From 1fbecbaae2db16341a2b50c14391dfbaba3fc299 Mon Sep 17 00:00:00 2001
From: Andy Ning <andy.ning@windriver.com>
Date: Tue, 23 May 2023 10:19:40 -0400
Subject: [PATCH] Add kubelet certificates to show-certs.sh

Currently show-certs.sh doesn't show the status of the kubelet client
and server certificates. This update adds them to the utility
script.

Test Plan:
PASS: Run show-certs.sh, verify the output contains the status
      of kubelet client and server certificates, as following
 kubelet client  CERTIFICATE:
 ------------------------------------------
         Renewal        :  Automatically by k8s
         Filename       :  /var/lib/kubelet/pki/kubelet-client-current.pem
         Subject        :  O = system:nodes, CN = system:node:controller-0
         Issuer         :  CN = starlingx
         Issue Date     :  Apr 27 18:41:43 2023 GMT
         Expiry Date    :  Apr 26 18:42:00 2024 GMT
         Residual Time  :  340d

 kubelet server  CERTIFICATE:
 ------------------------------------------
         Renewal        :  Manual
         Filename       :  /var/lib/kubelet/pki/kubelet.crt
         Subject        :  CN = controller-0@1682620922
         Issuer         :  CN = controller-0-ca@1682620922
         Issue Date     :  Apr 27 17:42:02 2023 GMT
         Expiry Date    :  Apr 26 17:42:02 2024 GMT
         Residual Time  :  340d

 kubelet CA  CERTIFICATE:
 ------------------------------------------
         Renewal        :  Manual
         Filename       :  /var/lib/kubelet/pki/kubelet.crt
         Subject        :  CN = controller-0-ca@1682620922
         Issuer         :  CN = controller-0-ca@1682620922
         Issue Date     :  Apr 27 17:42:02 2023 GMT
         Expiry Date    :  Apr 26 17:42:02 2024 GMT
         Residual Time  :  340d

Closes-Bug: 2020507
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I8d4c06a63270afb610f10b0a5e3be24f48aa9607
---
 utilities/platform-util/scripts/show-certs.sh | 27 +++++++++++++------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/utilities/platform-util/scripts/show-certs.sh b/utilities/platform-util/scripts/show-certs.sh
index 93f24bfa..9081cca9 100755
--- a/utilities/platform-util/scripts/show-certs.sh
+++ b/utilities/platform-util/scripts/show-certs.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright (c) 2021 Wind River Systems, Inc.
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -24,6 +24,8 @@ TMP_TLS_SECRETS_FILE=$(mktemp)
 TMP_GEN_SECRETS_FILE=$(mktemp)
 TMP_SECRET_SECRET_FILE=$(mktemp)
 TMP_GEN_SECRET_FILE=$(mktemp)
+TMP_KUBELET_CA_CERT_FILE=$(mktemp)
+
 
 chmod +r $TMP_SUBCLOUD_SECRETS_FILE
 
@@ -214,6 +216,7 @@ CleanUp () {
     rm -rf $TMP_GEN_SECRETS_FILE
     rm -rf $TMP_SECRET_SECRET_FILE
     rm -rf $TMP_GEN_SECRET_FILE
+    rm -rf $TMP_KUBELET_CA_CERT_FILE
 }
 
 
@@ -358,13 +361,6 @@ fi
 
 PrintCertInfo-fromFile "DC-AdminEp-Server" "/etc/ssl/private/admin-ep-cert.pem" "${GREEN}$AUTO_LABEL${RESET}"
 
-# ETCD CA
-# ETCD certificates are automatically renewed by kube_root_ca_rotation cron job
-PrintCertInfo-fromFile "etcd CA certificate" "/etc/etcd/ca.crt" "${RED}Manual${RESET}"
-PrintCertInfo-fromFile "etcd client certificate" "/etc/etcd/etcd-client.crt" "${GREEN}Automatic${RESET}"
-PrintCertInfo-fromFile "etcd server certificate" "/etc/etcd/etcd-server.crt" "${GREEN}Automatic${RESET}"
-PrintCertInfo-fromFile "etcd apiserver client certificate" "/etc/kubernetes/pki/apiserver-etcd-client.crt" "${GREEN}Automatic${RESET}"
-
 # OpenStack Certificates
 PrintCertInfo-fromFile "openstack" "/etc/ssl/private/openstack/cert.pem" "${RED}Manual${RESET}"
 PrintCertInfo-fromFile "openstack CA" "/etc/ssl/private/openstack/ca-cert.pem" "${RED}Manual${RESET}"
@@ -392,6 +388,21 @@ if [ $? -eq 0 ]; then
 else
     kubeadm alpha certs check-expiration
 fi
+
+# ETCD certificates
+# ETCD certificates are automatically renewed by kube_root_ca_rotation cron job
+PrintCertInfo-fromFile "etcd CA certificate" "/etc/etcd/ca.crt" "${RED}Manual${RESET}"
+PrintCertInfo-fromFile "etcd client certificate" "/etc/etcd/etcd-client.crt" "${GREEN}Automatic${RESET}"
+PrintCertInfo-fromFile "etcd server certificate" "/etc/etcd/etcd-server.crt" "${GREEN}Automatic${RESET}"
+PrintCertInfo-fromFile "etcd apiserver client certificate" "/etc/kubernetes/pki/apiserver-etcd-client.crt" "${GREEN}Automatic${RESET}"
+
+# kubelet client certificates
+PrintCertInfo-fromFile "kubelet client" "/var/lib/kubelet/pki/kubelet-client-current.pem" "${GREEN}Automatically by k8s${RESET}"
+PrintCertInfo-fromFile "kubelet server" "/var/lib/kubelet/pki/kubelet.crt" "${RED}Manual${RESET}"
+
+cat /var/lib/kubelet/pki/kubelet.crt | sed -n '/-----END CERTIFICATE/,/END CERTIFICATE-----$/p' | tail -n +2 > $TMP_KUBELET_CA_CERT_FILE
+PrintCertInfo-fromFile "kubelet CA" "$TMP_KUBELET_CA_CERT_FILE" "${RED}Manual${RESET}" "/var/lib/kubelet/pki/kubelet.crt"
+
 echo
 CleanUp
 exit 0
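Review bot: The kubelet CA extraction on the added `cat … | sed … | tail` line is never checked, so when `/var/lib/kubelet/pki/kubelet.crt` is missing or holds only one certificate the temp file ends up empty and `PrintCertInfo-fromFile "kubelet CA"` still runs on it; how that helper reports an empty file is not visible in this hunk, so the operator may get an error or a blank entry rather than a clear result in a tool meant to flag expiring certificates. Let sed read the file directly, quote the temp path, and guard the print: `sed -n '/-----END CERTIFICATE/,/END CERTIFICATE-----$/p' /var/lib/kubelet/pki/kubelet.crt | tail -n +2 > "$TMP_KUBELET_CA_CERT_FILE"` followed by `[ -s "$TMP_KUBELET_CA_CERT_FILE" ] && PrintCertInfo-fromFile "kubelet CA" "$TMP_KUBELET_CA_CERT_FILE" "${RED}Manual${RESET}" "/var/lib/kubelet/pki/kubelet.crt"`. The same unquoted `$TMP_KUBELET_CA_CERT_FILE` is passed to the `rm -rf` added in the CleanUp hunk, where `rm -f -- "$TMP_KUBELET_CA_CERT_FILE"` would avoid word-splitting if the temp directory path contains spaces. The comment `# kubelet client certificates` also heads the server and CA entries and would read better as `# kubelet certificates`.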