| author | Tim Bielawa <tbielawa@redhat.com> | 2016-11-18 10:39:31 -0800 | 
|---|---|---|
| committer | Tim Bielawa <tbielawa@redhat.com> | 2016-12-15 10:45:15 -0800 | 
| commit | f9731780168e117e20471069f32a89056ac07d45 (patch) | |
| tree | 3c3713e427aa3652e02da338edf71ccd6cf6fea9 /roles | |
| parent | 4bde8aa816fdca2aafe7626468e211c426caa7b9 (diff) | |
Check embedded etcd certs now, too
* Addresses RFE in
    https://bugzilla.redhat.com/show_bug.cgi?id=1389264
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/openshift_certificate_expiry/library/openshift_cert_expiry.py | 48 | 
1 files changed, 44 insertions, 4 deletions
| diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index d467d0cc8..1fac284f2 100644
--- a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
@@ -246,8 +246,7 @@ Return:
         'total': len(items),
         'ok': 0,
         'warning': 0,
-        'expired': 0,
-        'total': len(items)
+        'expired': 0
     }
     summary_results['expired'] = len([c for c in items if c['health'] == 'expired'])
@@ -468,7 +467,11 @@ an OpenShift Container Platform cluster
     ######################################################################
     # Check etcd certs
+    #
+    # Two things to check: 'external' etcd, and embedded etcd.
     ######################################################################
+    # FIRST: The 'external' etcd
+    #
     # Some values may be duplicated, make this a set for now so we
     # unique them all
     etcd_certs_to_check = set([])
@@ -507,6 +510,43 @@ an OpenShift Container Platform cluster
             classify_cert(expire_check_result, now, time_remaining, expire_window, etcd_certs)
     ######################################################################
+    # Now the embedded etcd
+    ######################################################################
+    try:
+        with open('/etc/origin/master/master-config.yaml', 'r') as fp:
+            cfg = yaml.load(fp)
+    except IOError:
+        # Not present
+        pass
+    else:
+        if cfg.get('etcdConfig', {}).get('servingInfo', {}).get('certFile', None) is not None:
+            # This is embedded
+            etcd_crt_name = cfg['etcdConfig']['servingInfo']['certFile']
+        else:
+            # Not embedded
+            etcd_crt_name = None
+
+        if etcd_crt_name is not None:
+            # etcd_crt_name is relative to the location of the
+            # master-config.yaml file
+            cfg_path = os.path.dirname(fp.name)
+            etcd_cert = os.path.join(cfg_path, etcd_crt_name)
+            with open(etcd_cert, 'r') as etcd_fp:
+                (cert_subject,
+                 cert_expiry_date,
+                 time_remaining) = load_and_handle_cert(etcd_fp.read(), now)
+
+                expire_check_result = {
+                    'cert_cn': cert_subject,
+                    'path': etcd_fp.name,
+                    'expiry': cert_expiry_date,
+                    'days_remaining': time_remaining.days,
+                    'health': None,
+                }
+
+                classify_cert(expire_check_result, now, time_remaining, expire_window, etcd_certs)
+
+    ######################################################################
     # /Check etcd certs
     ######################################################################
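Review bot: The new master-config parse calls `yaml.load(fp)` with no Loader, which in the PyYAML of this era constructs arbitrary Python objects from tags in the document; a config file only needs plain mappings, so `cfg = yaml.safe_load(fp)` is the right call (the existing `yaml.load(...)` calls on `oc get` output in the router and registry hunks would benefit from the same change). Separately, the `except IOError` guards only the master-config open: the later `with open(etcd_cert, 'r') as etcd_fp:` is unguarded, so a `certFile` that points at a missing or unreadable path aborts the whole module instead of being recorded like the other etcd certs, and an empty master-config (`cfg` is `None`) would likewise fail on `cfg.get(...)`. Wrapping the second open in its own `try`/`except IOError` and guarding with `if cfg and ...` keeps the check best-effort. `fp.name` is read after the `with` block has already closed `fp`; that works, but hoisting the path into a local such as `master_cfg = '/etc/origin/master/master-config.yaml'` and using it for both the open and `os.path.dirname` reads more clearly. The enclosing function starts and ends outside the hunk.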
@@ -524,7 +564,7 @@ an OpenShift Container Platform cluster
     ######################################################################
     # First the router certs
     try:
-        router_secrets_raw = subprocess.Popen('oc get secret router-certs -o yaml'.split(),
+        router_secrets_raw = subprocess.Popen('oc get -n default secret router-certs -o yaml'.split(),
                                               stdout=subprocess.PIPE)
         router_ds = yaml.load(router_secrets_raw.communicate()[0])
         router_c = router_ds['data']['tls.crt']
@@ -553,7 +593,7 @@ an OpenShift Container Platform cluster
     ######################################################################
     # Now for registry
     try:
-        registry_secrets_raw = subprocess.Popen('oc get secret registry-certificates -o yaml'.split(),
+        registry_secrets_raw = subprocess.Popen('oc get -n default secret registry-certificates -o yaml'.split(),
                                                 stdout=subprocess.PIPE)
         registry_ds = yaml.load(registry_secrets_raw.communicate()[0])
         registry_c = registry_ds['data']['registry.crt'] |
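Review bot: The namespace is now hard-coded as `-n default` inside two separate command strings (this hunk and the registry hunk that follows), with nothing saying why that project is queried; a single module-level constant (for example `SECRETS_NAMESPACE = 'default'`, name constructed here) interpolated into both commands would keep them in step. A one-line comment above the first call, such as `# router/registry secrets are looked up in the 'default' project rather than the caller's current context`, would record the intent — presumably the module must not depend on whatever project `oc` is currently pointed at, but that is inferred, not shown here. The `try:` opened in each hunk and the enclosing function both continue outside the hunk.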
