4 Commits

Author SHA1 Message Date
Charles Short
63c249b9a1 Add debian packaging infrastructure for cert-mon
Add debian packaging infrastructure for cert-mon
to build debian package for cert-mon.

Story: 2009101
Task: 43088

Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: Ic0835ee9838f9bea4bd39a5bd3d3c6a3f3d06edc
2021-09-28 09:47:26 -04:00
Kyle MacLeod
e255896eea Set cert-mon temp dir location to /var/run/cert-mon_tmp
Redirect the k8s Python client's use of /tmp to /var/run/cert-mon_tmp
by setting TMPDIR.

This is a known issue of the Kubernetes Python client:
https://github.com/kubernetes-client/python/issues/765

The fix is the same as for
https://bugs.launchpad.net/starlingx/+bug/1883599
See commit message there for more details.

Related-Bug: 1883599
Closes-Bug: 1936435

Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I0e163bd1b4d5a19f07267dd4cd14bad1b8cb20bb
2021-07-19 17:12:30 -04:00
Don Penney
56981db804 Create cert-mon logfile config
This commit defines the cert-mon logfile config.

In addition, the package directory is reorganized to have a files
subdirectory, and to drop the obsolete PKG-INFO file.

Change-Id: Iec2b39b3b080c823be7f00ee978baa223d05b041
Story: 2008251
Task: 41115
Signed-off-by: Don Penney <don.penney@windriver.com>
2020-10-16 13:50:20 -04:00
Bin Qian
8df382b256 Add cert-mon service
Add new certificate monitoring service.
This is a service to monitor the certificates of the
admin endpoint,
admin endpoint subcloud intermediate CA, and
admin endpoint DC root CA.
The certificates are managed and renewed by cert-manager.
This change includes monitoring the admin endpoint certificate and
applying the new certificate (crt+key) to be used by haproxy for
admin endpoint https.
Admin endpoint certificate renewal will also replace the private
key. The implementation is a workaround to delete the secret
so that cert-manager regenerates the certificate with a new private
key. Currently cert-manager has a bug preventing rekey when
renewing a cert.

Monitoring of intermediate CA and DC root CA will be coming soon.

Passed TCs:
1. provisioned cert-mon service on system controller and subcloud
   controller, successfully swact

2. simulate endpoint certificate renewal by shortening the endpoint
   certificate expiry time.
   observed the certificate (/etc/ssl/private/admin-ep-cert.pem)
   updated.
   verify admin endpoints accessible (locally or remotely)
   verify admin endpoints accessible after haproxy restart

3. simulate an action to fail (hardcoded) and observe the action
   being reattempted the configured number of times before giving up.

Story: 2007347
Task: 40168

Depends-on https://review.opendev.org/#/c/739890
Depends-on https://review.opendev.org/#/c/741511
Depends-on https://review.opendev.org/#/c/741993
Change-Id: Ie341e2e4896c291b7485e95c89c5c3f370ffea00
2020-07-20 14:06:31 -04:00