Add rotation procedure to expiring-certificates
#583
Conversation
An upcoming version of Ops Manager 2.10 will start including two new fields with the `/api/v0/deployed/certificates` endpoint: rotation_procedure_name and rotation_procedure_url. These fields will be on every certificate returned, and represent the rotation procedure used to rotate that particular certificate.

The text output for the `om expiring-certificates` command has been reworked when this data is available to group certificates by procedure because in most cases, following a single procedure will rotate all certificates for that procedure at once; that is, instead of running that procedure once for each certificate separately.

The new output looks similar to the following:

```
Getting expiring certificates...
Found expiring certificates in the foundation:

One or more certificates will expire in 89 days. Please refer to the certificate rotation procedures below.
To optimize deployment time, please rotate expiring CA certificates prior to any leaf certificates.

Services TLS CA Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/advanced-certificate-rotation.html#services-rotation)
    credhub:
        /services/tls_ca: expiring on 28 Feb 23 13:57 UTC

Identity Provider SAML Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-saml-ca.html)
    cf-625e965c186c7b029061:
        .uaa.service_provider_key_credentials: expiring on 29 May 22 12:57 UTC

Standard CA Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-cas-and-leaf-certs.html)
    ops_manager:
        .properties.nats_client_ca.c8b520555b0bc0a9f9f7: expiring on 27 Feb 26 13:57 UTC
        .properties.root_ca.c8b520555b0bc0a9f9f7: expiring on 28 Feb 23 13:57 UTC
    cf-625e965c186c7b029061:
        /opsmgr/bosh_dns/tls_ca: expiring on 27 Feb 26 14:40 UTC
        /p-bosh/cf-625e965c186c7b029061/diego-instance-identity-intermediate-ca-2-7: expiring on 28 Feb 24 14:40 UTC
        /cf/diego-instance-identity-root-ca-2-6: expiring on 27 Feb 25 14:40 UTC

Standard Configurable Leaf Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-configurable-certs.html)
    cf-625e965c186c7b029061:
        .properties.networking_poe_ssl_certs[0].certificate: expiring on 29 May 22 12:57 UTC

Standard Non-Configurable Leaf Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-non-configurable-certs.html)
    p-bosh-38683bbbab412b152fad:
        .properties.director_ssl: expiring on 28 Feb 24 14:06 UTC
        .properties.uaa_ssl: expiring on 28 Feb 24 14:06 UTC
        ...
    cf-625e965c186c7b029061:
        .properties.auctioneer_client_cert: expiring on 28 Feb 24 14:06 UTC
        .properties.auctioneer_server_cert: expiring on 28 Feb 24 14:06 UTC
        ...

2022/02/28 14:47:46 found expiring certificates in the foundation
```

If the new API fields are blank, then it is assumed that `om` is targeted at an older version of Ops Manager and the previous output format is used instead.

[#181158588] Update om CLI to output rotation procedures

Signed-off-by: Brian Upton <bupton@vmware.com>
Signed-off-by: Camila Londoño <londonoc@vmware.com>
Signed-off-by: Long Nguyen <nguyenlo@vmware.com>
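The grouping and fallback the description sets out, as an added Go example that is not the om project's own code: certificates from `/api/v0/deployed/certificates` are bucketed by `rotation_procedure_name`/`rotation_procedure_url` so each procedure heads one section, and a blank field on any certificate switches back to the flat per-certificate listing. The `Certificate` field names other than the two new ones, and the sample certificate values in `main`, are assumptions constructed from the output quoted above.

```go
package main
import "fmt"

// Certificate: fields of one /api/v0/deployed/certificates entry; rotation_procedure_name/url are the PR's new fields, the other names are assumed.
type Certificate struct {
	ProductGUID, PropertyReference, ValidUntil, RotationProcedureName, RotationProcedureURL string
}

// HasProcedureData is the fallback check: any blank procedure field means an older Ops Manager, so the previous per-certificate output is used.
func HasProcedureData(certs []Certificate) bool {
	for _, c := range certs {
		if c.RotationProcedureName == "" || c.RotationProcedureURL == "" {
			return false
		}
	}
	return len(certs) > 0
}

// Render returns the report lines: one heading per procedure in first-seen order followed by every certificate it rotates, or the flat legacy listing.
func Render(certs []Certificate) (out []string) {
	if !HasProcedureData(certs) { // older Ops Manager: previous flat format
		for _, c := range certs {
			out = append(out, fmt.Sprintf("%s: %s: expiring on %s", c.ProductGUID, c.PropertyReference, c.ValidUntil))
		}
		return out
	}
	order, byProc := []string{}, map[string][]Certificate{}
	for _, c := range certs {
		key := c.RotationProcedureName + " (" + c.RotationProcedureURL + ")"
		if _, seen := byProc[key]; !seen {
			order = append(order, key)
		}
		byProc[key] = append(byProc[key], c)
	}
	for _, key := range order {
		out = append(out, key)
		for _, c := range byProc[key] {
			out = append(out, fmt.Sprintf("  %s: %s: expiring on %s", c.ProductGUID, c.PropertyReference, c.ValidUntil))
		}
	}
	return out
}

func main() { // constructed sample: two certificates share one procedure, so it heads one section
	url := "https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-cas-and-leaf-certs.html"
	for _, line := range Render([]Certificate{{"ops_manager", ".properties.root_ca", "28 Feb 23 13:57 UTC", "Standard CA Procedure", url},
		{"cf-625e965c186c7b029061", "/opsmgr/bosh_dns/tls_ca", "27 Feb 26 14:40 UTC", "Standard CA Procedure", url}}) {
		fmt.Println(line)
	}
}
```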
We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story. The labels on this github issue will be updated when the story is started.

The corresponding changes to the Ops Manager API are available here: https://github.com/pivotal-cf/ops-manager/pull/425 We applied that change as a patch to a Toolsmith TAS environment, then built the
The changes seem good, tested against an old 2.7 environment and the output is correct.