Skip to content

[tools] Add d8 tools pki certs check for control-plane certificate expiration inspection#355

Merged
ldmonster merged 8 commits into
mainfrom
feature/tools-pki-certs-check
May 21, 2026
Merged

[tools] Add d8 tools pki certs check for control-plane certificate expiration inspection#355
ldmonster merged 8 commits into
mainfrom
feature/tools-pki-certs-check

Conversation

@AmazinMax
Copy link
Copy Markdown
Contributor

@AmazinMax AmazinMax commented May 19, 2026
edited
Loading

Description

Add d8 tools pki certs check to deckhouse-cli to inspect local control-plane certificate expiration using the go_lib/controlplane expiration API from the companion PR deckhouse/deckhouse#19959.

  • registers a new tools -> pki -> certs -> check command tree in d8
  • supports full-scan mode for known control-plane PKI artifacts and kubeconfig client certificates
  • supports single-file inspection for both PEM certificates and kubeconfig files
  • renders kubeadm-like output with separate sections for leaf certificates and certificate authorities
  • adds --kubeconfig-dir for non-standard layouts; by default it resolves to the parent directory of --path
  • does not restart, reconfigure, or otherwise affect critical cluster components; it only adds a local inspection command to d8

Screenshots

Full scan

image

Single-file certificate

image

Single-file kubeconfig (client certificate)

image

@AmazinMax
add check expiration cp certificates command
2e6c4ff 
Signed-off-by: Maxim Mazin <maksim.mazin@flant.com>
@AmazinMax AmazinMax requested a review from ldmonster as a code owner May 19, 2026 11:15
@AmazinMax AmazinMax changed the title add check expiration cp certificates command [tools] Add d8 tools pki certs check for control-plane certificate expiration inspection May 19, 2026
@AmazinMax
chore linter
032c1d6 
Signed-off-by: Maxim Mazin <maksim.mazin@flant.com>
@AmazinMax AmazinMax mentioned this pull request May 19, 2026
Merged
4 tasks
@AmazinMax AmazinMax marked this pull request as draft May 20, 2026 08:31
@AmazinMax
remove externally managed column
14aa520 
Signed-off-by: Maxim Mazin <maksim.mazin@flant.com>
@AmazinMax AmazinMax marked this pull request as ready for review May 20, 2026 08:36
@AmazinMax AmazinMax marked this pull request as draft May 20, 2026 08:41
AmazinMax added 2 commits May 20, 2026 18:18
@AmazinMax
ignore erros on fullScanReport
72ca3b1 
Signed-off-by: Maxim Mazin <maksim.mazin@flant.com>
@AmazinMax
bump controlplane lib version
456624e 
Signed-off-by: Maxim Mazin <maksim.mazin@flant.com>
@AmazinMax AmazinMax marked this pull request as ready for review May 21, 2026 07:23
@ldmonster ldmonster requested a review from Copilot May 21, 2026 07:48
Copilot AI reviewed May 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new d8 tools pki certs check command subtree to deckhouse-cli to inspect local control-plane PKI and kubeconfig client certificate expiration dates using the github.com/deckhouse/deckhouse/go_lib/controlplane APIs (referenced from the companion Deckhouse PR).

Changes:

  • Registers a new tools -> pki -> certs -> check Cobra command tree in d8.
  • Implements full-scan and single-file inspection modes, rendering kubeadm-like tables for leaf certs and CAs.
  • Adds unit tests for report rendering and core formatting logic, and introduces the go_lib/controlplane dependency (with related dependency bumps).

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
internal/tools/tools.go Wires the new pki tools subtree into the existing d8 tools command.
internal/tools/pki/cmd/pki.go Introduces the tools pki command group.
internal/tools/pki/certs/cmd/certs.go Introduces the tools pki certs command group.
internal/tools/pki/certs/cmd/check.go Implements certs check CLI flags, modes, and user-facing help/errors.
internal/tools/pki/certs/certs.go Implements report building (full-scan + single-file) and kubeadm-like rendering.
internal/tools/pki/certs/certs_test.go Adds test coverage for formatting and report behavior.
go.mod Adds the controlplane library dependency and bumps several related modules.
go.sum Records checksum updates for newly added/bumped dependencies.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread internal/tools/tools.go Outdated
Comment thread internal/tools/pki/certs/cmd/check.go Outdated
Comment thread internal/tools/pki/certs/cmd/check.go Outdated
AmazinMax and others added 3 commits May 21, 2026 10:57
@AmazinMax
place subcommand in alphabetical import order
c982df6 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Maxim Mazin <maksim.mazin@flant.com>
@AmazinMax
prettify error message
cc24fd8 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Maxim Mazin <maksim.mazin@flant.com>
@AmazinMax
prettify error message [2]
33922ff 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Maxim Mazin <maksim.mazin@flant.com>
@ldmonster ldmonster added the enhancement New feature or request label May 21, 2026
@ldmonster ldmonster merged commit 9d9a6a7 into main May 21, 2026
5 checks passed
@ldmonster ldmonster deleted the feature/tools-pki-certs-check branch May 21, 2026 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ldmonster ldmonster ldmonster approved these changes

Assignees

@AmazinMax AmazinMax

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AmazinMax @ldmonster