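# OpsCapability "cert-check": reports a server certificate's expiry, subject,
# issuer, chain validity and SANs for a hostname:port. Inputs are rendered
# into spec.verification.command by the agent named in spec.agent.
apiVersion: ops.aiwg.io/v1
kind: OpsCapability
metadata:
  name: cert-check
  labels:
    category: pki
spec:
  description: Check a TLS certificate's expiry date, chain validity, and SANs against a target host and port
  # Quoted so the version stays a string rather than being read as a float.
  version: "1.0.0"
  inputs:
    # hostname and port are substituted into a shell pipeline (see
    # spec.verification.command). The single quotes added there limit word
    # splitting but do not make arbitrary input safe; the renderer must
    # restrict hostname to a DNS name or IP literal before substitution.
    # This schema declares no pattern/validation field -- TODO confirm where
    # inputs are validated.
    - name: hostname
      type: string
      required: true
    - name: port
      type: integer
      required: false
      default: 443
    # Trust store used for chain verification (-CAfile below). The default
    # follows the Debian-family bundle path; override on hosts that keep
    # the bundle elsewhere.
    - name: ca_bundle
      type: path
      required: false
      default: /etc/ssl/certs/ca-certificates.crt
    # Days-before-expiry threshold. Not referenced by the verification
    # command; presumably the agent uses it to derive the status output --
    # confirm against the agent implementation.
    - name: warn_days
      type: integer
      required: false
      default: 30
  outputs:
    - name: status
      type: string
    - name: subject
      type: string
    - name: issuer
      type: string
    - name: expiry_date
      type: datetime
    - name: days_remaining
      type: integer
    - name: chain_valid
      type: boolean
    - name: sans
      type: list
  target_requirements:
    os: [linux]
    capabilities: [openssl]
  agent: cert-lifecycle-monitor
  idempotent: true
  verification:
    # Post-run smoke check. -CAfile pins verification to the declared
    # ca_bundle instead of whatever default store the target's openssl uses,
    # and -verify_return_error makes s_client abort the handshake on a
    # verification failure, so a chain that does not validate yields no
    # certificate for the x509 stage and the expected "notAfter=" line is
    # absent. Note that 2>/dev/null discards s_client's verify diagnostics;
    # a failure is only visible as the missing expect string.
    command: "openssl s_client -connect '{{ hostname }}:{{ port }}' -servername '{{ hostname }}' -CAfile '{{ ca_bundle }}' -verify_return_error </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer"
    expect: "notAfter="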
