Introducing subcommand `cluster check-certificate-expiration`

This command runs through the cluster and reports expirable entities Reference:- https://hackmd.io/aGaz7YXSSHybGcyol8vYEw Previous work:- https://review.opendev.org/#/c/755291/ Below is the complete ordered flow of PS for the feature: https://review.opendev.org/#/c/760498/ - Cobra command https://review.opendev.org/#/c/760501/ - Command Objects https://review.opendev.org/#/c/760504/ - TLS check https://review.opendev.org/#/c/760517/ - Kubeconf check https://review.opendev.org/#/c/760532/ - Node check https://review.opendev.org/#/c/760537/ - Combined Unit tests Change-Id: I7e20a6d3821877e16a5bc2cb8de3dd3c8b7850e2 Relates-To: #391
2020-10-30 05:42:46 +00:00 · 2020-10-30 05:42:46 +00:00 · 260d6905a4
parent c86bbeaed9
commit 260d6905a4
7 changed files with 220 additions and 5 deletions
--- a/cmd/cluster/checkexpiration/checkexpiration.go
+++ b/cmd/cluster/checkexpiration/checkexpiration.go
@ -0,0 +1,82 @@
+/*
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package checkexpiration
+
+import (
+	"github.com/spf13/cobra"
+
+	"opendev.org/airship/airshipctl/pkg/config"
+	"opendev.org/airship/airshipctl/pkg/errors"
+	"opendev.org/airship/airshipctl/pkg/log"
+)
+
+const (
+	checkLong = `
+Displays a list of certificate expirations from both the management and
+workload clusters, or in a self-managed cluster. Checks for TLS Secrets,
+kubeconf secrets (which gets created while creating the workload cluster) and
+also the node certificates present inside /etc/kubernetes/pki directory for
+each node`
+
+	checkExample = `
+# To display all the expiring entities in the cluster
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To display the entities whose expiration is within threshold of 30 days
+airshipctl cluster check-certificate-expiration -t 30 --kubeconfig testconfig
+
+# To output the contents to json (default operation)
+airshipctl cluster check-certificate-expiration -o json --kubeconfig testconfig
+or
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To output the contents to yaml
+airshipctl cluster check-certificate-expiration -o yaml --kubeconfig testconfig
+
+# To output the contents whose expiration is within 30 days to yaml
+airshipctl cluster check-certificate-expiration -t 30 -o yaml --kubeconfig testconfig
+`
+
+	kubeconfigFlag = "kubeconfig"
+)
+
+// NewCheckCommand creates a new command for generating secret information
+func NewCheckCommand(cfgFactory config.Factory) *cobra.Command {
+	var threshold int
+	var contentType, kubeconfig string
+	checkCmd := &cobra.Command{
+		Use:     "check-certificate-expiration",
+		Short:   "Check for expiring TLS certificates, secrets and kubeconfigs in the kubernetes cluster",
+		Long:    checkLong[1:],
+		Example: checkExample,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return errors.ErrNotImplemented{What: "check certificate expiration"}
+		},
+	}
+
+	checkCmd.Flags().IntVarP(&threshold, "threshold", "t", -1,
+		"The max expiration threshold in days before a certificate is"+
+			" expiring. Displays all the certificates by default")
+	checkCmd.Flags().StringVarP(&contentType, "output", "o", "json", "Convert "+
+		"output to yaml or json")
+	checkCmd.Flags().StringVar(&kubeconfig, kubeconfigFlag, "",
+		"Path to kubeconfig associated with cluster being managed")
+
+	err := checkCmd.MarkFlagRequired(kubeconfigFlag)
+	if err != nil {
+		log.Fatalf("marking kubeconfig flag required failed: %v", err)
+	}
+	return checkCmd
+}
--- a/cmd/cluster/checkexpiration/checkexpiration_test.go
+++ b/cmd/cluster/checkexpiration/checkexpiration_test.go
@ -0,0 +1,36 @@
+/*
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package checkexpiration_test
+
+import (
+	"testing"
+
+	"opendev.org/airship/airshipctl/cmd/cluster/checkexpiration"
+	"opendev.org/airship/airshipctl/testutil"
+)
+
+func TestCheckExpiration(t *testing.T) {
+	cmdTests := []*testutil.CmdTest{
+		{
+			Name:    "check-expiration-with-help",
+			CmdLine: "--help",
+			Cmd:     checkexpiration.NewCheckCommand(nil),
+		},
+	}
+
+	for _, tt := range cmdTests {
+		testutil.RunTest(t, tt)
+	}
+}
--- a/cmd/cluster/checkexpiration/testdata/TestCheckExpirationGoldenOutput/check-expiration-with-help.golden
+++ b/cmd/cluster/checkexpiration/testdata/TestCheckExpirationGoldenOutput/check-expiration-with-help.golden
@ -0,0 +1,34 @@
+Displays a list of certificate expirations from both the management and
+workload clusters, or in a self-managed cluster. Checks for TLS Secrets,
+kubeconf secrets (which gets created while creating the workload cluster) and
+also the node certificates present inside /etc/kubernetes/pki directory for
+each node
+
+Usage:
+  check-certificate-expiration [flags]
+
+Examples:
+
+# To display all the expiring entities in the cluster
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To display the entities whose expiration is within threshold of 30 days
+airshipctl cluster check-certificate-expiration -t 30 --kubeconfig testconfig
+
+# To output the contents to json (default operation)
+airshipctl cluster check-certificate-expiration -o json --kubeconfig testconfig
+or
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To output the contents to yaml
+airshipctl cluster check-certificate-expiration -o yaml --kubeconfig testconfig
+
+# To output the contents whose expiration is within 30 days to yaml
+airshipctl cluster check-certificate-expiration -t 30 -o yaml --kubeconfig testconfig
+
+
+Flags:
+  -h, --help                help for check-certificate-expiration
+      --kubeconfig string   Path to kubeconfig associated with cluster being managed
+  -o, --output string       Convert output to yaml or json (default "json")
+  -t, --threshold int       The max expiration threshold in days before a certificate is expiring. Displays all the certificates by default (default -1)
--- a/cmd/cluster/cluster.go
+++ b/cmd/cluster/cluster.go
@ -17,6 +17,7 @@ package cluster
 import (
 	"github.com/spf13/cobra"

