshift_certificate_expiry
 ```
+
+Change the expiration warning window to 1500 days (good for testing
+the module out)
+
+```yaml
+---
 - name: Check cert expirys
   hosts: all
   become: yes
   gather_facts: no
+  vars:
+    warning_days: 1500
   roles:
-  - role: openshift_certificate_expiry
+    - role: openshift_certificate_expiry
 ```
 
 
+Example JSON Output
+-------------------
+
+Example is abbreviated to save space:
+
+```json
+{
+    "192.168.124.148": {
+        "etcd": [
+            {
+                "cert_cn": "CN:etcd-signer@1474563722",
+                "days_remaining": 350,
+                "expiry": "2017-09-22 17:02:25",
+                "health": "warning",
+                "path": "/etc/etcd/ca.crt"
+            },
+        ],
+        "kubeconfigs": [
+            {
+                "cert_cn": "O:system:nodes, CN:system:node:m01.example.com",
+                "days_remaining": 715,
+                "expiry": "2018-09-22 17:08:57",
+                "health": "warning",
+                "path": "/etc/origin/node/system:node:m01.example.com.kubeconfig"
+            },
+            {
+                "cert_cn": "O:system:cluster-admins, CN:system:admin",
+                "days_remaining": 715,
+                "expiry": "2018-09-22 17:04:40",
+                "health": "warning",
+                "path": "/etc/origin/master/admin.kubeconfig"
+            }
+        ],
+        "meta": {
+            "checked_at_time": "2016-10-07 15:26:47.608192",
+            "show_all": "True",
+            "warn_after_date": "2020-11-15 15:26:47.608192",
+            "warning_days": 1500
+        },
+        "ocp_certs": [
+            {
+                "cert_cn": "CN:172.30.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:m01.example.com, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:172.30.0.1, DNS:192.168.124.148, IP Address:172.30.0.1, IP Address:192.168.124.148",
+                "days_remaining": 715,
+                "expiry": "2018-09-22 17:04:39",
+                "health": "warning",
+                "path": "/etc/origin/master/master.server.crt"
+            },
+            {
+                "cert_cn": "CN:openshift-signer@1474563878",
+                "days_remaining": 1810,
+                "expiry": "2021-09-21 17:04:38",
+                "health": "ok",
+                "path": "/etc/origin/node/ca.crt"
+            }
+        ],
+        "registry": [
+            {
+                "cert_cn": "CN:172.30.101.81, DNS:docker-registry-default.router.default.svc.cluster.local, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.101.81, IP Address:172.30.101.81",
+                "days_remaining": 728,
+                "expiry": "2018-10-05 18:54:29",
+                "health": "warning",
+                "path": "/api/v1/namespaces/default/secrets/registry-certificates"
+            }
+        ],
+        "router": [
+            {
+                "cert_cn": "CN:router.default.svc, DNS:router.default.svc, DNS:router.default.svc.cluster.local",
+                "days_remaining": 715,
+                "expiry": "2018-09-22 17:48:23",
+                "health": "warning",
+                "path": "/api/v1/namespaces/default/secrets/router-certs"
+            }
+        ]
+    }
+}
+```
+
+
+
 License
 -------
 

+ 5 - 3
roles/openshift_certificate_expiry/defaults/main.yml

@@ -1,6 +1,8 @@
 ---
 config_base: "/etc/origin"
 warning_days: 30
-show_all: false
-generate_report: false
-result_dir: "/tmp"
+show_all: no
+generate_html_report: no
+html_report_path: "/tmp/cert-expiry-report.html"
+save_json_results: no
+json_results_path: "/tmp/cert-expiry-report.json"
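Review bot: `html_report_path` and `json_results_path` default to fixed file names under the shared `/tmp` directory, and the tasks in this commit write them on the control host (`delegate_to: localhost`), so successive or concurrent runs by different users on the same control host silently overwrite each other's report and any pre-existing file at that name is clobbered. Consider defaulting to a user-owned location, or at least make the trade-off visible with a comment above these two lines such as `# report artifacts are written on the control host; override per run to avoid collisions`.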

+ 7 - 6
roles/openshift_certificate_expiry/library/openshift_cert_expiry.py

@@ -281,11 +281,11 @@ an OpenShift Container Platform cluster
                 type='str'),
             warning_days=dict(
                 required=False,
-                default=int(30),
+                default=30,
                 type='int'),
             show_all=dict(
                 required=False,
-                default="False",
+                default=False,
                 type='bool')
         ),
         supports_check_mode=True,
@@ -549,8 +549,6 @@ an OpenShift Container Platform cluster
 
         classify_cert(expire_check_result, now, time_remaining, expire_window, router_certs)
 
-    check_results['router'] = router_certs
-
     ######################################################################
     # Now for registry
     # registry_secrets = subprocess.call('oc get secret registry-certificates -o yaml'.split())
@@ -579,8 +577,6 @@ an OpenShift Container Platform cluster
 
         classify_cert(expire_check_result, now, time_remaining, expire_window, registry_certs)
 
-    check_results['registry'] = registry_certs
-
     ######################################################################
     # /Check router/registry certs
     ######################################################################
@@ -602,10 +598,15 @@ an OpenShift Container Platform cluster
         check_results['ocp_certs'] = [crt for crt in ocp_certs if crt['health'] in ['expired', 'warning']]
         check_results['kubeconfigs'] = [crt for crt in kubeconfigs if crt['health'] in ['expired', 'warning']]
         check_results['etcd'] = [crt for crt in etcd_certs if crt['health'] in ['expired', 'warning']]
+        check_results['registry'] = [crt for crt in registry_certs if crt['health'] in ['expired', 'warning']]
+        check_results['router'] = [crt for crt in router_certs if crt['health'] in ['expired', 'warning']]
     else:
         check_results['ocp_certs'] = ocp_certs
         check_results['kubeconfigs'] = kubeconfigs
         check_results['etcd'] = etcd_certs
+        check_results['registry'] = registry_certs
+        check_results['router'] = router_certs
+
 
     # Sort the final results to report in order of ascending safety
     # time. That is to say, the certificates which will expire sooner
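Review bot: The five list comprehensions in the first branch repeat the same `crt['health'] in ['expired', 'warning']` filter, and the new `registry` and `router` lines extend that copy-paste rather than factoring it; a small helper such as `def unhealthy(certs): return [crt for crt in certs if crt['health'] in ['expired', 'warning']]` would let each line read `check_results['registry'] = unhealthy(registry_certs)` and keep the classification rule in one place. The blank line added after `check_results['router'] = router_certs` leaves two consecutive blank lines inside the function, which the pep8 run in utils/Makefile reports as E303 unless that code is covered by `PEPEXCLUDES`. The enclosing function starts and ends outside this hunk.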

+ 9 - 7
roles/openshift_certificate_expiry/tasks/main.yml

@@ -1,23 +1,25 @@
 ---
 - name: Check cert expirys on host
   openshift_cert_expiry:
-    warning_days: 1500
+    warning_days: "{{ warning_days|int }}"
+    config_base: "{{ config_base }}"
+    show_all: "{{ show_all|bool }}"
   register: check_results
 
-- name: Generate html
+- name: Generate expiration report HTML
   become: no
   run_once: yes
   template:
     src: cert-expiry-table.html.j2
-    dest: /tmp/cert-table.html
+    dest: "{{ html_report_path }}"
   delegate_to: localhost
-  when: generate_report
+  when: "{{ generate_html_report|bool }}"
 
-- name: Generate JSON
+- name: Generate expiration results JSON
   become: no
   run_once: yes
   template:
     src: save_json_results.j2
-    dest: /tmp/cert-expiry-results.json
+    dest: "{{ json_results_path }}"
   delegate_to: localhost
-  when: save_json_results
+  when: "{{ save_json_results|bool }}"
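Review bot: `when: "{{ generate_html_report|bool }}"` and `when: "{{ save_json_results|bool }}"` wrap the condition in Jinja delimiters, but `when` is already evaluated as a Jinja expression, and later Ansible releases warn that conditionals should not contain `{{ }}`. Write them as `when: generate_html_report | bool` and `when: save_json_results | bool`; the `| bool` cast is the useful part of the change, since the removed `when: generate_report` depended on the variable already being a real boolean. The same applies to `show_all: "{{ show_all|bool }}"` only in the sense that the module argument is declared `type='bool'` in this commit, so the cast there is harmless but redundant.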

+ 2 - 1
roles/openshift_certificate_expiry/templates/save_json_results.j2

@@ -1,5 +1,6 @@
 {
 {% for host in play_hosts %}
-"{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=2) }}{% if not loop.last %},{% endif %}
+  "{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=4) }}{% if not loop.last %},
+{% endif %}
 {% endfor %}
 }
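Review bot: The host key is emitted as a raw quoted string, `"{{host}}"`, so an inventory name containing a double quote or backslash would produce invalid JSON while the value next to it is properly serialised by `to_nice_json`; writing the key as `{{ host | to_json }}` yields the quoted and escaped form. The comma handling moved into the `{% if not loop.last %}` block still works after the re-indentation. Separately, later Ansible versions deprecate `play_hosts` in favour of the `ansible_play_*` variables, so this template may need updating when the role's minimum Ansible version moves.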

+ 3 - 3
utils/Makefile

@@ -82,7 +82,7 @@ ci-pylint:
 	@echo "#############################################"
 	@echo "# Running PyLint Tests in virtualenv"
 	@echo "#############################################"
-	. $(NAME)env/bin/activate && python -m pylint --rcfile ../git/.pylintrc src/ooinstall/cli_installer.py src/ooinstall/oo_config.py src/ooinstall/openshift_ansible.py src/ooinstall/variants.py ../callback_plugins/openshift_quick_installer.py ../library/openshift_cert_expiry.py
+	. $(NAME)env/bin/activate && python -m pylint --rcfile ../git/.pylintrc src/ooinstall/cli_installer.py src/ooinstall/oo_config.py src/ooinstall/openshift_ansible.py src/ooinstall/variants.py ../callback_plugins/openshift_quick_installer.py ../roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
 
 ci-list-deps:
 	@echo "#############################################"
@@ -96,7 +96,7 @@ ci-pyflakes:
 	@echo "#################################################"
 	. $(NAME)env/bin/activate && pyflakes src/ooinstall/*.py
 	. $(NAME)env/bin/activate && pyflakes ../callback_plugins/openshift_quick_installer.py
-	. $(NAME)env/bin/activate && pyflakes ../library/openshift_cert_expiry.py
+	. $(NAME)env/bin/activate && pyflakes ../roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
 
 ci-pep8:
 	@echo "#############################################"
@@ -106,7 +106,7 @@ ci-pep8:
 	. $(NAME)env/bin/activate && pep8 --ignore=$(PEPEXCLUDES) ../callback_plugins/openshift_quick_installer.py
 # This one excludes E402 because it is an ansible module and the
 # boilerplate import statement is expected to be at the bottom
-	. $(NAME)env/bin/activate && pep8 --ignore=$(PEPEXCLUDES),E402 ../library/openshift_cert_expiry.py
+	. $(NAME)env/bin/activate && pep8 --ignore=$(PEPEXCLUDES),E402 ../roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
 
 ci: clean virtualenv ci-list-deps ci-pep8 ci-pylint ci-pyflakes ci-unittests
 	:
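Review bot: The module path `../roles/openshift_certificate_expiry/library/openshift_cert_expiry.py` is now spelled out in three recipes (ci-pylint, ci-pyflakes, ci-pep8), which is exactly why this relocation needed three edits; a single variable near the top, `CERT_EXPIRY_MODULE := ../roles/openshift_certificate_expiry/library/openshift_cert_expiry.py`, referenced as `$(CERT_EXPIRY_MODULE)` in each recipe, makes the next move a one-line change. The `ci-*` targets and `ci` itself are commands rather than files, so they should appear in a `.PHONY` list if one is not already declared earlier in the file; the top of utils/Makefile is outside this view.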