From 95e774f3107b57448862ed681ad01a0e7a713cb9 Mon Sep 17 00:00:00 2001
From: amantri <ayyappa.mantri@windriver.com>
Date: Wed, 2 Aug 2023 16:00:09 -0400
Subject: [PATCH] Fix the output of show-certs script to correlate with the alarms

The certificate names in the output of "show-certs.sh" are not correlated with the corresponding certificate expiry/expired alarms, this fix addresses this issue.

Test Cases:
PASS: Run the "show-certs.sh" on systemcontroller and verify the namespace,cert names in the output for admin-ep certs
PASS: Run the "show-certs.sh" on subcloud and verify the namespace,cert names in the output for admin-ep certs
PASS: Run the "show-certs.sh" on standalone and verify it works as expected
PASS: Run the "show-certs.sh" and verify that "registry.local" changed to "docker_registry" to corelate with the alarm
PASS: Run "show-certs.sh" script without -k and verify the filename is shown for ldap,ssl and docker-registry certs
PASS: Run "show-certs.sh" with -k and verify namespace/secret name is shown in the output
PASS: Run "show-cert.sh -k" and verify in the output that for "cm-cert-manager-webhook-ca" secret the renewal shows as "Auto renewal"

Closes-bug: 2029412
Change-Id: Icf08493f19bf529101488a8b5fa4278ed9b325fc
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
---
 utilities/platform-util/scripts/show-certs.sh | 55 +++++++++++++++----
 1 file changed, 44 insertions(+), 11 deletions(-)

diff --git a/utilities/platform-util/scripts/show-certs.sh b/utilities/platform-util/scripts/show-certs.sh
index 9081cca9..e04b523a 100755
--- a/utilities/platform-util/scripts/show-certs.sh
+++ b/utilities/platform-util/scripts/show-certs.sh
@@ -83,6 +83,25 @@ PrintCertInfo-fromFile () {
     FILE=$2
     RENEWAL=$3
     FILENAME=$4
+    DC_ROLE=$(cat /etc/platform/platform.conf | grep 'distributed_cloud_role' | awk -F= '{print $2'})
+
+    if [ -n "$DC_ROLE" ]; then
+        CERT_TYPE=""
+        if [ "$DC_ROLE" == "systemcontroller" ]; then
+            CERT_TYPE="dc-cert/dc"
+        elif [ "$DC_ROLE" == "subcloud" ]; then
+            CERT_TYPE="sc-cert/sc"
+        fi
+
+        if [ "$NAME" == "DC-AdminEp-RootCA" ]; then
+            NAME="$NAME ($CERT_TYPE-adminep-root-ca-certificate)"
+        elif [ "$NAME" == "DC-AdminEp-InterCA" ]; then
+            NAME="$NAME ($CERT_TYPE-adminep-inter-ca-certificate)"
+        elif [ "$NAME" == "DC-AdminEp-Server" ]; then
+            NAME="$NAME ($CERT_TYPE-adminep-certificate)"
+        fi
+    fi
+
     if [ ! -f "$FILE" ]; then
         return
     fi
@@ -120,12 +139,14 @@ PrintCertInfo-fromTlsSecret () {
 
     kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o yaml | fgrep tls.crt | fgrep -v "f:tls.crt" | awk '{print $2}' | base64 --decode > $TMP_SECRET_SECRET_FILE
 
-    if [ ! -z "$NAME" ]; then
-        NAME=$(echo $NAME " / ")
+    if [ -n "$NAME" ]; then
+        NAME="$NAME ($NAMESPACE/$SECRET) CERTIFICATE: $RESET"
+    else
+        NAME="$NAMESPACE/$SECRET CERTIFICATE: $RESET"
     fi
 
     echo
-    echo "$BOLD" $NAME $NAMESPACE " / " $SECRET " CERTIFICATE:" "$RESET"
+    echo "$BOLD" $NAME
     echo "$BOLD" "------------------------------------------" "$RESET"
     echo -e '\t' "Renewal \t: " $RENEWAL
 
@@ -145,7 +166,11 @@ PrintCertInfo-fromGenericSecret () {
     NAMESPACE=$2
     SECRET=$3
     SECRETFILE=$4
-    RENEWAL="${RED}Manual${RESET}"
+    if [[ -z $5 ]]; then
+        RENEWAL="${RED}Manual${RESET}"
+    else
+        RENEWAL=$5
+    fi
 
     kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET &> /dev/null
     if [ $? -eq 0 ]; then
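Review bot: The DC_ROLE lookup added at the top of PrintCertInfo-fromFile (whose body begins before this hunk) has a misplaced quote in `awk -F= '{print $2'}` — it only works because the shell glues the unquoted `}` onto the single-quoted word — and the `cat | grep | awk` pipeline re-reads /etc/platform/platform.conf on every certificate printed. `DC_ROLE=$(awk -F= '/^distributed_cloud_role=/ {print $2}' /etc/platform/platform.conf)` does the same in one process, and presumably belongs in the script's top-level setup so it runs once rather than per call. A role value other than systemcontroller or subcloud leaves CERT_TYPE empty and would print a label like `DC-AdminEp-RootCA (-adminep-root-ca-certificate)`, so the NAME rewriting should be guarded by `if [ -n "$CERT_TYPE" ]; then` rather than by the role being set at all. A one-line comment, `# Append the cert-manager certificate name so the label matches the expiry alarm`, would explain why the three admin-endpoint names are special-cased.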
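Review bot: `echo "$BOLD" $NAME` in PrintCertInfo-fromTlsSecret now prints a NAME that carries parentheses, a `CERTIFICATE:` suffix and the `$RESET` escape, but the expansion is still unquoted and subject to word-splitting and globbing; write `echo "$BOLD" "$NAME"`. The same unquoted `$NAME` is printed in the PrintCertInfo-fromGenericSecret hunk further down, where `$NAMESPACE"/"$SECRET"/"$SECRETFILE` is also clearer as `"$NAMESPACE/$SECRET/$SECRETFILE"`. Folding the colour reset and the `CERTIFICATE:` suffix into NAME turns the variable into a display string rather than a certificate name; building the label in the echo line instead, e.g. `echo "$BOLD" "$NAME ($NAMESPACE/$SECRET) CERTIFICATE:" "$RESET"`, keeps NAME meaningful for the rest of the function, which continues past this hunk.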
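Review bot: The new `if [[ -z $5 ]] ... else RENEWAL=$5 fi` in PrintCertInfo-fromGenericSecret is a four-line spelling of a default value; `RENEWAL=${5:-${RED}Manual${RESET}}` says the same in one line and avoids mixing `[[ ]]` with the `[ ]` tests used elsewhere in the function. The optional fifth argument is otherwise undocumented, so a comment such as `# $5 (optional): renewal label to display; defaults to Manual` next to the other positional assignments would help callers.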
@@ -175,7 +200,7 @@ PrintCertInfo-fromGenericSecret () {
         echo "$SECRET_VALUE" | base64 --decode > $TMP_GEN_SECRET_FILE
 
         echo
-        echo "$BOLD" $NAME $NAMESPACE " / " $SECRET " / " $SECRETFILE " CERTIFICATE:" "$RESET"
+        echo "$BOLD" $NAME $NAMESPACE"/"$SECRET"/"$SECRETFILE " CERTIFICATE:" "$RESET"
         echo "$BOLD" "------------------------------------------" "$RESET"
         echo -e '\t' "Renewal \t: " "${RENEWAL}"
 
@@ -199,10 +224,14 @@ PrintCertInfo-from-TlsSecret-or-File () {
 
     kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET &> /dev/null
     if [ $? -eq 0 ]; then
-        PrintCertInfo-fromTlsSecret "$NAME" "$NAMESPACE" "$SECRET"
-    else
-        PrintCertInfo-fromFile "$NAME" "$FILE" "${RED}Manual${RESET}"
+        NAME="$NAME ($NAMESPACE/$SECRET)"
     fi
+    if [[ $CERT_MANAGER_SECRETS == *$SECRET* ]]; then
+        RENEWAL="${GREEN}$AUTO_LABEL${RESET}"
+    else
+        RENEWAL="${RED}Manual${RESET}"
+    fi
+    PrintCertInfo-fromFile "$NAME" "$FILE" "${RENEWAL}"
 }
 
 
@@ -316,7 +345,11 @@ if [ "$KUBERNETES_SECRETS_MODE" = "YES" ]; then
             echo "$MATCHES" > $TMP_GEN_SECRETS_FILE
             while read line; do
                 KEY_FOUND=$(echo $line | cut -d':' -f1)
-                PrintCertInfo-fromGenericSecret "" $NAMESPACE $SECRET $KEY_FOUND
+                if [[ "cm-cert-manager-webhook-ca" == $SECRET ]]; then
+                    PrintCertInfo-fromGenericSecret "" $NAMESPACE $SECRET $KEY_FOUND "${GREEN}$AUTO_LABEL${RESET}"
+                else
+                    PrintCertInfo-fromGenericSecret "" $NAMESPACE $SECRET $KEY_FOUND
+                fi
             done < $TMP_GEN_SECRETS_FILE
         done
 
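Review bot: PrintCertInfo-from-TlsSecret-or-File no longer reads the certificate from the Kubernetes secret when the secret exists; it only appends `($NAMESPACE/$SECRET)` to the label and then always calls PrintCertInfo-fromFile, which returns silently when `$FILE` is absent (see the first hunk). If the on-disk copy is missing or lags behind what cert-manager holds in the secret, the cert is either not shown at all or shown stale with no indication, so either keep the secret-backed path as a fallback for `[ ! -f "$FILE" ]` or print a warning to stderr in that case. `[[ $CERT_MANAGER_SECRETS == *$SECRET* ]]` is a substring match, so a secret whose name is contained in another cert-manager secret's name would be reported as auto-renewed; if CERT_MANAGER_SECRETS is a whitespace-separated list (it is defined outside this hunk, so I cannot confirm the format), `[[ " $CERT_MANAGER_SECRETS " == *" $SECRET "* ]]` matches whole names only. NAME and RENEWAL are assigned as globals, consistent with the rest of the script but worth a comment since the caller's NAME is modified.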
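Review bot: `[[ "cm-cert-manager-webhook-ca" == $SECRET ]]` puts the variable on the pattern side of `==`, where an unquoted `$SECRET` is read as a glob; the conventional and safer form is `[[ "$SECRET" == "cm-cert-manager-webhook-ca" ]]`. The special case also duplicates the PrintCertInfo-fromGenericSecret call; computing the label first, `RENEWAL_LABEL=""; [[ "$SECRET" == "cm-cert-manager-webhook-ca" ]] && RENEWAL_LABEL="${GREEN}$AUTO_LABEL${RESET}"`, and passing `"$RENEWAL_LABEL"` as the fifth argument keeps a single call site, since that function already falls back to Manual on an empty fifth argument. A comment stating why this one secret is shown as auto-renewed (the commit message only records the expected output) would help the next reader; the enclosing while and for loops start before this hunk.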
@@ -337,10 +370,10 @@ fi
 PrintCertInfo-from-TlsSecret-or-File "ssl (restapi/gui)" "deployment" "system-restapi-gui-certificate" "/etc/ssl/private/server-cert.pem"
 
 # Local Registry Certificate
-PrintCertInfo-from-TlsSecret-or-File "registry.local" "deployment" "system-registry-local-certificate" "/etc/ssl/private/registry-cert.crt"
+PrintCertInfo-from-TlsSecret-or-File "docker_registry" "deployment" "system-registry-local-certificate" "/etc/ssl/private/registry-cert.crt"
 
 # Local Openldap Certificate
-PrintCertInfo-from-TlsSecret-or-File "local-openldap" "deployment" "system-openldap-local-certificate" "/etc/openldap/certs/openldap-cert.crt"
+PrintCertInfo-from-TlsSecret-or-File "local-openldap" "deployment" "system-openldap-local-certificate" "/etc/ldap/certs/openldap-cert.crt"
 
 # Trusted CA Certifiates
 
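Review bot: The openldap certificate path changes from `/etc/openldap/certs/openldap-cert.crt` to `/etc/ldap/certs/openldap-cert.crt`, but neither the commit message nor a comment explains it; the message only describes the `registry.local` to `docker_registry` label rename. Since PrintCertInfo-from-TlsSecret-or-File now always reads from this file, a wrong path means the ldap certificate silently disappears from the output. If the path moved with the host OS layout, a comment such as `# Local Openldap Certificate (stored under /etc/ldap on this platform)` would record why — the reason is not visible from this diff.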