+	"opendev.org/airship/airshipctl/cmd/cluster/checkexpiration"
 	"opendev.org/airship/airshipctl/cmd/cluster/resetsatoken"
 	"opendev.org/airship/airshipctl/pkg/config"
 )
@ -41,6 +42,7 @@ func NewClusterCommand(cfgFactory config.Factory) *cobra.Command {
 	clusterRootCmd.AddCommand(NewMoveCommand(cfgFactory))
 	clusterRootCmd.AddCommand(NewStatusCommand(cfgFactory))
 	clusterRootCmd.AddCommand(resetsatoken.NewResetCommand(cfgFactory))
+	clusterRootCmd.AddCommand(checkexpiration.NewCheckCommand(cfgFactory))

 	return clusterRootCmd
 }
--- a/cmd/cluster/testdata/TestNewClusterCommandGoldenOutput/cluster-cmd-with-help.golden
+++ b/cmd/cluster/testdata/TestNewClusterCommandGoldenOutput/cluster-cmd-with-help.golden
@ -5,11 +5,12 @@ Usage:
  cluster [command]

 Available Commands:
-  help            Help about any command
-  init            Deploy cluster-api provider components
-  move            Move Cluster API objects, provider specific objects and all dependencies to the target cluster
-  rotate-sa-token Rotate tokens of Service Accounts
-  status          Retrieve statuses of deployed cluster components
+  check-certificate-expiration Check for expiring TLS certificates, secrets and kubeconfigs in the kubernetes cluster
+  help                         Help about any command
+  init                         Deploy cluster-api provider components
+  move                         Move Cluster API objects, provider specific objects and all dependencies to the target cluster
+  rotate-sa-token              Rotate tokens of Service Accounts
+  status                       Retrieve statuses of deployed cluster components

 Flags:
  -h, --help   help for cluster
--- a/docs/source/cli/airshipctl_cluster.md
+++ b/docs/source/cli/airshipctl_cluster.md
@ -24,6 +24,7 @@ such as getting status and deploying initial infrastructure.
 ### SEE ALSO

 * [airshipctl](airshipctl.md)	 - A unified entrypoint to various airship components
+* [airshipctl cluster check-certificate-expiration](airshipctl_cluster_check-certificate-expiration.md)	 - Check for expiring TLS certificates, secrets and kubeconfigs in the kubernetes cluster
 * [airshipctl cluster init](airshipctl_cluster_init.md)	 - Deploy cluster-api provider components
 * [airshipctl cluster move](airshipctl_cluster_move.md)	 - Move Cluster API objects, provider specific objects and all dependencies to the target cluster
 * [airshipctl cluster rotate-sa-token](airshipctl_cluster_rotate-sa-token.md)	 - Rotate tokens of Service Accounts
--- a/docs/source/cli/airshipctl_cluster_check-certificate-expiration.md
+++ b/docs/source/cli/airshipctl_cluster_check-certificate-expiration.md
@ -0,0 +1,59 @@
+## airshipctl cluster check-certificate-expiration
+
+Check for expiring TLS certificates, secrets and kubeconfigs in the kubernetes cluster
+
+### Synopsis
+
+Displays a list of certificate expirations from both the management and
+workload clusters, or in a self-managed cluster. Checks for TLS Secrets,
+kubeconf secrets (which gets created while creating the workload cluster) and
+also the node certificates present inside /etc/kubernetes/pki directory for
+each node
+
+```
+airshipctl cluster check-certificate-expiration [flags]
+```
+
+### Examples
+
+```
+
+# To display all the expiring entities in the cluster
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To display the entities whose expiration is within threshold of 30 days
+airshipctl cluster check-certificate-expiration -t 30 --kubeconfig testconfig
+
+# To output the contents to json (default operation)
+airshipctl cluster check-certificate-expiration -o json --kubeconfig testconfig
+or
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To output the contents to yaml
+airshipctl cluster check-certificate-expiration -o yaml --kubeconfig testconfig
+
+# To output the contents whose expiration is within 30 days to yaml
+airshipctl cluster check-certificate-expiration -t 30 -o yaml --kubeconfig testconfig
+
+```
+
+### Options
+
+```
+  -h, --help                help for check-certificate-expiration
+      --kubeconfig string   Path to kubeconfig associated with cluster being managed
+  -o, --output string       Convert output to yaml or json (default "json")
+  -t, --threshold int       The max expiration threshold in days before a certificate is expiring. Displays all the certificates by default (default -1)
+```
+
+### Options inherited from parent commands
+
+```
+      --airshipconf string   Path to file for airshipctl configuration. (default "$HOME/.airship/config")
+      --debug                enable verbose output
+```
+
+### SEE ALSO
+
+* [airshipctl cluster](airshipctl_cluster.md)	 - Manage Kubernetes clusters
+