Merge pull request #496 from jayfranco999/updatecli-cert-exp-warning

chore(updatecli): add `OpenVPN` certificate expiration tracking manifest

Author: dduportal

updatecli/scripts/cert-expiry-check.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Check if certificate expires within 30 days
+set -eu -o pipefail
+
+currentexpirydate="${1}"
+
+DATE_BIN='date'
+## non GNU operating system
+if command -v gdate >/dev/null 2>&1; then
+    DATE_BIN='gdate'
+fi
+
+command -v "${DATE_BIN}" >/dev/null 2>&1 || { echo "ERROR: ${DATE_BIN} command not found. Exiting."; exit 1; }
+
+currentdateepoch=$("${DATE_BIN}" --utc "+%s" 2>/dev/null)
+expirydateepoch=$("${DATE_BIN}" "+%s" -d "${currentexpirydate}")
+datediff=$(((expirydateepoch-currentdateepoch)/(60*60*24))) # diff per days
+
+echo "Certificate expires in ${datediff} days"
+
+if [ "${datediff}" -lt 30 ]; then # Alert 30 days before expiration
+    echo "Certificate expiring soon - action required"
+    exit 0
+else
+    echo "Certificate not expiring soon"
+    exit 1
+fi

updatecli/scripts/cert-expiry-extract.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+# Extract expiration date from an OpenVPN certificate
+set -eu -o pipefail
+
+cert_file="${1}"
+
+if [ ! -f "${cert_file}" ]; then
+    echo "ERROR: Certificate file ${cert_file} not found"
+    exit 1
+fi
+
+# Extract the notAfter date from the certificate
+# Output format: notAfter=Jan 15 12:34:56 2026 GMT
+expiry_raw=$(openssl x509 -enddate -noout -in "${cert_file}" 2>/dev/null | cut -d= -f2)
+
+if [ -z "${expiry_raw}" ]; then
+    echo "ERROR: Could not extract expiration date from ${cert_file}"
+    exit 1
+fi
+
+# Convert to ISO 8601 format for easier parsing
+DATE_BIN='date'
+if command -v gdate >/dev/null 2>&1; then
+    DATE_BIN='gdate'
+fi
+
+command -v "${DATE_BIN}" >/dev/null 2>&1 || { echo "ERROR: ${DATE_BIN} command not found. Exiting."; exit 1; }
+
+# Convert to ISO format: YYYY-MM-DDTHH:MM:SSZ
+expiry_iso=$("${DATE_BIN}" --utc -d "${expiry_raw}" "+%Y-%m-%dT%H:%M:%SZ" 2>/dev/null)
+
+echo "${expiry_iso}"

updatecli/updatecli.d/openvpn-cert-expiration.tpl

@@ -0,0 +1,69 @@
+{{- range $username := splitList "," .certificates }}
+---
+# yamllint disable rule:line-length
+name: "Check VPN certificate expiration for {{ $username }}"
+
+scms:
+  default:
+    kind: github
+    spec:
+      user: "{{ $.github.user }}"
+      email: "{{ $.github.email }}"
+      owner: "{{ $.github.owner }}"
+      repository: "{{ $.github.repository }}"
+      token: "{{ requiredEnv $.github.token }}"
+      branch: "{{ $.github.branch }}"
+
+sources:
+  certExpiryDate:
+    name: "Extract expiration date from {{ $username }}'s certificate"
+    kind: shell
+    spec:
+      command: bash ./updatecli/scripts/cert-expiry-extract.sh cert/pki/issued/{{ $username }}.crt
+      environments:
+        - name: PATH
+
+conditions:
+  checkIfExpiringSoon:
+    name: "Check if certificate expires within 30 days"
+    kind: shell
+    sourceid: certExpiryDate
+    spec:
+      command: bash ./updatecli/scripts/cert-expiry-check.sh
+      environments:
+        - name: PATH
+
+targets:
+  markCertExpiring:
+    name: "Mark {{ $username }}'s certificate as expiring"
+    kind: file
+    spec:
+      file: cert/pki/issued/{{ $username }}.crt.expiring
+      content: |
+        Certificate for {{ $username }} expires on {{ source "certExpiryDate" }}.
+        Please renew your VPN certificate as soon as possible.
+    scmid: default
+
+actions:
+  default:
+    kind: github/pullrequest
+    scmid: default
+    spec:
+      draft: true
+      title: "[DO NOT MERGE] VPN Certificate Expiring Soon: {{ $username }}"
+      description: |
+        @{{ $username }} your VPN certificate will expire on **{{ source "certExpiryDate" }}**.
+
+        ## Action Required
+
+        Your VPN certificate expires in less than **30 days**.
+        Please renew it to avoid losing VPN access.
+
+        ---
+        **Note:** This is an automated notification PR.
+        It is not meant to be merged and can be closed once acknowledged.
+      labels:
+        - vpn
+        - certificate-expiration
+        - action-required
+{{- end }}

updatecli/values.yaml

@@ -35,3 +35,5 @@ networks:
         resolve_dns: true
       dockerhubmirror.azurecr.io:
         resolve_dns: true
+
+certificates: abayer,danielbeck,dduportal,hlemeur,jay_jenkins,kevingrdj,kohsuke,krisstern,markewaite,notmyfault,smerle,timja,wfollonier