-
Notifications
You must be signed in to change notification settings - Fork 6
/
ddayconfig.yml
267 lines (238 loc) · 10.2 KB
/
ddayconfig.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
#This is a doomsday server configuration manifest
# backends: (list) The list of backends to ingest certificates from. Each entry
# in the backends list is a hash that looks like
# - type: <backend-type>
# name: <backend-name>
# properties:
# backend-specific-property: example
#
# type: (string, enum) Currently supported types are "vault", "opsmgr",
# "credhub", and "tlsclient".
#
# name: (string) Attached to objects returned from the doomsday API to
# identify where each item came from. Defaults to the backend `type` string.
#
# refresh_interval: (number) How many minutes between refreshing information from
# this backend. Defaults to 30
#
# properties (hash): Backend-specific. You should look below for how to
# configure each one.
backends:
# Hashicorp's Vault. https://www.vaultproject.io/
- type: vault
name: myvault
refresh_interval: 30
properties:
# (string) The URL where the Vault API is located
address: https://127.0.0.1:443
# (bool) (default: false) This will cause the Vault client to not check
# for proper subject alternative names or a proper chain of trust on the
# certificate returned by the Vault. Handy if you need it, but not
# recommended for production use. If the certificate served by the Vault
# is not trusted by your system, consider using the `ca_certs` option.
#insecure_skip_verify: true
# (string) If set, the Vault client will exclusively use the following certs
# as its trusted certificate pool when performing a TLS handshake to the
# targeted Vault. If this is not set, then the client will use the system's
# trusted certificate pool.
#ca_certs: |
# -----BEGIN CERTIFICATE-----
# I'm a cert
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# I'm another cert
# -----END CERTIFICATE-----
# (string) This is the path to begin looking for Vault secrets. Everything under this
# path will be searched. Defaults to "secret/" if not present.
base_path: "secret/"
# (boolean) If set to true, requests to and responses from the Vault will
# be logged to stdout. You probably only want this if you're debugging.
#trace: true
# (string) An optional Vault enterprise namespace to use for all Vault
# requests.
#namespace: "my-namespace"
# (hash) Options for authorizing to Vault
# Must either provide "token" for Token auth or "role_id" and "secret_id" for AppRole
# If a token is given, it should either have no expiry or be renewable.
# If AppRole credentials are given, the token that is generated should be renewable.
auth:
# (string) A Vault authentication token.
token: 01234567-89ab-cdef-0123-456789abcdef
# (string) An AppRole role ID
# role_id: 01234567-89ab-cdef-0123-456789abcdef
# (string): An AppRole secret ID
# secret_id: s.ImaSecret
# Checks certs of configured URLs by connecting over TCP, attempting a TLS
# handshake, and then returning the served certificate
- type: tlsclient
name: mytlsclient
properties:
# (list) A list of URLs to connect to. The scheme of the URLs is optional,
# but will be ignored. If no port is provided on a host, 443 will be used
# by default.
hosts:
# (string) The hostname to track
- starkandwayne.com
- shieldproject.io
- genesisproject.io
# (number) (default: 20) How many seconds to wait before giving up on a host.
#timeout: 20
# Pivotal Ops Manager. https://network.pivotal.io/products/ops-manager
- type: opsmgr
name: myopsmanager
properties:
