diff --git a/cmd/cluster/checkexpiration/checkexpiration.go b/cmd/cluster/checkexpiration/checkexpiration.go
new file mode 100644
index 000000000..9f61d9a9f
--- /dev/null
+++ b/cmd/cluster/checkexpiration/checkexpiration.go
@@ -0,0 +1,82 @@
+/*
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package checkexpiration
+
+import (
+ "github.com/spf13/cobra"
+
+ "opendev.org/airship/airshipctl/pkg/config"
+ "opendev.org/airship/airshipctl/pkg/errors"
+ "opendev.org/airship/airshipctl/pkg/log"
+)
+
+const (
+ checkLong = `
+Displays a list of certificate expirations from both the management and
+workload clusters, or in a self-managed cluster. Checks for TLS Secrets,
+kubeconf secrets (which gets created while creating the workload cluster) and
+also the node certificates present inside /etc/kubernetes/pki directory for
+each node`
+
+ checkExample = `
+# To display all the expiring entities in the cluster
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To display the entities whose expiration is within threshold of 30 days
+airshipctl cluster check-certificate-expiration -t 30 --kubeconfig testconfig
+
+# To output the contents to json (default operation)
+airshipctl cluster check-certificate-expiration -o json --kubeconfig testconfig
+or
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To output the contents to yaml
+airshipctl cluster check-certificate-expiration -o yaml --kubeconfig testconfig
+
+# To output the contents whose expiration is within 30 days to yaml
+airshipctl cluster check-certificate-expiration -t 30 -o yaml --kubeconfig testconfig
+`
+
+ kubeconfigFlag = "kubeconfig"
+)
+
+// NewCheckCommand creates a new command for generating secret information
+func NewCheckCommand(cfgFactory config.Factory) *cobra.Command {
+ var threshold int
+ var contentType, kubeconfig string
+ checkCmd := &cobra.Command{
+ Use: "check-certificate-expiration",
+ Short: "Check for expiring TLS certificates, secrets and kubeconfigs in the kubernetes cluster",
+ Long: checkLong[1:],
+ Example: checkExample,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ return errors.ErrNotImplemented{What: "check certificate expiration"}
+ },
+ }
+
+ checkCmd.Flags().IntVarP(&threshold, "threshold", "t", -1,
+ "The max expiration threshold in days before a certificate is"+
+ " expiring. Displays all the certificates by default")
+ checkCmd.Flags().StringVarP(&contentType, "output", "o", "json", "Convert "+
+ "output to yaml or json")
+ checkCmd.Flags().StringVar(&kubeconfig, kubeconfigFlag, "",
+ "Path to kubeconfig associated with cluster being managed")
+
+ err := checkCmd.MarkFlagRequired(kubeconfigFlag)
+ if err != nil {
+ log.Fatalf("marking kubeconfig flag required failed: %v", err)
+ }
+ return checkCmd
+}
diff --git a/cmd/cluster/checkexpiration/checkexpiration_test.go b/cmd/cluster/checkexpiration/checkexpiration_test.go
new file mode 100644
index 000000000..0f53c1575
--- /dev/null
+++ b/cmd/cluster/checkexpiration/checkexpiration_test.go
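Review bot: The doc comment on `NewCheckCommand` says the command is for "generating secret information", which does not match what the command is declared to do; `// NewCheckCommand creates a new command for checking certificate expiration in the cluster` would be accurate. The `--threshold` and `--output` values are bound here, but nothing in the visible code rejects a negative threshold other than the `-1` default or an output format other than `json`/`yaml`, so when `RunE` is implemented it should validate both and return an error before contacting the cluster. Since the command is described as reading TLS and kubeconfig Secrets, it would also help for `checkLong` to state that only names and expiry dates are printed, assuming that is the intent.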
@@ -0,0 +1,36 @@
+/*
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package checkexpiration_test
+
+import (
+ "testing"
+
+ "opendev.org/airship/airshipctl/cmd/cluster/checkexpiration"
+ "opendev.org/airship/airshipctl/testutil"
+)
+
+func TestCheckExpiration(t *testing.T) {
+ cmdTests := []*testutil.CmdTest{
+ {
+ Name: "check-expiration-with-help",
+ CmdLine: "--help",
+ Cmd: checkexpiration.NewCheckCommand(nil),
+ },
+ }
+
+ for _, tt := range cmdTests {
+ testutil.RunTest(t, tt)
+ }
+}
diff --git a/cmd/cluster/checkexpiration/testdata/TestCheckExpirationGoldenOutput/check-expiration-with-help.golden b/cmd/cluster/checkexpiration/testdata/TestCheckExpirationGoldenOutput/check-expiration-with-help.golden
new file mode 100644
index 000000000..b56f7459c
--- /dev/null
+++ b/cmd/cluster/checkexpiration/testdata/TestCheckExpirationGoldenOutput/check-expiration-with-help.golden
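Review bot: `TestCheckExpiration` only exercises `--help`, so neither the required `--kubeconfig` flag nor the `ErrNotImplemented` return from `RunE` is covered. Two more cases would pin the current contract: one with an empty command line, expecting cobra's required-flag error, and one with `--kubeconfig testconfig`, expecting the not-implemented error. The constructor is called with a `nil` factory, which works while `RunE` ignores `cfgFactory` but will need a real or fake factory once it is used.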
@@ -0,0 +1,34 @@
+Displays a list of certificate expirations from both the management and
+workload clusters, or in a self-managed cluster. Checks for TLS Secrets,
+kubeconf secrets (which gets created while creating the workload cluster) and
+also the node certificates present inside /etc/kubernetes/pki directory for
+each node
+
+Usage:
+ check-certificate-expiration [flags]
+
+Examples:
+
+# To display all the expiring entities in the cluster
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To display the entities whose expiration is within threshold of 30 days
+airshipctl cluster check-certificate-expiration -t 30 --kubeconfig testconfig
+
+# To output the contents to json (default operation)
+airshipctl cluster check-certificate-expiration -o json --kubeconfig testconfig
+or
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To output the contents to yaml
+airshipctl cluster check-certificate-expiration -o yaml --kubeconfig testconfig
+
+# To output the contents whose expiration is within 30 days to yaml
+airshipctl cluster check-certificate-expiration -t 30 -o yaml --kubeconfig testconfig
+
+
+Flags:
+ -h, --help help for check-certificate-expiration
+ --kubeconfig string Path to kubeconfig associated with cluster being managed
+ -o, --output string Convert output to yaml or json (default "json")
+ -t, --threshold int The max expiration threshold in days before a certificate is expiring. Displays all the certificates by default (default -1)
diff --git a/cmd/cluster/cluster.go b/cmd/cluster/cluster.go
index 22e1be2bd..6633e8b77 100644
--- a/cmd/cluster/cluster.go
+++ b/cmd/cluster/cluster.go
@@ -17,6 +17,7 @@ package cluster import ( "github.com/spf13/cobra" + "opendev.org/airship/airshipctl/cmd/cluster/checkexpiration" "opendev.org/airship/airshipctl/cmd/cluster/resetsatoken" "opendev.org/airship/airshipctl/pkg/config" )
@@ -41,6 +42,7 @@ func NewClusterCommand(cfgFactory config.Factory) *cobra.Command { clusterRootCmd.AddCommand(NewMoveCommand(cfgFactory)) clusterRootCmd.AddCommand(NewStatusCommand(cfgFactory)) clusterRootCmd.AddCommand(resetsatoken.NewResetCommand(cfgFactory)) + clusterRootCmd.AddCommand(checkexpiration.NewCheckCommand(cfgFactory)) return clusterRootCmd }
diff --git a/cmd/cluster/testdata/TestNewClusterCommandGoldenOutput/cluster-cmd-with-help.golden b/cmd/cluster/testdata/TestNewClusterCommandGoldenOutput/cluster-cmd-with-help.golden
index f35d3d944..32190e478 100644
--- a/cmd/cluster/testdata/TestNewClusterCommandGoldenOutput/cluster-cmd-with-help.golden
+++ b/cmd/cluster/testdata/TestNewClusterCommandGoldenOutput/cluster-cmd-with-help.golden
@@ -5,11 +5,12 @@ Usage: cluster [command] Available Commands: - help Help about any command - init Deploy cluster-api provider components - move Move Cluster API objects, provider specific objects and all dependencies to the target cluster - rotate-sa-token Rotate tokens of Service Accounts - status Retrieve statuses of deployed cluster components + check-certificate-expiration Check for expiring TLS certificates, secrets and kubeconfigs in the kubernetes cluster + help Help about any command + init Deploy cluster-api provider components + move Move Cluster API objects, provider specific objects and all dependencies to the target cluster + rotate-sa-token Rotate tokens of Service Accounts + status Retrieve statuses of deployed cluster components Flags: -h, --help help for cluster
diff --git a/docs/source/cli/airshipctl_cluster.md b/docs/source/cli/airshipctl_cluster.md
index c88e70743..62d4c9641 100644
--- a/docs/source/cli/airshipctl_cluster.md
+++ b/docs/source/cli/airshipctl_cluster.md
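Review bot: `checkexpiration.NewCheckCommand` is registered on `clusterRootCmd` while its `RunE` (in checkexpiration.go) always returns `ErrNotImplemented`, so the command is listed in `cluster --help` and in the generated docs as if it worked. Until the implementation lands, consider setting `Hidden: true` on the command or saying in `Short` that it is not implemented yet, so that nobody schedules a certificate-expiry check that can only fail. `NewClusterCommand` starts outside this hunk.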
@@ -24,6 +24,7 @@ such as getting status and deploying initial infrastructure. ### SEE ALSO * [airshipctl](airshipctl.md) - A unified entrypoint to various airship components +* [airshipctl cluster check-certificate-expiration](airshipctl_cluster_check-certificate-expiration.md) - Check for expiring TLS certificates, secrets and kubeconfigs in the kubernetes cluster * [airshipctl cluster init](airshipctl_cluster_init.md) - Deploy cluster-api provider components * [airshipctl cluster move](airshipctl_cluster_move.md) - Move Cluster API objects, provider specific objects and all dependencies to the target cluster * [airshipctl cluster rotate-sa-token](airshipctl_cluster_rotate-sa-token.md) - Rotate tokens of Service Accounts
diff --git a/docs/source/cli/airshipctl_cluster_check-certificate-expiration.md b/docs/source/cli/airshipctl_cluster_check-certificate-expiration.md
new file mode 100644
index 000000000..0d1f22560
--- /dev/null
+++ b/docs/source/cli/airshipctl_cluster_check-certificate-expiration.md
@@ -0,0 +1,59 @@
+## airshipctl cluster check-certificate-expiration
+
+Check for expiring TLS certificates, secrets and kubeconfigs in the kubernetes cluster
+
+### Synopsis
+
+Displays a list of certificate expirations from both the management and
+workload clusters, or in a self-managed cluster. Checks for TLS Secrets,
+kubeconf secrets (which gets created while creating the workload cluster) and
+also the node certificates present inside /etc/kubernetes/pki directory for
+each node
+
+```
+airshipctl cluster check-certificate-expiration [flags]
+```
+
+### Examples
+
+```
+
+# To display all the expiring entities in the cluster
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To display the entities whose expiration is within threshold of 30 days
+airshipctl cluster check-certificate-expiration -t 30 --kubeconfig testconfig
+
+# To output the contents to json (default operation)
+airshipctl cluster check-certificate-expiration -o json --kubeconfig testconfig
+or
+airshipctl cluster check-certificate-expiration --kubeconfig testconfig
+
+# To output the contents to yaml
+airshipctl cluster check-certificate-expiration -o yaml --kubeconfig testconfig
+
+# To output the contents whose expiration is within 30 days to yaml
+airshipctl cluster check-certificate-expiration -t 30 -o yaml --kubeconfig testconfig
+
+```
+
+### Options
+
+```
+ -h, --help help for check-certificate-expiration
+ --kubeconfig string Path to kubeconfig associated with cluster being managed
+ -o, --output string Convert output to yaml or json (default "json")
+ -t, --threshold int The max expiration threshold in days before a certificate is expiring. Displays all the certificates by default (default -1)
+```
+
+### Options inherited from parent commands
+
+```
+ --airshipconf string Path to file for airshipctl configuration. (default "$HOME/.airship/config")
+ --debug enable verbose output
+```
+
+### SEE ALSO
+
+* [airshipctl cluster](airshipctl_cluster.md) - Manage Kubernetes clusters
+