Add Debian packaging infrastructure for cert-mon
to build a Debian package for cert-mon.
Story: 2009101
Task: 43088
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: Ic0835ee9838f9bea4bd39a5bd3d3c6a3f3d06edc

Redirect the k8s python client's use of /tmp to /var/run/cert-mon_tmp
via setting TMPDIR
This is a known issue of the kubernetes python client:
https://github.com/kubernetes-client/python/issues/765
The fix is the same as for
https://bugs.launchpad.net/starlingx/+bug/1883599
See commit message there for more details.
Related-Bug: 1883599
Closes-Bug: 1936435
Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I0e163bd1b4d5a19f07267dd4cd14bad1b8cb20bb

This commit defines the cert-mon logfile config.
In addition, the package directory is reorganized to have a files
subdirectory, and to drop the obsolete PKG-INFO file.
Change-Id: Iec2b39b3b080c823be7f00ee978baa223d05b041
Story: 2008251
Task: 41115
Signed-off-by: Don Penney <don.penney@windriver.com>

Add new certificate monitoring service.

This is a service to monitor the certificates of the
admin endpoint,
admin endpoint subcloud intermediate CA, and
admin endpoint DC root CA.
The certificates are managed and renewed by cert-manager.

This change includes monitoring the admin endpoint certificate and
applying the new certificate (crt+key) to be used by haproxy for
admin endpoint https.

Admin endpoint certificate renewal will also replace the private
key. The implementation is a workaround to delete the secret
so that cert-manager regenerates the certificate with a new private
key. Currently cert-manager has a bug preventing rekey when
renewing a cert.

Monitoring of the intermediate CA and DC root CA will be coming soon.

Passed TCs:
1. provisioned cert-mon service on system controller and subcloud
   controller, successfully swact
2. simulate endpoint certificate renewal by shortening the endpoint
   certificate expiry time.
   observed the certificate (/etc/ssl/private/admin-ep-cert.pem)
   updated.
   verify admin endpoints accessible (locally or remotely)
   verify admin endpoints accessible after haproxy restart
3. simulate an action to fail (hardcoded) and observe the action
   being reattempted the configured number of times before giving up.

Story: 2007347
Task: 40168
Depends-on https://review.opendev.org/#/c/739890
Depends-on https://review.opendev.org/#/c/741511
Depends-on https://review.opendev.org/#/c/741993
Change-Id: Ie341e2e4896c291b7485e95c89c5c3f370ffea00