Merge pull request #501 from dduportal/helpdesk-4951

chore(updatecli) track CRL expiration

Author: dduportal

updatecli/scripts/cert-expiry-extract.sh

@@ -1,17 +1,31 @@
 #!/bin/bash
 # Extract expiration date from an OpenVPN certificate
-set -eu -o pipefail
+set -eux -o pipefail
 
 cert_file="${1}"
+cert_type="${2:-x509}"
 
 if [ ! -f "${cert_file}" ]; then
     echo "ERROR: Certificate file ${cert_file} not found"
     exit 1
 fi
 
-# Extract the notAfter date from the certificate
-# Output format: notAfter=Jan 15 12:34:56 2026 GMT
-expiry_raw=$(openssl x509 -enddate -noout -in "${cert_file}" 2>/dev/null | cut -d= -f2)
+case "${cert_type}" in
+    "x509")
+        # Extract the notAfter date from the certificate
+        # Output format: notAfter=Jan 15 12:34:56 2026 GMT
+        expiry_raw="$(openssl x509 -enddate -noout -in "${cert_file}" 2>/dev/null | cut -d= -f2)"
+        ;;
+    "crl")
+        # Extract the nextUpdate date from the certificate
+        # Output format: nextUpdate=Jun  1 10:20:48 2026 GMT
+        expiry_raw="$(openssl crl --nextupdate -noout -in "${cert_file}" 2>/dev/null | cut -d= -f2)"
+        ;;
+    *)
+        echo "ERROR: unsupported certificate type ${cert_type}".
+        exit 1
+        ;;
+esac
 
 if [ -z "${expiry_raw}" ]; then
     echo "ERROR: Could not extract expiration date from ${cert_file}"

updatecli/updatecli.d/crl-expiration.yaml

@@ -0,0 +1,58 @@
+---
+name: Check VPN CRL expiration
+
+scms:
+  default:
+    kind: github
+    spec:
+      user: "{{ $.github.user }}"
+      email: "{{ $.github.email }}"
+      owner: "{{ $.github.owner }}"
+      repository: "{{ $.github.repository }}"
+      token: "{{ requiredEnv $.github.token }}"
+      branch: "{{ $.github.branch }}"
+
+sources:
+  crlExpiryDate:
+    name: Extract CRL expiration date
+    kind: shell
+    spec:
+      command: bash ./updatecli/scripts/cert-expiry-extract.sh ./cert/pki/crl.pem crl
+
+conditions:
+  checkIfExpiringSoon:
+    name: Check if certificate expires within 30 days
+    kind: shell
+    sourceid: crlExpiryDate
+    spec:
+      command: bash ./updatecli/scripts/cert-expiry-check.sh
+
+targets:
+  markCertExpiring:
+    name: Mark CRL certificate as expiring
+    kind: file
+    disablesourceinput: true
+    spec:
+      file: ./cert/pki/crl.pem
+      content: |
+        Certificate Revocation List expires on {{ source "crlExpiryDate" }}.
+        Please renew the VPN CRL following https://github.com/jenkins-infra/docker-openvpn?tab=readme-ov-file#howto-renew-certificate-revocation-list.
+    scmid: default
+
+actions:
+  default:
+    kind: github/pullrequest
+    scmid: default
+    spec:
+      draft: true
+      title: "[DO NOT MERGE] VPN CRL Expiring Soon"
+      description: |
+        @jenkins-infra/jenkins-infra-sre-team The VPN CRL will expire on **{{ source "crlExpiryDate" }}**.
+
+        ## Action Required
+
+        Please create an issue on the helpdesk and follow instructions from https://github.com/jenkins-infra/docker-openvpn?tab=readme-ov-file#howto-renew-certificate-revocation-list.
+
+        ---
+        **Note:** This is an automated notification PR.
+        It is not meant to be merged and can be closed once acknowledged.