# (string) The URL of the Ops Manager API location.
address: https://127.0.0.1:443
# (bool) (default: false) This will cause the Ops Manager and UAA clients to
# not check for proper subject alternative names or a proper chain of trust
# on the certificate returned by those respective servers. Handy if you
# need it, but not recommended for production use. If the certificate
# served by the Ops Manager and/or UAA is not trusted by your system,
# consider using the `ca_certs` option.
#insecure_skip_verify: true
# (string) If set, the Ops Manager and UAA client will exclusively use the
# following certs as its trusted certificate pool when performing a TLS
# handshake to the targeted Ops Manager and associated UAA servers. If this
# is not set, then the client will use the system's trusted certificate
# pool.
#ca_certs: |
# -----BEGIN CERTIFICATE-----
# I'm a cert
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# I'm another cert
# -----END CERTIFICATE-----
# (hash) Options for authorizing to the UAA attached to your Ops Manager
auth:
# (string) The grant type with which you are going to authenticate to the UAA
# One of "password" or "client_credentials". If it's "client_credentials",
# provide "client_id" and "client_secret". If it's "password", then provide
# "client_id", "client_secret", "username", and "password"
grant_type: password
# (string) The id of the OAuth client
client_id: opsman
# (string) The secret of the OAuth client
client_secret: ""
# (string) The username of the user to use (if doing password grant type)
username: admin
# (string) The password of the user to use (if doing password grant type)
password: password
# Pivotal's Credhub. https://github.com/cloudfoundry-incubator/credhub
# An implementation of the BOSH Config Server API.
- type: credhub
name: mycredhub
properties:
# (string) The URL where the Credhub API is located
address: https://127.0.0.1:8844
# (bool) (default: false) This will cause the CredHub and UAA clients to
# not check for proper subject alternative names or a proper chain of trust
# on the certificate returned by those respective servers. Handy if you
# need it, but not recommended for production use. If the certificate
# served by the Credhub and/or UAA is not trusted by your system, consider
# using the `ca_certs` option.
#insecure_skip_verify: true
# (string) If set, the CredHub and UAA client will exclusively use the
# following certs as its trusted certificate pool when performing a TLS
# handshake to the targeted CredHub and associated UAA servers. If this is
# not set, then the client will use the system's trusted certificate pool.
#ca_certs: |
# -----BEGIN CERTIFICATE-----
# I'm a cert
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# I'm another cert
# -----END CERTIFICATE-----
# (hash) Options for authorizing to the UAA attached to your Credhub.
# This is the same as the Ops Manager auth options. Check that out.
auth:
grant_type: password
client_id: credhub_cli
client_secret: ""
username: credhub-cli
password: password
# (hash) Configuration for the doomsday server API
server:
# (number) (default: 8111)
port: 8111
#
# (hash) If present, this have Doomsday's API listen with TLS.
tls:
# (string) An x509 certificate to serve from the API
cert: |
-----BEGIN CERTIFICATE-----
fAKe
-----END CERTIFICATE-----
# (string) The RSA key used to sign `cert`
key: |
-----BEGIN RSA PRIVATE KEY-----
fAKe
-----END RSA PRIVATE KEY-----
# Authentication options for the doomsday API. This may differ depending on
# the auth type you're configuring, but at the top level, it looks like:
#
# type: <auth-type>
# properties:
# backend: specific
#
# Available auth types are `none` and `userpass`
# Userpass is an in-memory auth method that accepts a static username and
# password and, if correct, hands back a session bearer token which expires.
# The `none` type has no properties. You may leave the properties hash absent
# in that case.
auth:
#type: none
type: userpass
properties:
# (string) The username to accept logins for
username: admin
# (string) The password to accept logins for
password: password
# (number) How many minutes a session token lasts before it is invalid.
timeout: 30
# (bool) If true, a session token has its validity length refreshed to
# the configured timeout when it is used, so long as it is used while
# still valid.
refresh: true
notifications:
# (string) The external URL for this doomsday server. It will be included in
# notification messages
doomsday_url: http://toms.laptop
# (hash) A notification backend is something that receives notifications
backend:
# (string, enum) The type of notification backend.
# Acceptable values are slack or shout.
# Slack is... well.. Slack (slack.com)
# Shout is github.com/jhunt/shout, a man-in-the-middle notification handler
type: shout
# (hash) backend-type specific notification options
properties:
# (string) The url of the shout server
url: "http://localhost:7109"
# (string) The username to authenticate to the shout server with
username: admin
# (string) The password to authenticate to the shout server with
password: password
# (string) The topic to notify for (this is an identifier for this doomsday server in shout)
topic: doomsday
## Notifications through incoming webhooks to Slack.
#type: slack
#properties:
# # (string) The incoming webhook to send the notifications to
# webhook: https://hooks.slack.com/services/ABCDEFGHI/JKLMNOPQR/StUvWxYz12345678910aBcDeFg
# # (bool) Whether to send notifications when there are no certs expiring soon
# notify_ok: false
# (hash) A schedule for when to check/send notifications
schedule:
# (string, enum) The type of notification schedule.
# Acceptable values are constant and cron
# constant is effectively "every x minutes"
# cron is based on cron schedules, allowing for more complex notification intervals
type: constant
# (hash) schedule-type-specific properties
properties:
# # (number) The number of minutes to wait between notifications
interval: 30
#type: cron
#properties:
# # A crontab spec, in the form of minute, hour, day of month, month, and day of week
# spec: * 12 * * *