diff options
| author | Tim Bielawa <tbielawa@redhat.com> | 2016-10-06 10:01:48 -0700 |
|---|---|---|
| committer | Tim Bielawa <tbielawa@redhat.com> | 2016-10-20 07:49:40 -0700 |
| commit | 4273b21105dd11f52de354b4777d33e4296ba7e0 (patch) | |
| tree | bc8cdda1e6147e2b0020feb3544217ab5422a464 | |
| parent | 5f7f6a6023c470337f0d879f55eb619fd63e2dbe (diff) | |
| download | openshift-4273b21105dd11f52de354b4777d33e4296ba7e0.tar.gz openshift-4273b21105dd11f52de354b4777d33e4296ba7e0.tar.bz2 openshift-4273b21105dd11f52de354b4777d33e4296ba7e0.tar.xz openshift-4273b21105dd11f52de354b4777d33e4296ba7e0.zip | |
Get router/registry certs. Collect common names and subjectAltNames
| -rw-r--r-- | library/openshift_cert_expiry.py | 167 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 | 66 |
2 files changed, 186 insertions, 47 deletions
diff --git a/library/openshift_cert_expiry.py b/library/openshift_cert_expiry.py index 4e66de755..f18ab75d0 100644 --- a/library/openshift_cert_expiry.py +++ b/library/openshift_cert_expiry.py @@ -4,6 +4,8 @@ """For details on this module see DOCUMENTATION (below)""" +# router/registry cert grabbing +import subprocess # etcd config file import ConfigParser # Expiration parsing @@ -15,7 +17,6 @@ import yaml # Certificate loading import OpenSSL.crypto - DOCUMENTATION = ''' --- module: openshift_cert_expiry @@ -126,8 +127,59 @@ A 3-tuple of the form: (certificate_common_name, certificate_expiry_date, certif cert_loaded = OpenSSL.crypto.load_certificate( OpenSSL.crypto.FILETYPE_PEM, _cert_string) + ###################################################################### + # Read just the first name from the cert - DISABLED while testing + # out the 'get all possible names' function (below) + # # Strip the subject down to just the value of the first name - cert_subject = cert_loaded.get_subject().get_components()[0][1] + # cert_subject = cert_loaded.get_subject().get_components()[0][1] + + ###################################################################### + # Read all possible names from the cert + cert_subjects = [] + for name, value in cert_loaded.get_subject().get_components(): + cert_subjects.append('{}:{}'.format(name, value)) + + # To read SANs from a cert we must read the subjectAltName + # extension from the X509 Object. What makes this more difficult + # is that pyOpenSSL does not give extensions as a list, nor does + # it provide a count of all loaded extensions. + # + # Rather, extensions are REQUESTED by index. We must iterate over + # all extensions until we find the one called 'subjectAltName'. If + # we don't find that extension we'll eventually request an + # extension at an index where no extension exists (IndexError is + # raised). When that happens we know that the cert has no SANs so + # we break out of the loop. + i = 0 + checked_all_extensions = False + while not checked_all_extensions: + try: + # Read the extension at index 'i' + ext = cert_loaded.get_extension(i) + except IndexError: + # We tried to read an extension but it isn't there, that + # means we ran out of extensions to check. Abort + san = None + checked_all_extensions = True + else: + # We were able to load the extension at index 'i' + if ext.get_short_name() == 'subjectAltName': + san = ext + checked_all_extensions = True + else: + # Try reading the next extension + i += 1 + + if san is not None: + # The X509Extension object for subjectAltName prints as a + # string with the alt names separated by a comma and a + # space. Split the string by ', ' and then add our new names + # to the list of existing names + cert_subjects.extend(str(san).split(', ')) + + cert_subject = ', '.join(cert_subjects) + ###################################################################### # Grab the expiration date cert_expiry = cert_loaded.get_notAfter() @@ -174,7 +226,7 @@ Return: return cert_list -def tabulate_summary(certificates, kubeconfigs, etcd_certs): +def tabulate_summary(certificates, kubeconfigs, etcd_certs, router_certs, registry_certs): """Calculate the summary text for when the module finishes running. This includes counds of each classification and what have you. @@ -190,12 +242,14 @@ Return: - `summary_results` (dict) - Counts of each cert type classification and total items examined. """ - items = certificates + kubeconfigs + etcd_certs + items = certificates + kubeconfigs + etcd_certs + router_certs + registry_certs summary_results = { 'system_certificates': len(certificates), 'kubeconfig_certificates': len(kubeconfigs), 'etcd_certificates': len(etcd_certs), + 'router_certs': len(router_certs), + 