
Refactor into a role

Tim Bielawa 8 years ago
parent
commit
a22e8daf1f

+ 0 - 35
playbooks/byo/openshift-cluster/check-cert-expiry.yaml

@@ -1,35 +0,0 @@
----
-# check-cert-expiry.yaml - A utility for cluster ops to scan through
-# (critical) certificates for the ongoing operations of a cluster.
-
-# We do not support all Ansible versions. This is our safety net.
-- include: ../../common/openshift-cluster/verify_ansible_version.yml
-
-- name: Generate the l_oo_all_hosts group
-  hosts: localhost
-  connection: local
-  become: no
-  gather_facts: no
-  tasks:
-  - include_vars: cluster_hosts.yml
-  - add_host:
-      name: "{{ item }}"
-      groups: l_oo_all_hosts
-    with_items: "{{ g_all_hosts | default([]) }}"
-
-# This may seem redundant, running `include_vars` again on the list of
-# hosts in the group 'l_oo_all_hosts' which we just created. But the
-# fact of the matter is that if we don't re-run include_vars on the
-# new host group we created, then they will not have access to those
-# same group variables they were birthed from.
-#
-# Go ahead and try to 'debug: var=g_all_hosts' later on (without this
-# play) and you'll find that the result is UNDEFINED VARIABLE.
-- name: Inject cluster hosts variables into l_oo_all_hosts
-  hosts: l_oo_all_hosts
-  gather_facts: no
-  tasks:
-  - include_vars: cluster_hosts.yml
-
-# This is where the actual business gets started:
-- include: ../../common/openshift-cluster/check-cert-expiry.yaml

+ 0 - 44
playbooks/common/openshift-cluster/check-cert-expiry.yaml

@@ -1,44 +0,0 @@
-# ---
-# # This must be evaluated after cluster_hosts.yml has been evaluated on
-# # 'localhost' to generate l_oo_all_hosts and then subsequently
-# # evaluated again on the generated hosts group (l_oo_all_hosts).
-# - include: evaluate_groups.yml
-#   tags:
-#   - always
-
-# # Initialize cluster facts for oo_all_hosts using the openshift_facts
-# # role followed by the 'common' role
-# - include: initialize_facts.yml
-#   tags:
-#   - always
-
-# # Get the version to install from the first master, then synchronize
-# # that variable across all in oo_all_hosts
-# - include: initialize_openshift_version.yml
-#   tags:
-#   - always
-
-# # Earlier 'initialize_facts' included the openshift_facts role and
-# # used the openshift_facts module with the 'role' parameter set to
-# # 'common'. Now we're applying the openshift_facts role AGAIN but just
-# # to the subset of oo_all_hosts which require configuring.
-# - name: Load openshift_facts
-#   hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config
-#   roles:
-#     - openshift_facts
-
-- hosts: all
-  become: yes
-  gather_facts: no
-  tasks:
-    - name: Check cert expirys on host
-      openshift_cert_expiry:
-        warning_days: 1500
-      register: check_results
-    - name: Generate html
-      become: no
-      run_once: yes
-      template:
-        src: templates/cert-expiry-table.html.j2
-        dest: /tmp/cert-table.html
-      delegate_to: localhost

+ 63 - 0
roles/openshift_certificate_expiry/README.md

@@ -0,0 +1,63 @@
+OpenShift Certificate Expiration Checker
+========================================
+
+OpenShift certificate expiration checking. Be warned of certificates
+expiring within a configurable window of days, and notified of
+certificates which have already expired. Certificates examined
+include:
+
+* Master/Node Service Certificates
+* Router/Registry Service Certificates from etcd secrets
+* Master/Node/Router/Registry/Admin `kubeconfig`s
+* Etcd certificates
+
+
+
+Requirements
+------------
+
+* None
+
+
+Role Variables
+--------------
+
+From this role:
+
+| Name                     | Default value | Description                                                                         |
+|--------------------------|---------------|-------------------------------------------------------------------------------------|
+| `config_base`            | `/etc/origin` | Base openshift config directory                                                     |
+| `warning_days`           | `30`          | Flag certificates which will expire in this many days from now                      |
+| `show_all`               | `False`       | Include healthy (non-expired and non-warning) certificates in results               |
+| `generate_report`        | `False`       | Generate an HTML report of the expiry check results                                 |
+| `save_json_results`      | `False`       | Save expiry check results as a json file                                            |
+| `result_dir`             | `/tmp`        | Directory in which to put check results and generated reports                       |
+
+
+Dependencies
+------------
+
+* None
+
+Example Playbook
+----------------
+
+```
+- name: Check cert expirys
+  hosts: all
+  become: yes
+  gather_facts: no
+  roles:
+  - role: openshift_certificate_expiry
+```
+
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+
+Tim Bielawa (tbielawa@redhat.com)

+ 6 - 0
roles/openshift_certificate_expiry/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+config_base: "/etc/origin"
+warning_days: 30
+show_all: false
+generate_report: false
+result_dir: "/tmp"
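Review bot: `save_json_results` is missing from these defaults, although the README lists it with a default of `False` and tasks/main.yml gates the "Generate JSON" task on `when: save_json_results`. With nothing else defining it, that conditional will likely fail on an undefined variable, so add `save_json_results: false` next to `generate_report`. The names here (`warning_days`, `result_dir`, `show_all`) are also very generic and share one variable namespace with every other role and the inventory; a role-specific prefix would prevent accidental overrides.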

library/openshift_cert_expiry.py → roles/openshift_certificate_expiry/library/openshift_cert_expiry.py


+ 15 - 0
roles/openshift_certificate_expiry/meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Tim Bielawa
+  description: OpenShift Certificate Expiry Checker
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.1
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+  - system
+dependencies: []
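Review bot: `min_ansible_version: 2.1` and the platform version `- 7` are unquoted, so YAML loads them as a float and an integer rather than strings, and a later value such as 2.10 would silently become 2.1. Quote them as `min_ansible_version: "2.1"` and `- "7"`. Separately, the deleted byo playbook included verify_ansible_version.yml as a safety net, and nothing visible in the role enforces the minimum version at run time. This metadata field is presumably informational only, so the check may need to move into the role's tasks or the calling playbook.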

+ 23 - 0
roles/openshift_certificate_expiry/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Check cert expirys on host
+  openshift_cert_expiry:
+    warning_days: 1500
+  register: check_results
+
+- name: Generate html
+  become: no
+  run_once: yes
+  template:
+    src: cert-expiry-table.html.j2
+    dest: /tmp/cert-table.html
+  delegate_to: localhost
+  when: generate_report
+
+- name: Generate JSON
+  become: no
+  run_once: yes
+  template:
+    src: save_json_results.j2
+    dest: /tmp/cert-expiry-results.json
+  delegate_to: localhost
+  when: save_json_results
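Review bot: The role's variables are not wired into these tasks: `warning_days: 1500` is hard-coded, so the documented default of 30 and any user override are ignored, and both `dest` paths are fixed under `/tmp` instead of using `result_dir`. Suggest `warning_days: "{{ warning_days }}"` and `dest: "{{ result_dir }}/cert-table.html"`, and likewise for the JSON file. Both outputs describe the cluster's certificate inventory and are written on the control host with no `mode`, under a predictable name in a world-writable directory. Setting `mode: "0600"` on both template tasks, and defaulting `result_dir` to a directory owned by the invoking user, would keep other local users from reading or pre-creating them. As a style point, `become: no` and `run_once: yes` are better written as `false` and `true`.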

playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 → roles/openshift_certificate_expiry/templates/cert-expiry-table.html.j2


+ 5 - 0
roles/openshift_certificate_expiry/templates/save_json_results.j2

@@ -0,0 +1,5 @@
+{
+{% for host in play_hosts %}
+"{{host}}": {{ hostvars[host].check_results.check_results | to_nice_json(indent=2) }}{% if not loop.last %},{% endif %}
+{% endfor %}
+}
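Review bot: The host name on the third line is written between literal quotes with no JSON escaping, and the document is assembled by hand around per-host `to_nice_json` output, so the file is only valid if every inventory name is free of quotes and backslashes. Emitting the key through the filter keeps the output parseable regardless of the name: `{{ host | to_json }}: {{ hostvars[host].check_results.check_results | to_nice_json(indent=2) }}`. `hostvars[host].check_results` is also dereferenced for every entry in `play_hosts`, so a host where the check task did not register a result would presumably break the render; a guard for that case may be worth adding.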