From 95e774f3107b57448862ed681ad01a0e7a713cb9 Mon Sep 17 00:00:00 2001
From: amantri <ayyappa.mantri@windriver.com>
Date: Wed, 2 Aug 2023 16:00:09 -0400
Subject: [PATCH] Fix the output of show-certs script to correlate with the
 alarms

The certificate names in the output of "show-certs.sh" are not
correlated with the corresponding certificate expiry/expired
alarms, this fix addresses this issue.

Test Cases:
PASS: Run the "show-certs.sh" on systemcontroller and verify the
      namespace,cert names in the output for admin-ep certs
PASS: Run the "show-certs.sh" on subcloud and verify the
      namespace,cert names in the output for admin-ep certs
PASS: Run the "show-certs.sh" on standalone and verify it works
      as expected
PASS: Run the "show-certs.sh" and verify that "registry.local"
      changed to "docker_registry" to corelate with the alarm
PASS: Run "show-certs.sh" script without -k and verify the
      filename is shown for ldap,ssl and docker-registry certs
PASS: Run "show-certs.sh" with -k and verify namespace/secret
      name is shown in the output
PASS: Run "show-cert.sh -k" and verify in the output that for
      "cm-cert-manager-webhook-ca" secret the renewal shows as
      "Auto renewal"

Closes-bug: 2029412

Change-Id: Icf08493f19bf529101488a8b5fa4278ed9b325fc
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
---
 utilities/platform-util/scripts/show-certs.sh | 55 +++++++++++++++----
 1 file changed, 44 insertions(+), 11 deletions(-)

diff --git a/utilities/platform-util/scripts/show-certs.sh b/utilities/platform-util/scripts/show-certs.sh
index 9081cca9..e04b523a 100755
--- a/utilities/platform-util/scripts/show-certs.sh
+++ b/utilities/platform-util/scripts/show-certs.sh
@@ -83,6 +83,25 @@ PrintCertInfo-fromFile () {
     FILE=$2
     RENEWAL=$3
     FILENAME=$4
+    DC_ROLE=$(cat /etc/platform/platform.conf | grep 'distributed_cloud_role' | awk -F= '{print $2'})
+
+    if [ -n "$DC_ROLE" ]; then
+        CERT_TYPE=""
+        if [ "$DC_ROLE" == "systemcontroller" ]; then
+            CERT_TYPE="dc-cert/dc"
+        elif [ "$DC_ROLE" == "subcloud" ]; then
+            CERT_TYPE="sc-cert/sc"
+        fi
+
+        if [ "$NAME" == "DC-AdminEp-RootCA" ]; then
+            NAME="$NAME ($CERT_TYPE-adminep-root-ca-certificate)"
+        elif [ "$NAME" == "DC-AdminEp-InterCA" ]; then
+            NAME="$NAME ($CERT_TYPE-adminep-inter-ca-certificate)"
+        elif [ "$NAME" == "DC-AdminEp-Server" ]; then
+            NAME="$NAME ($CERT_TYPE-adminep-certificate)"
+        fi
+    fi
+
     if [ ! -f "$FILE" ]; then
         return
     fi
@@ -120,12 +139,14 @@ PrintCertInfo-fromTlsSecret () {
 
         kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o yaml | fgrep tls.crt | fgrep -v "f:tls.crt" | awk '{print $2}' | base64 --decode > $TMP_SECRET_SECRET_FILE
 