'registry_certs': len(registry_certs), 'total': len(items), 'ok': 0, 'warning': 0, @@ -213,7 +267,7 @@ Return: # This is our module MAIN function after all, so there's bound to be a # lot of code bundled up into one block # -# pylint: disable=too-many-locals,too-many-locals,too-many-statements +# pylint: disable=too-many-locals,too-many-locals,too-many-statements,too-many-branches def main(): """This module examines certificates (in various forms) which compose an OpenShift Container Platform cluster @@ -250,21 +304,19 @@ an OpenShift Container Platform cluster openshift_node_config_path, ] - # Paths for Kubeconfigs. Additional kubeconfigs are conditionally checked later in the code - kubeconfig_paths = [ - os.path.normpath( - os.path.join(openshift_base_config_path, "master/admin.kubeconfig") - ), - os.path.normpath( - os.path.join(openshift_base_config_path, "master/openshift-master.kubeconfig") - ), - os.path.normpath( - os.path.join(openshift_base_config_path, "master/openshift-node.kubeconfig") - ), - os.path.normpath( - os.path.join(openshift_base_config_path, "master/openshift-router.kubeconfig") - ), - ] + # Paths for Kubeconfigs. Additional kubeconfigs are conditionally + # checked later in the code + master_kube_configs = ['admin', 'openshift-master', + 'openshift-node', 'openshift-router', + 'openshift-registry'] + + kubeconfig_paths = [] + for m_kube_config in master_kube_configs: + kubeconfig_paths.append( + os.path.normpath( + os.path.join(openshift_base_config_path, "master/%s.kubeconfig" % m_kube_config) + ) + ) # etcd, where do you hide your certs? Used when parsing etcd.conf etcd_cert_params = [ @@ -460,7 +512,80 @@ an OpenShift Container Platform cluster # /Check etcd certs ###################################################################### - res = tabulate_summary(ocp_certs, kubeconfigs, etcd_certs) + ###################################################################### + # Check router/registry certs + # + # These are saved as secrets in etcd. That means that we can not + # simply read a file to grab the data. Instead we're going to + # subprocess out to the 'oc get' command. On non-masters this + # command will fail, that is expected so we catch that exception. + ###################################################################### + router_certs = [] + registry_certs = [] + + ###################################################################### + # First the router certs + try: + router_secrets_raw = subprocess.Popen('oc get secret router-certs -o yaml'.split(), + stdout=subprocess.PIPE) + router_ds = yaml.load(router_secrets_raw.communicate()[0]) + router_c = router_ds['data']['tls.crt'] + router_path = router_ds['metadata']['selfLink'] + except TypeError: + # YAML couldn't load the result, this is not a master + pass + else: + (cert_subject, + cert_expiry_date, + time_remaining) = load_and_handle_cert(router_c, now, base64decode=True) + + expire_check_result = { + 'cert_cn': cert_subject, + 'path': router_path, + 'expiry': cert_expiry_date, + 'days_remaining': time_remaining.days, + 'health': None, + } + + classify_cert(expire_check_result, now, time_remaining, expire_window, router_certs) + + check_results['router'] = router_certs + + ###################################################################### + # Now for registry + # registry_secrets = subprocess.call('oc get secret registry-certificates -o yaml'.split()) + # out = subprocess.PIPE + try: + registry_secrets_raw = subprocess.Popen('oc get secret registry-certificates -o yaml'.split(), + stdout=subprocess.PIPE) + registry_ds = yaml.load(registry_secrets_raw.communicate()[0]) + registry_c = registry_ds['data']['registry.crt'] + registry_path = registry_ds['metadata']['selfLink'] + except TypeError: + # YAML couldn't load the result, this is not a master + pass + else: + (cert_subject, + cert_expiry_date, + time_remaining) = load_and_handle_cert(registry_c, now, base64decode=True) + + expire_check_result = { + 'cert_cn': cert_subject, + 'path': registry_path, + 'expiry': cert_expiry_date, + 'days_remaining': time_remaining.days, + 'health': None, + } + + classify_cert(expire_check_result, now, time_remaining, expire_window, registry_certs) + + check_results['registry'] = registry_certs + + ###################################################################### + # /Check router/registry certs + ###################################################################### + + res = tabulate_summary(ocp_certs, kubeconfigs, etcd_certs, router_certs, registry_certs) msg = "Checked {count} total certificates. Expired/Warning/OK: {exp}/{warn}/{ok}. Warning window: {window} days".format( count=res['total'], diff --git a/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 b/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 index da7844c37..f74d7f1ce 100644 --- a/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 +++ b/playbooks/common/openshift-cluster/templates/cert-expiry-table.html.j2 @@ -3,7 +3,7 @@ <head> <meta charset="UTF-8" /> <title>OCP Certificate Expiry Report</title> - {# For fancy icons #} + {# For fancy icons and a pleasing font #} <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" /> <link href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,700" rel="stylesheet" /> <style type="text/css"> @@ -12,6 +12,7 @@ margin-left: 50px; margin-right: 50px; margin-bottom: 20px; + padding-top: 70px; } table { border-collapse: collapse; @@ -37,62 +38,75 @@ </style> </head> <body> - <center><h1>OCP Certificate Expiry Report</h1></center> - - <hr /> + <nav class="navbar navbar-default navbar-fixed-top"> + <div class="container-fluid"> + <div class="navbar-header"> + <a class="navbar-brand" href="#">OCP Certificate Expiry Report</a> + </div> + <div class="collapse navbar-collapse"> + <p class="navbar-text navbar-right"> + <a href="https://docs.openshift.com/container-platform/latest/install_config/redeploying_certificates.html" + target="_blank" + class="navbar-link"> + <i class="glyphicon glyphicon-book"></i> Redeploying Certificates + </a> + </p> + </div> + </div> + </nav> {# Each host has a header and table to itself #} {% for host in play_hosts %} <h1>{{ host }}</h1> <p> - {{ hostvars[host].check_results.msg }} + {{ hostvars[host].check_results.msg }} </p> <ul> - <li><b>Expirations checked at:</b> {{ hostvars[host].check_results.check_results.meta.checked_at_time }}</li> - <li><b>Warn after date:</b> {{ hostvars[host].check_results.check_results.meta.warn_after_date }}</li> + <li><b>Expirations checked at:</b> {{ hostvars[host].check_results.check_results.meta.checked_at_time }}</li> + <li><b>Warn after date:</b> {{ hostvars[host].check_results.check_results.meta.warn_after_date }}</li> </ul> <table border="1" width="100%"> {# These are hard-coded right now, but should be grabbed dynamically from the registered results #} - {%- for kind in ['ocp_certs', 'etcd', 'kubeconfigs'] -%} + {%- for kind in ['ocp_certs', 'etcd', 'kubeconfigs', 'router', 'registry'] -%} <tr> <th colspan="6" style="text-align:center"><h2 class="cert-kind">{{ kind }}</h2></th> </tr> <tr> - <th> </th> - <th>Certificate Common Name</th> + <th> </th> + <th style="width:33%">Certificate Common/Alt Name(s)</th> <th>Health</th> <th>Days Remaining</th> <th>Expiration Date</th> <th>Path</th> </tr> - {# A row for each certificate examined #} + {# A row for each certificate examined #} {%- for v in hostvars[host].check_results.check_results[kind] -%} - {# Let's add some flair and show status visually with fancy icons #} - {% if v.health == 'ok' %} - {% set health_icon = 'glyphicon glyphicon-ok' %} - {% elif v.health == 'warning' %} - {% set health_icon = 'glyphicon glyphicon-alert' %} - {% else %} - {% set health_icon = 'glyphicon glyphicon-remove' %} - {% endif %} + {# Let's add some flair and show status visually with fancy icons #} + {% if v.health == 'ok' %} + {% set health_icon = 'glyphicon glyphicon-ok' %} + {% elif v.health == 'warning' %} + {% set health_icon = 'glyphicon glyphicon-alert' %} + {% else %} + {% set health_icon = 'glyphicon glyphicon-remove' %} + {% endif %} - <tr class="{{ loop.cycle('odd', 'even') }}"> - <td style="text-align:center"><i class="{{ health_icon }}"></i></td> - <td>{{ v.cert_cn }}</td> + <tr class="{{ loop.cycle('odd', 'even') }}"> + <td style="text-align:center"><i class="{{ health_icon }}"></i></td> + <td style="width:33%">{{ v.cert_cn }}</td> <td>{{ v.health }}</td> <td>{{ v.days_remaining }}</td> <td>{{ v.expiry }}</td> <td>{{ v.path }}</td> </tr> {% endfor %} - {# end row generation per cert of this type #} + {# end row generation per cert of this type #} {% endfor %} - {# end generation for each kind of cert block #} + {# end generation for each kind of cert block #} </table> <hr /> {% endfor %} @@ -100,10 +114,10 @@ <footer> <p> - Expiration report generated by <a href="https://github.com/openshift/openshift-ansible" target="_blank">openshift-ansible</a> + Expiration report generated by <a href="https://github.com/openshift/openshift-ansible" target="_blank">openshift-ansible</a> </p> <p> - Status icons from bootstrap/glyphicon + Status icons from bootstrap/glyphicon </p> </footer> </body> |