distcloud/distributedcloud/dcmanager/audit
Yuxing Jiang d2983e8e3c Implement k8s root CA audit based on cert
The existing Kubernetes root CA audit in distributed cloud is based on
alarms about the certificate expiry on the subcloud.

This commit introduces a database column to record if a subcloud is
rehomed from another distributed cloud.

On top of the rehomed record, this commit switches the audit
method based on the certificate comparison between the central cloud
and the subcloud, and applies this kind of audit against the subclouds
that are rehomed from another distributed cloud and have a software
version that supports the query of the Kubernetes root CA certificate's
ID introduced in: Ie78121d0c21d2c6033c8b5d4919e251fc4d98050.

To support the subclouds with a lower patch level which don't have the
sysinv API to query the certificate ID, the Kubernetes root CA audit
of those subclouds will still use the alarm based audit.

Test plan:
1. Passed - build an image and deploy an AIODX central cloud(CC1)
   using the new image, w/o the change:
   Ie9e783fc44308bcce4d19985c1089eaf77901901.
2. Passed - deploy an AIOSX subcloud(SC1), verify the subcloud's
   rehomed column is False after deployment, verify the subcloud's
   kube-root-ca can be in-sync after being managed.
3. Passed - deploy another AIOSX subcloud(SC2) from another
   distributed cloud(CC2). Rehome the subcloud to CC1, verify the
   subcloud's rehomed column is True, verify the subcloud's
   kube-root-ca is out-of-sync after being managed.
4. Passed - manually delete the k8s root CA cert from the filesystem
   of SC2, verify kube-root-ca audit against SC2 is skipped.
5. Passed - redeploy SC2, verify its rehomed column is False, verify
   its kube-root-ca is in-sync after being managed.
6. Passed - deploy an AIOSX subcloud(SC3) with stx6 load as inactive
   load in CC2, verify its kube-root-ca is in-sync after the
   deployment.

Note:
1. Rehome stx6 based subcloud to central cloud, its kube-root-ca will
   be in-sync, but the Kubernetes root CA cert is different between
   the subcloud and the central cloud, this behavior aligns with the
   rehoming result in stx6.

Story: 2010852
Task: 49100

Signed-off-by: Yuxing Jiang <Yuxing.Jiang@windriver.com>
Change-Id: I8accfa316a81841da30ccafdbd16412ff55bc196
2023-11-24 17:02:29 -05:00
__init__.py Move subcloud audit to separate process 2020-05-14 09:34:23 -05:00
alarm_aggregation.py Remove standard WR License notice from StarlingX distributedcloud 2021-12-23 19:55:09 +00:00
auditor.py Subcloud Name Reconfiguration 2023-09-07 10:30:06 -03:00
firmware_audit.py Subcloud Name Reconfiguration 2023-09-07 10:30:06 -03:00
kube_rootca_update_audit.py Implement k8s root CA audit based on cert 2023-11-24 17:02:29 -05:00
kubernetes_audit.py Subcloud Name Reconfiguration 2023-09-07 10:30:06 -03:00
patch_audit.py Update dcmanager audit to use usm API 2023-11-01 11:05:27 +00:00
rpcapi.py Update dcmanager audit to use usm API 2023-11-01 11:05:27 +00:00
service.py Update dcmanager audit to use usm API 2023-11-01 11:05:27 +00:00
subcloud_audit_manager.py Update dcmanager audit to use usm API 2023-11-01 11:05:27 +00:00
subcloud_audit_worker_manager.py Implement k8s root CA audit based on cert 2023-11-24 17:02:29 -05:00
utils.py Remove standard WR License notice from StarlingX distributedcloud 2021-12-23 19:55:09 +00:00