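---
#
# PCF Documentation: https://docs.pivotal.io/pivotalcf/security/pcf-infrastructure/api-cert-rotation.html
#
# Weekly check for Ops Manager certificates that expire within
# EXPIRATION_TIME_FRAME. The check task writes its findings to the
# `expiring_certs` output; the notify task turns a non-empty result into a
# failed build, which in turn sends the on_failure e-mail.
#
resources:
  - name: time-trigger
    type: time
    source:
      interval: 168h # e.g. once a week

  - name: pcf-pipelines-utils
    type: git
    source:
      uri: https://github.com/pivotalservices/concourse-pipeline-samples.git
      # NOTE(review): no branch, tag or commit is pinned, so every run pulls
      # whatever the default branch currently holds for task.yml — pin one if
      # the task definition must be reproducible.

  - name: send-an-email
    type: email
    source:
      smtp:
        host: ((smtp_host)) # e.g. smtp.gmail.com
        port: "587" # this must be a string
        username: ((smtp_username))
        password: ((smtp_password))
      from: ((from_email_address))
      to: [ "[email protected]" ] # optional if `params.additional_recipient` is specified

jobs:
  - name: Monitor-Expiring-Certificates
    plan:
      - get: time-trigger
        trigger: true
      - get: pcf-pipelines-utils

      - task: check-expiring-certificates
        file: pcf-pipelines-utils/tasks/pcf/certificates/check-expiring-certificates/task.yml
        params:
          # ((var)) interpolation, matching the smtp credentials above. The
          # legacy {{var}} form this file used to mix in substitutes the raw
          # text without quoting and is deprecated by Concourse.
          OPSMAN_DOMAIN_OR_IP_ADDRESS: ((opsman_domain))
          OPSMAN_USERNAME: ((opsman_admin_username))
          OPSMAN_PASSWORD: ((opsman_admin_password))
          OPSMAN_CLIENT_ID: ((opsman_client_id))
          OPSMAN_CLIENT_SECRET: ((opsman_client_secret))
          EXPIRATION_TIME_FRAME: 3m # e.g. 10d, 2m, 3w, 1y

      - task: notify-of-expiring-certificates
        config:
          platform: linux
          image_resource:
            type: docker-image
            source:
              repository: czero/rootfs
              # NOTE(review): untagged image — pin a tag or digest so the
              # tools used by the script (bash, jq) do not change under us.
          inputs:
            - name: expiring_certs
          run:
            path: bash
            args:
              - -ec
              - |
                # Per-category counts of expiring certificates, read from the
                # files the check-expiring-certificates task left in
                # ./expiring_certs. jq reads each file directly: with `-e` a
                # missing or unreadable file aborts the task, whereas the old
                # `cat file | jq` pipeline only reported jq's exit status and
                # turned a missing file into an empty (i.e. zero) count.
                number_of_exp_conf_certs=$(jq -r '. | length' ./expiring_certs/expiring_configurable_certs.json)
                number_of_exp_non_conf_certs=$(jq -r '. | length' ./expiring_certs/expiring_non_configurable_certs.json)
                number_of_exp_ca_certs=$(jq -r '. | length' ./expiring_certs/expiring_ca_certs.json)

                # The PEM outputs carry no count; a non-empty file is treated
                # as one expiring certificate.
                number_of_exp_dir_trusted_cert=0
                if [[ -s ./expiring_certs/expiring_director_trusted_certs.pem ]]; then
                  number_of_exp_dir_trusted_cert=1
                fi
                number_of_exp_root_cert=0
                if [[ -s ./expiring_certs/expiring_root_cert.pem ]]; then
                  number_of_exp_root_cert=1
                fi

                # -gt is a numeric comparison; a bare `>` inside [[ ]] compares
                # strings lexicographically.
                # Configurable certs
                if [[ ${number_of_exp_conf_certs} -gt 0 ]]; then
                  echo "Configurable certificate(s) expiring. See PCF documentation for more information on how to rotate them:"
                  echo "https://docs.pivotal.io/pivotalcf/security/pcf-infrastructure/api-cert-rotation.html#rotate-config"
                fi
                # Non-Configurable certs
                if [[ ${number_of_exp_non_conf_certs} -gt 0 ]]; then
                  echo "Non-Configurable certificate(s) expiring. See PCF documentation for more information on how to rotate them:"
                  echo "https://docs.pivotal.io/pivotalcf/security/pcf-infrastructure/api-cert-rotation.html#rotate-non-config"
                fi
                # CA certs
                if [[ ${number_of_exp_ca_certs} -gt 0 ]]; then
                  echo "CA certificate(s) expiring. See PCF documentation for more information on how to rotate them:"
                  echo "https://docs.pivotal.io/pivotalcf/security/pcf-infrastructure/api-cert-rotation.html#rotate-ca"
                fi
                # Director Trusted certs
                if [[ ${number_of_exp_dir_trusted_cert} -gt 0 ]]; then
                  echo "Director Trusted certificate(s) expiring. See PCF documentation for more information on how to rotate them:"
                  echo "https://docs.pivotal.io/pivotalcf/customizing/trusted-certificates.html"
                fi
                # Ops Mgr root certs
                if [[ ${number_of_exp_root_cert} -gt 0 ]]; then
                  echo "Ops Mgr root certificate expiring. See PCF documentation for more information on how to rotate it:"
                  echo "https://docs.pivotal.io/pivotalcf/security/pcf-infrastructure/api-cert-rotation.html#rotate-root"
                fi

                # Any expiring certificate fails the task; that failure is what
                # triggers the on_failure e-mail below.
                total_number_of_exp_certs=$(( number_of_exp_conf_certs + number_of_exp_non_conf_certs + number_of_exp_ca_certs + number_of_exp_root_cert + number_of_exp_dir_trusted_cert ))
                if (( total_number_of_exp_certs > 0 )); then
                  exit 1
                else
                  echo "No expiring certificates found."
                fi

        # Fires on any failure of the notify task, including errors unrelated
        # to certificates (e.g. a missing input file), so recipients should
        # confirm the cause in the linked build log.
        on_failure:
          put: send-an-email
          params:
            subject_text: "Action required - PCF certificates are about to expire."
            body_text: "PCF certificates are about to expire, see list from ${ATC_EXTERNAL_URL}/teams/main/pipelines/${BUILD_PIPELINE_NAME}/jobs/${BUILD_JOB_NAME}/builds/${BUILD_NAME}. For more information: https://docs.pivotal.io/pivotalcf/security/pcf-infrastructure/api-cert-rotation.html"

resource_types:
  - name: email
    type: docker-image
    source:
      repository: pcfseceng/email-resource
      # NOTE(review): untagged image that receives the SMTP credentials —
      # pin a tag or digest so a pushed image change cannot silently alter
      # what handles them.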