Cert-Alarm token caching + other

Cert-alarm used to request new token for each file. This used to
result in token requests of 3-5 calls per execution. Incorporating
token caching from cert-mon service to reduce the number of requests.

Other changes include:
- Log level change in case of exceptions thrown from FM API. An
  exception should not be logged only at a warning level, where it
  can be missed; it should produce a more detailed/traceable log.
- Logic fix for raising alarm at right level. It was noticed that
  alarm was tagged as expired on the day before expiry. This changes
  to wait until the date has actually passed before the certificate
  is marked as expired.
- Safer call to use dict.get() in case of missing annotations of
  cert-manager Certificate resources.

Test Plan:
PASS: Verify that token caching reduces the number of calls
PASS: Verify that an exception thrown from FM API gets a more
      detailed log
PASS: Verify to make sure certificate expiry alarm waits
      until expiry date is passed before 'Expired' alarm is
      raised.
PASS: Verify that if Certificate CRD does not contain
      metadata.annotations, cert-alarm will handle the condition
      and create the annotations without error.

Story: 2008946
Task: 42852

Signed-off-by: Sabeel Ansari <Sabeel.Ansari@windriver.com>
Change-Id: Icfedfdadd43757c1375459e7ee4b4d3d97e8d02f
Sabeel Ansari 2021-10-12 15:11:15 -04:00
parent f74f0bb495
commit 5c42dde784
3 changed files with 12 additions and 14 deletions


@ -201,12 +201,12 @@ class CertAlarmAudit(object):
self.clear_expiring_soon(cert_name)
self.clear_expired(cert_name)
else:
if days_to_expiry > 0:
self.raise_expiring_soon(cert_name)
else:
if days_to_expiry < 0:
# Expired. Clear expiring-soon & raise expired
self.clear_expiring_soon(cert_name)
self.raise_expired(cert_name)
else:
self.raise_expiring_soon(cert_name)
def raise_expiring_soon(self, cert_name):
self.fm_obj.set_fault(cert_name,
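Review bot: With the new `days_to_expiry < 0` test, a value of 0 is now an expiring-soon state, so what happens on the expiry day depends on how `days_to_expiry` is rounded, and that computation is outside this hunk (the enclosing method also starts above it). If the value is a day count truncated toward zero, a certificate whose expiry time passed a few hours ago could still report 0 and stay in expiring-soon until the next day. It is worth confirming the rounding and pinning the 0 and -1 cases in a unit test. A short comment on the branch would record the intent, e.g. `# days_to_expiry == 0: expiry date has not passed yet, keep expiring-soon`.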


@ -185,7 +185,7 @@ class FaultApiMgr(object):
(cert_name, expired_flag, state))
self.fm_api.clear_fault(alrm_id, entity_inst_id)
except Exception as e:
LOG.warn(e)
LOG.exception(e)
def get_faults(self, expired_flag):
alrm_id = fm_constants.FM_ALARM_ID_CERT_EXPIRED if expired_flag \
@ -194,7 +194,7 @@ class FaultApiMgr(object):
try:
alarms = self.fm_api.get_faults_by_id(alrm_id)
except Exception as e:
LOG.warn(e)
LOG.exception(e)
return alarms
def collect_all_cert_alarms(self):
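Review bot: In `get_faults`, when `get_faults_by_id` raises, the handler logs and execution falls through to `return alarms`. The lines just above the `try` are not shown, so unless `alarms` is initialised there, that return raises UnboundLocalError and masks the FM API failure from the caller. Initialising it before the `try`, e.g. `alarms = None`, keeps the return well defined. Both handlers also pass the exception object itself as the message; a short description such as `LOG.exception('Failed to get faults for alarm id %s', alrm_id)` would make the traceback easier to locate in the logs.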


@ -65,6 +65,8 @@ CERT_SNAPSHOT is a dict of dict. Each entry is per certificate.
}
"""
TOKEN_CACHE = certmon_utils.TokenCache('internal')
def get_cert_expiration_date(cert):
"""
@ -217,7 +219,7 @@ def get_annotation_data(secretobj):
if SNAPSHOT_KEY_RENEW_BEFORE in certobj[SPEC]:
mode_metadata[SNAPSHOT_KEY_RENEW_BEFORE] = certobj[SPEC][SNAPSHOT_KEY_RENEW_BEFORE]
certobj_annotation = certobj[METADATA][ANNOTATIONS]
certobj_annotation = certobj[METADATA].get(ANNOTATIONS)
annotation_dict, patch_needed = process_annotation_data(certobj_annotation)
if patch_needed is True:
# Update the annotation
@ -336,16 +338,12 @@ def get_file_mode_metadata(certname, file_loc):
def get_cert_uuid(certname):
ret = 'unknown'
token = certmon_utils._get_token(
CONF.keystone_authtoken.auth_url + '/v3/auth/tokens',
CONF.keystone_authtoken.project_name,
CONF.keystone_authtoken.username,
CONF.keystone_authtoken.password,
CONF.keystone_authtoken.user_domain_name,
CONF.keystone_authtoken.project_domain_name,
CONF.keystone_authtoken.region_name)
global TOKEN_CACHE
token = TOKEN_CACHE.get_token()
if token is None:
LOG.error('Error in retrieving token. Cannot process cert %s' % certname)
return ret
service_type = 'platform'