#!/usr/bin/env python3 | |
import argparse
import base64
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from kubernetes import client, config
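# Module-level side effect kept as in the original: the kubeconfig is loaded at
# import time, so the client talks to whatever context kubectl would use.
config.load_kube_config()
v1 = client.CoreV1Api()


def _parse_bool(value: str) -> bool:
    """Strict boolean parser for the optional ``--delete VALUE`` argument.

    The original used ``type=bool``; argparse then calls ``bool("false")``,
    which is True, so ``--delete false`` (or any non-empty string) would have
    armed the destructive delete path.  Only an explicit true/false spelling
    is accepted; anything else is an argparse error, never a delete.

    Raises:
        argparse.ArgumentTypeError: for a value that is not a recognised
            true/false spelling.
    """
    lowered = value.strip().lower()
    if lowered in ("1", "true", "t", "yes", "y", "on"):
        return True
    if lowered in ("0", "false", "f", "no", "n", "off"):
        return False
    raise argparse.ArgumentTypeError(f"expected true/false, got {value!r}")


parser = argparse.ArgumentParser(description="TLS secret checker")
# ``--delete`` with no value means True (const); ``--delete false`` now really
# means False.  Parsed once by check_secrets_in_namespace, not per secret.
parser.add_argument('--delete', dest='delete',
                    type=_parse_bool, const=True, default=False, nargs='?')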
def main():
    """Scan every ``tmc-`` namespace for expiring dev-issuer TLS secrets."""
    tmc_namespaces = [
        ns.metadata.name
        for ns in v1.list_namespace().items
        if ns.metadata.name.startswith("tmc-")
    ]
    for ns_name in tmc_namespaces:
        check_secrets_in_namespace(ns_name)
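def _utc_not_valid_after(cert) -> datetime:
    """Return the certificate's notAfter as a timezone-aware UTC datetime.

    X.509 validity times are UTC, but ``cert.not_valid_after`` is a naive
    datetime (deprecated since cryptography 42 in favour of
    ``not_valid_after_utc``).  The original subtracted ``datetime.now()`` —
    local wall-clock time — from it, so the "time left" was off by the host's
    UTC offset.  Prefer the aware accessor when present, else tag the naive
    value as UTC.
    """
    aware = getattr(cert, "not_valid_after_utc", None)
    if aware is not None:
        return aware
    return cert.not_valid_after.replace(tzinfo=timezone.utc)


def check_secrets_in_namespace(namespace: str, delete=None,
                               threshold_days: int = 14) -> list:
    """Report, and optionally delete, soon-to-expire cert-manager secrets.

    Only secrets annotated by cert-manager with issuer-name ``dev`` and
    issuer-kind ``Issuer`` are considered.  The secret's ``ca.crt`` entry is
    parsed and its notAfter compared against the current UTC time; anything
    with less than ``threshold_days`` of validity left is printed and, when
    ``delete`` is true, removed (presumably so cert-manager re-issues it —
    that only happens if the owning Certificate resource still exists).

    Args:
        namespace: Namespace whose secrets are scanned.
        delete: Whether to delete flagged secrets.  ``None`` (the default the
            existing caller relies on) reads ``--delete`` from the CLI once,
            up front, instead of re-parsing ``sys.argv`` inside the loop.
        threshold_days: Remaining validity below which a secret is flagged.

    Returns:
        Names of the secrets flagged in this namespace (empty if none).
    """
    if delete is None:
        delete = parser.parse_args().delete
    threshold = timedelta(days=threshold_days)
    now = datetime.now(timezone.utc)
    flagged = []

    for secret in v1.list_namespaced_secret(namespace).items:
        annotations = secret.metadata.annotations or {}
        if (annotations.get("cert-manager.io/issuer-name") != "dev"
                or annotations.get("cert-manager.io/issuer-kind") != "Issuer"):
            continue

        # NOTE(review): this inspects ca.crt, not tls.crt.  For a cert-manager
        # TLS secret that is the issuing CA's expiry, not the leaf's; kept as
        # in the original, but confirm that is the intended check.
        ca_b64 = (secret.data or {}).get("ca.crt")
        if not ca_b64:
            # Matched the issuer annotations but carries no CA bundle; the
            # original would have crashed here on b64decode(None).
            print(f"namespace: {namespace}, secret_name: {secret.metadata.name}, "
                  "skipped: no ca.crt")
            continue

        cert = x509.load_pem_x509_certificate(base64.b64decode(ca_b64),
                                              default_backend())
        timeleft = _utc_not_valid_after(cert) - now
        if timeleft >= threshold:
            continue

        # The original continued the f-string across lines with a backslash,
        # which embedded the source indentation in the printed message.
        print(f"namespace: {secret.metadata.namespace}, "
              f"secret_name: {secret.metadata.name}, time_left: {timeleft}")
        flagged.append(secret.metadata.name)

        if delete:
            # Destructive: the secret is gone until cert-manager re-issues it.
            print(f"deleting {secret.metadata.name} in "
                  f"{secret.metadata.namespace}")
            v1.delete_namespaced_secret(secret.metadata.name,
                                        secret.metadata.namespace)
    return flagged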
if __name__ == "__main__":
    # Script entry point; main() returns None, so the exit status stays 0.
    raise SystemExit(main())