Merge pull request #7698 from openshift-cherrypick-robot/cherry-pick-7666-to-master

[master] [3.9] Update example cert checks
OpenShift Merge Robot 7 years ago
parent
commit
797fcc4bcf

+ 16 - 13
examples/README.md

@@ -18,13 +18,15 @@ You can find more details about the certificate expiration check roles and examp
 
 The example `Job` in [certificate-check-upload.yaml](certificate-check-upload.yaml) executes a [Job](https://docs.openshift.org/latest/dev_guide/jobs.html) that checks the expiration dates of the internal certificates of the cluster and uploads HTML and JSON reports to `/etc/origin/certificate_expiration_report` in the masters.
 
-This example uses the [`easy-mode-upload.yaml`](../playbooks/certificate_expiry/easy-mode-upload.yaml) example playbook, which generates reports and uploads them to the masters. The playbook can be customized via environment variables to control the length of the warning period (`CERT_EXPIRY_WARN_DAYS`) and the location in the masters where the reports are uploaded (`COPY_TO_PATH`).
+This example uses the [`easy-mode-upload.yaml`](../playbooks/openshift-checks/certificate_expiry/easy-mode-upload.yaml) example playbook, which generates reports and uploads them to the masters. The playbook can be customized via environment variables to control the length of the warning period (`CERT_EXPIRY_WARN_DAYS`) and the location in the masters where the reports are uploaded (`COPY_TO_PATH`).
 
 The job expects the inventory to be provided via the *hosts* key of a [ConfigMap](https://docs.openshift.org/latest/dev_guide/configmaps.html) named *inventory*, and the passwordless ssh key that allows connecting to the hosts to be availalbe as *ssh-privatekey* from a [Secret](https://docs.openshift.org/latest/dev_guide/secrets.html) named *sshkey*, so these are created first:
 
     oc new-project certcheck
     oc create configmap inventory --from-file=hosts=/etc/ansible/hosts
-    oc secrets new-sshauth sshkey --ssh-privatekey=$HOME/.ssh/id_rsa
+    oc create secret generic sshkey \
+      --from-file=ssh-privatekey=$HOME/.ssh/id_rsa \
+      --type=kubernetes.io/ssh-auth
 
 Note that `inventory`, `hosts`, `sshkey` and `ssh-privatekey` are referenced by name from the provided example Job definition. If you use different names for the objects/attributes you will have to adjust the Job accordingly.
 
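Review bot: In the added `oc create secret generic sshkey` command, `--from-file=ssh-privatekey=$HOME/.ssh/id_rsa` copies the operator's default passwordless key into the Secret, so anyone who can read Secrets in the `certcheck` project gets SSH access to every host in the inventory. Suggest the README recommend a dedicated key pair generated for this check rather than the personal `id_rsa`, and quote the path (`"$HOME/.ssh/id_rsa"`) so a home directory containing spaces does not split the argument. The context paragraph above the command also still carries the typo "availalbe", which could be fixed in the same change.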
@@ -34,30 +36,30 @@ To create the Job:
 
 ### Scheduled job for certificate expiration report upload
 
-**Note**: This example uses the [ScheduledJob](https://docs.openshift.com/container-platform/3.4/dev_guide/scheduled_jobs.html) object, which has been renamed to [CronJob](https://docs.openshift.org/latest/dev_guide/cron_jobs.html) upstream and is still a Technology Preview subject to further change.
-
-The example `ScheduledJob` in [scheduled-certcheck-upload.yaml](scheduled-certcheck-upload.yaml) does the same as the `Job` example above, but it is scheduled to automatically run every first day of the month (see the `spec.schedule` value in the example).
+The example `CronJob` in [scheduled-certcheck-upload.yaml](scheduled-certcheck-upload.yaml) does the same as the `Job` example above, but it is scheduled to automatically run every first day of the month (see the `spec.schedule` value in the example).
 
 The job definition is the same and it expects the same configuration: we provide the inventory and ssh key via a ConfigMap and a Secret respectively:
 
     oc new-project certcheck
     oc create configmap inventory --from-file=hosts=/etc/ansible/hosts
-    oc secrets new-sshauth sshkey --ssh-privatekey=$HOME/.ssh/id_rsa
+    oc create secret generic sshkey \
+      --from-file=ssh-privatekey=$HOME/.ssh/id_rsa \
+      --type=kubernetes.io/ssh-auth
 
-And then we create the ScheduledJob:
+And then we create the CronJob:
 
     oc create -f examples/scheduled-certcheck-upload.yaml
 
-### Job and ScheduledJob to check certificates using volumes
+### Job and CronJob to check certificates using volumes
 
 There are two additional examples:
 
  - A `Job` [certificate-check-volume.yaml](certificate-check-volume.yaml)
- - A `ScheduledJob` [scheduled-certcheck-upload.yaml](scheduled-certcheck-upload.yaml)
+ - A `CronJob` [scheduled-certcheck-upload.yaml](scheduled-certcheck-upload.yaml)
 
 These perform the same work as the two examples above, but instead of uploading the generated reports to the masters they store them in a custom path within the container that is expected to be backed by a [PersistentVolumeClaim](https://docs.openshift.org/latest/dev_guide/persistent_volumes.html), so that the reports are actually written to storage external to the container.
 
-These examples assume that there is an existing `PersistentVolumeClaim` called `certcheck-reports` and they use the  [`html_and_json_timestamp.yaml`](../playbooks/certificate_expiry/html_and_json_timestamp.yaml) example playbook to write timestamped reports into it.
+These examples assume that there is an existing `PersistentVolumeClaim` called `certcheck-reports` and they use the  [`html_and_json_timestamp.yaml`](../playbooks/openshift-checks/certificate_expiry/html_and_json_timestamp.yaml) example playbook to write timestamped reports into it.
 
 You can later access the reports from another pod that mounts the same volume, or externally via direct access to the backend storage behind the matching `PersistentVolume`.
 
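Review bot: The `CronJob` list item edited in this hunk still links to `scheduled-certcheck-upload.yaml`, although the section covers the volume-backed variants, its `Job` sibling links to `certificate-check-volume.yaml`, and the last command in the README creates `examples/scheduled-certcheck-volume.yaml`. Since the line is being touched anyway, point both the link text and the target at `scheduled-certcheck-volume.yaml`.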
@@ -65,7 +67,9 @@ To run these examples we prepare the inventory and ssh keys as in the other exam
 
     oc new-project certcheck
     oc create configmap inventory --from-file=hosts=/etc/ansible/hosts
-    oc secrets new-sshauth sshkey --ssh-privatekey=$HOME/.ssh/id_rsa
+    oc create secret generic sshkey \
+      --from-file=ssh-privatekey=$HOME/.ssh/id_rsa \
+      --type=kubernetes.io/ssh-auth
 
 Additionally we allocate a `PersistentVolumeClaim` to store the reports:
 
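Review bot: This is the third identical copy of the three-line `oc create secret generic sshkey` block in the README, and the surrounding text already says the setup matches the other examples. Consider showing the project, ConfigMap and Secret commands once and referring back to them from the later sections, so the next change in `oc` syntax is a single edit instead of three.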
@@ -87,7 +91,6 @@ With that we can run the `Job` once:
 
     oc create -f examples/certificate-check-volume.yaml
 
-or schedule it to run periodically as a `ScheduledJob`:
+or schedule it to run periodically as a `CronJob`:
 
     oc create -f examples/scheduled-certcheck-volume.yaml
-

+ 1 - 1
examples/certificate-check-upload.yaml

@@ -31,7 +31,7 @@ spec:
         image: openshift/origin-ansible
         env:
         - name: PLAYBOOK_FILE
-          value: playbooks/certificate_expiry/easy-mode-upload.yaml
+          value: playbooks/openshift-checks/certificate_expiry/easy-mode-upload.yaml
         - name: INVENTORY_FILE
           value: /tmp/inventory/hosts       # from configmap vol below
         - name: ANSIBLE_PRIVATE_KEY_FILE    # from secret vol below
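Review bot: The new `PLAYBOOK_FILE` value only works if the container image ships the `playbooks/openshift-checks/` layout, yet the context line `image: openshift/origin-ansible` has no tag, so the Job runs whichever image the node happens to pull. Suggest pinning the image to the tag that matches this branch so the playbook path and the image contents cannot drift apart. The same applies to the other three manifests changed in this commit.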

+ 1 - 1
examples/certificate-check-volume.yaml

@@ -33,7 +33,7 @@ spec:
         image: openshift/origin-ansible
         env:
         - name: PLAYBOOK_FILE
-          value: playbooks/certificate_expiry/html_and_json_timestamp.yaml
+          value: playbooks/openshift-checks/certificate_expiry/html_and_json_timestamp.yaml
         - name: INVENTORY_FILE
           value: /tmp/inventory/hosts       # from configmap vol below
         - name: ANSIBLE_PRIVATE_KEY_FILE    # from secret vol below

+ 5 - 8
examples/scheduled-certcheck-upload.yaml

@@ -1,4 +1,4 @@
-# An example ScheduledJob to run a regular check of OpenShift's internal
+# An example CronJob to run a regular check of OpenShift's internal
 # certificate status.
 #
 # Each job will upload new reports to a directory in the master hosts
@@ -6,13 +6,10 @@
 # The Job specification is the same as 'certificate-check-upload.yaml'
 # and the expected pre-configuration is equivalent.
 # See that Job example and examples/README.md for more details.
-#
-# NOTE: ScheduledJob has been renamed to CronJob in upstream k8s recently. At
-# some point (OpenShift 3.6+) this will have to be renamed to "kind: CronJob"
-# and once the API stabilizes the apiVersion will have to be updated too.
+
 ---
-apiVersion: batch/v2alpha1
-kind: ScheduledJob
+apiVersion: batch/v1beta1
+kind: CronJob
 metadata:
   name: certificate-check
   labels:
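Review bot: The removed NOTE was the only place recording that the `apiVersion` would need another update once the API stabilizes, and the replacement `apiVersion: batch/v1beta1` is still a beta group. Suggest keeping a one-line comment above `apiVersion` that states which release this manifest targets and that the group is expected to change again, instead of replacing the whole note with a blank line.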
@@ -31,7 +28,7 @@ spec:
             image: openshift/origin-ansible
             env:
             - name: PLAYBOOK_FILE
-              value: playbooks/certificate_expiry/easy-mode-upload.yaml
+              value: playbooks/openshift-checks/certificate_expiry/easy-mode-upload.yaml
             - name: INVENTORY_FILE
               value: /tmp/inventory/hosts       # from configmap vol below
             - name: ANSIBLE_PRIVATE_KEY_FILE    # from secret vol below

+ 5 - 8
examples/scheduled-certcheck-volume.yaml

@@ -1,4 +1,4 @@
-# An example ScheduledJob to run a regular check of OpenShift's internal
+# An example CronJob to run a regular check of OpenShift's internal
 # certificate status.
 #
 # Each job will add a new pair of reports to the configured Persistent Volume
@@ -6,13 +6,10 @@
 # The Job specification is the same as 'certificate-check-volume.yaml'
 # and the expected pre-configuration is equivalent.
 # See that Job example and examples/README.md for more details.
-#
-# NOTE: ScheduledJob has been renamed to CronJob in upstream k8s recently. At
-# some point (OpenShift 3.6+) this will have to be renamed to "kind: CronJob"
-# and once the API stabilizes the apiVersion will have to be updated too.
+
 ---
-apiVersion: batch/v2alpha1
-kind: ScheduledJob
+apiVersion: batch/v1beta1
+kind: CronJob
 metadata:
   name: certificate-check
   labels:
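Review bot: This manifest and `scheduled-certcheck-upload.yaml` both declare `kind: CronJob` with `name: certificate-check`, and the README creates both in the same `certcheck` project, so a user who follows both sections will have the second `oc create -f` rejected as a duplicate. Suggest giving the two objects distinct names, for example by adding an `-upload` and a `-volume` suffix. As in the upload manifest, the dropped NOTE leaves no record that `batch/v1beta1` is a beta API.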
@@ -31,7 +28,7 @@ spec:
             image: openshift/origin-ansible
             env:
             - name: PLAYBOOK_FILE
-              value: playbooks/certificate_expiry/html_and_json_timestamp.yaml
+              value: playbooks/openshift-checks/certificate_expiry/html_and_json_timestamp.yaml
             - name: INVENTORY_FILE
               value: /tmp/inventory/hosts       # from configmap vol below
             - name: ANSIBLE_PRIVATE_KEY_FILE    # from secret vol below