
Merge pull request #2829 from tbielawa/cert_expiry_updates

Cert expiry updates
Tim Bielawa 8 năm trước cách đây
mục cha
commit
85e272da3b

+ 13 - 7
roles/openshift_certificate_expiry/README.md

@@ -9,7 +9,7 @@ include:
 * Master/Node Service Certificates
 * Router/Registry Service Certificates from etcd secrets
 * Master/Node/Router/Registry/Admin `kubeconfig`s
-* Etcd certificates
+* Etcd certificates (including embedded)
 
 This role pairs well with the redeploy certificates playbook:
 
@@ -111,12 +111,16 @@ There are two top-level keys in the saved JSON results, `data` and
 `summary`.
 
 The `data` key is a hash where the keys are the names of each host
-examined and the values are the check results for each respective
-host.
+examined and the values are the check results for the certificates
+identified on each respective host.
 
-The `summary` key is a hash that summarizes the number of certificates
-expiring within the configured warning window and the number of
-already expired certificates.
+The `summary` key is a hash that summarizes the total number of
+certificates:
+
+* examined on the entire cluster
+* OK
+* expiring within the configured warning window
+* already expired
 
 The example below is abbreviated to save space:
 
@@ -193,7 +197,9 @@ The example below is abbreviated to save space:
     },
     "summary": {
         "warning": 6,
-        "expired": 0
+        "expired": 0,
+        "total": 7,
+        "ok": 1
     }
 }
 ```

+ 4 - 0
roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py

@@ -51,9 +51,13 @@ Example playbook usage:
 
         total_warnings = sum([hostvars[h]['check_results']['summary']['warning'] for h in play_hosts])
         total_expired = sum([hostvars[h]['check_results']['summary']['expired'] for h in play_hosts])
+        total_ok = sum([hostvars[h]['check_results']['summary']['ok'] for h in play_hosts])
+        total_total = sum([hostvars[h]['check_results']['summary']['total'] for h in play_hosts])
 
         json_result['summary']['warning'] = total_warnings
         json_result['summary']['expired'] = total_expired
+        json_result['summary']['ok'] = total_ok
+        json_result['summary']['total'] = total_total
 
         return json_result
 
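Review bot: The two added `sum([...])` lines, like the two they copy, build a throwaway list inside `sum()`; a generator expression does the same work without the allocation, `total_ok = sum(hostvars[h]['check_results']['summary']['ok'] for h in play_hosts)`. With four keys now aggregated in exactly the same way, a single loop keeps the two lists in step if another summary key is added later: `for key in ('warning', 'expired', 'ok', 'total'):` followed by `json_result['summary'][key] = sum(hostvars[h]['check_results']['summary'][key] for h in play_hosts)`. Each host's summary is indexed directly, so a host whose `check_results` were produced by a module version without `ok`/`total` raises KeyError here instead of being skipped — presumably acceptable because the role ships module and filter together, but worth a one-line comment. The enclosing function starts before the hunk.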

+ 43 - 2
roles/openshift_certificate_expiry/library/openshift_cert_expiry.py

@@ -467,7 +467,11 @@ an OpenShift Container Platform cluster
 
     ######################################################################
     # Check etcd certs
+    #
+    # Two things to check: 'external' etcd, and embedded etcd.
     ######################################################################
+    # FIRST: The 'external' etcd
+    #
     # Some values may be duplicated, make this a set for now so we
     # unique them all
     etcd_certs_to_check = set([])
@@ -506,6 +510,43 @@ an OpenShift Container Platform cluster
             classify_cert(expire_check_result, now, time_remaining, expire_window, etcd_certs)
 
     ######################################################################
+    # Now the embedded etcd
+    ######################################################################
+    try:
+        with open('/etc/origin/master/master-config.yaml', 'r') as fp:
+            cfg = yaml.load(fp)
+    except IOError:
+        # Not present
+        pass
+    else:
+        if cfg.get('etcdConfig', {}).get('servingInfo', {}).get('certFile', None) is not None:
+            # This is embedded
+            etcd_crt_name = cfg['etcdConfig']['servingInfo']['certFile']
+        else:
+            # Not embedded
+            etcd_crt_name = None
+
+        if etcd_crt_name is not None:
+            # etcd_crt_name is relative to the location of the
+            # master-config.yaml file
+            cfg_path = os.path.dirname(fp.name)
+            etcd_cert = os.path.join(cfg_path, etcd_crt_name)
+            with open(etcd_cert, 'r') as etcd_fp:
+                (cert_subject,
+                 cert_expiry_date,
+                 time_remaining) = load_and_handle_cert(etcd_fp.read(), now)
+
+                expire_check_result = {
+                    'cert_cn': cert_subject,
+                    'path': etcd_fp.name,
+                    'expiry': cert_expiry_date,
+                    'days_remaining': time_remaining.days,
+                    'health': None,
+                }
+
+                classify_cert(expire_check_result, now, time_remaining, expire_window, etcd_certs)
+
+    ######################################################################
     # /Check etcd certs
     ######################################################################
 
@@ -523,7 +564,7 @@ an OpenShift Container Platform cluster
     ######################################################################
     # First the router certs
     try:
-        router_secrets_raw = subprocess.Popen('oc get secret router-certs -o yaml'.split(),
+        router_secrets_raw = subprocess.Popen('oc get -n default secret router-certs -o yaml'.split(),
                                               stdout=subprocess.PIPE)
         router_ds = yaml.load(router_secrets_raw.communicate()[0])
         router_c = router_ds['data']['tls.crt']
@@ -552,7 +593,7 @@ an OpenShift Container Platform cluster
     ######################################################################
     # Now for registry
     try:
-        registry_secrets_raw = subprocess.Popen('oc get secret registry-certificates -o yaml'.split(),
+        registry_secrets_raw = subprocess.Popen('oc get -n default secret registry-certificates -o yaml'.split(),
                                                 stdout=subprocess.PIPE)
         registry_ds = yaml.load(registry_secrets_raw.communicate()[0])
         registry_c = registry_ds['data']['registry.crt']