-        if [ ! -z "$NAME" ]; then
-            NAME=$(echo $NAME " / ")
+        if [ -n "$NAME" ]; then
+            NAME="$NAME ($NAMESPACE/$SECRET) CERTIFICATE: $RESET"
+        else
+            NAME="$NAMESPACE/$SECRET CERTIFICATE: $RESET"
         fi
 
         echo
-        echo "$BOLD" $NAME $NAMESPACE " / " $SECRET " CERTIFICATE:" "$RESET"
+        echo "$BOLD" $NAME
         echo "$BOLD" "------------------------------------------" "$RESET"
 
         echo -e '\t' "Renewal    \t: " $RENEWAL
@@ -145,7 +166,11 @@ PrintCertInfo-fromGenericSecret () {
     NAMESPACE=$2
     SECRET=$3
     SECRETFILE=$4
-    RENEWAL="${RED}Manual${RESET}"
+    if [[ -z $5 ]]; then
+        RENEWAL="${RED}Manual${RESET}"
+    else
+        RENEWAL=$5
+    fi
 
     kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET &> /dev/null
     if [ $? -eq 0 ]; then
@@ -175,7 +200,7 @@ PrintCertInfo-fromGenericSecret () {
         echo "$SECRET_VALUE" | base64 --decode > $TMP_GEN_SECRET_FILE
 
         echo
-        echo "$BOLD" $NAME $NAMESPACE " / " $SECRET " / " $SECRETFILE " CERTIFICATE:" "$RESET"
+        echo "$BOLD" $NAME $NAMESPACE"/"$SECRET"/"$SECRETFILE " CERTIFICATE:" "$RESET"
         echo "$BOLD" "------------------------------------------" "$RESET"
 
         echo -e '\t' "Renewal    \t: " "${RENEWAL}"
@@ -199,10 +224,14 @@ PrintCertInfo-from-TlsSecret-or-File () {
 
     kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET &> /dev/null
     if [ $? -eq 0 ]; then
-        PrintCertInfo-fromTlsSecret "$NAME" "$NAMESPACE" "$SECRET"
-    else
-        PrintCertInfo-fromFile "$NAME" "$FILE" "${RED}Manual${RESET}"
+        NAME="$NAME ($NAMESPACE/$SECRET)"
     fi
+    if [[ $CERT_MANAGER_SECRETS == *$SECRET* ]]; then
+        RENEWAL="${GREEN}$AUTO_LABEL${RESET}"
+    else
+        RENEWAL="${RED}Manual${RESET}"
+    fi
+    PrintCertInfo-fromFile "$NAME" "$FILE" "${RENEWAL}"
 }
 
 
@@ -316,7 +345,11 @@ if [ "$KUBERNETES_SECRETS_MODE" = "YES" ]; then
         echo "$MATCHES" > $TMP_GEN_SECRETS_FILE
         while read line; do
             KEY_FOUND=$(echo $line | cut -d':' -f1)
-            PrintCertInfo-fromGenericSecret "" $NAMESPACE $SECRET $KEY_FOUND
+            if [[ "cm-cert-manager-webhook-ca" == $SECRET ]]; then
+                PrintCertInfo-fromGenericSecret "" $NAMESPACE $SECRET $KEY_FOUND "${GREEN}$AUTO_LABEL${RESET}"
+            else
+                PrintCertInfo-fromGenericSecret "" $NAMESPACE $SECRET $KEY_FOUND
+            fi
         done < $TMP_GEN_SECRETS_FILE
 
     done
@@ -337,10 +370,10 @@ fi
 PrintCertInfo-from-TlsSecret-or-File "ssl (restapi/gui)" "deployment" "system-restapi-gui-certificate" "/etc/ssl/private/server-cert.pem"
 
 # Local Registry Certificate
-PrintCertInfo-from-TlsSecret-or-File "registry.local" "deployment" "system-registry-local-certificate" "/etc/ssl/private/registry-cert.crt"
+PrintCertInfo-from-TlsSecret-or-File "docker_registry" "deployment" "system-registry-local-certificate" "/etc/ssl/private/registry-cert.crt"
 
 # Local Openldap Certificate
-PrintCertInfo-from-TlsSecret-or-File "local-openldap" "deployment" "system-openldap-local-certificate" "/etc/openldap/certs/openldap-cert.crt"
+PrintCertInfo-from-TlsSecret-or-File "local-openldap" "deployment" "system-openldap-local-certificate" "/etc/ldap/certs/openldap-cert.crt"
 
 # Trusted CA Certifiates