Fix OIDC CA cert info in the show-certs.sh output

The OIDC CA cert "issuer_root_ca_secret" renewal shows as "Manual"
instead of "Automatic" when the corresponding secret exists and is
managed by cert-manager. This fix addresses the issue.

Test Cases:
PASS: Apply oidc app and run show-certs script and verify all
      oidc cert info is properly displayed
PASS: Apply WRA app and run show-certs script and verify all
      oidc cert info is properly displayed
PASS: Run show-certs.sh script info on DC system and verify all
      the certs info is properly displayed
PASS: Run show-certs.sh with -k option and verify that all the
      certificate info is properly displayed

Closes-Bug: 2052327

Change-Id: Ieef047d5143fce522bf534d5d9ac663e9293e036
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
amantri 2024-02-02 15:03:15 -05:00
parent a272f7c247
commit 6762425bc4
1 changed files with 13 additions and 3 deletions


@ -137,7 +137,7 @@ PrintCertInfo-fromTlsSecret () {
kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET &> /dev/null
if [ $? -eq 0 ]; then
kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o yaml | fgrep tls.crt | fgrep -v "f:tls.crt" | awk '{print $2}' | base64 --decode > $TMP_SECRET_SECRET_FILE
kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o jsonpath='{.data.tls\.crt}' | base64 --decode > $TMP_SECRET_SECRET_FILE
if [ -n "$NAME" ]; then
NAME="$NAME ($NAMESPACE/$SECRET) CERTIFICATE: $RESET"
@ -172,10 +172,13 @@ PrintCertInfo-fromGenericSecret () {
RENEWAL=$5
fi
ESCAPEDSTRING="${SECRETFILE/./\\.}"
JSONPATH="{.data.${ESCAPEDSTRING}}"
kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET &> /dev/null
if [ $? -eq 0 ]; then
SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o yaml | fgrep " $SECRETFILE:" | awk '{print $2}')
SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o jsonpath=$JSONPATH)
if ! IsACertificate $SECRET_VALUE; then
return
@ -188,7 +191,14 @@ PrintCertInfo-fromGenericSecret () {
elif [[ "ext-ca.crt" == $SECRETFILE ]]; then
TLS_SECRET_NAME="mon-elastic-services-extca-crt"
fi
TLS_SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $TLS_SECRET_NAME -o yaml 2> /dev/null | fgrep " tls.crt" | awk '{print $2}')
TLS_SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $TLS_SECRET_NAME -o jsonpath='{.data.tls\.crt}')
if [[ $TLS_SECRET_VALUE == $SECRET_VALUE && $CERT_MANAGER_SECRETS == *$TLS_SECRET_NAME* ]]; then
RENEWAL="${GREEN}$AUTO_LABEL${RESET}"
fi
fi
if [[ "OIDC CA" == $NAME ]]; then
TLS_SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o jsonpath='{.data.tls\.crt}')
if [[ $TLS_SECRET_VALUE == $SECRET_VALUE && $CERT_MANAGER_SECRETS == *$TLS_SECRET_NAME* ]]; then
RENEWAL="${GREEN}$AUTO_LABEL${RESET}"
fi
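Review bot: In the new "OIDC CA" branch, the cert-manager check `$CERT_MANAGER_SECRETS == *$TLS_SECRET_NAME*` relies on TLS_SECRET_NAME, which the visible lines assign only for the mon-elastic secrets; if it is empty or stale here, the pattern matches any value and the test reduces to tls.crt equalling the $SECRETFILE entry of the same secret. That can label a certificate nobody renews as "Automatic", so an operator relying on this output may miss an expiry. Since tls.crt is read from `$SECRET` in this branch, the membership test presumably should name that secret: `if [[ "$TLS_SECRET_VALUE" == "$SECRET_VALUE" && $CERT_MANAGER_SECRETS == *"$SECRET"* ]]; then`. The function starts and ends outside the hunk, so any earlier TLS_SECRET_NAME assignment and the format of CERT_MANAGER_SECRETS should be confirmed there.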