Fix OIDC CA cert info in the show-certs.sh output

The OIDC CA cert "issuer_root_ca_secret" renewal shows as "Manual"
instead of "Automatic" when the corresponding secret exists and is
managed by cert-manager. This fix addresses the issue.

Test Cases:
PASS: Apply oidc app and run show-certs script and verify all
      oidc cert info is properly displayed
PASS: Apply WRA app and run show-certs script and verify all
      oidc cert info is properly displayed
PASS: Run show-certs.sh script info on DC system and verify all
      the certs info is properly displayed
PASS: Run show-certs.sh with -k option and verify that all the
      certificate info is properly displayed
PASS: Deploy system-restapi-gui-certificate,system-registry-
      local-certificate,oidc-auth-apps-certificate and run
      show-certs.sh script and verify that all certificate values
      are showing fine the output

Closes-Bug: 2052327

Change-Id: Ieef047d5143fce522bf534d5d9ac663e9293e036
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
amantri 2024-02-02 15:03:15 -05:00
parent a272f7c247
commit 9d4a145517
1 changed files with 14 additions and 4 deletions


@ -44,7 +44,7 @@ source /etc/platform/platform.conf
source /etc/platform/openrc
# Gets the name of all secrets used by cert-manager certs
CERT_MANAGER_SECRETS=$(kubectl --kubeconfig /etc/kubernetes/admin.conf get cert -A -o yaml | grep secretName: | grep -v f: | awk '{ print $2 }')
CERT_MANAGER_SECRETS=$(kubectl --kubeconfig /etc/kubernetes/admin.conf get cert -A -o jsonpath='{range .items[*]}{.spec.secretName}{"\n"}{end}')
PrintCertInfo () {
@ -137,7 +137,7 @@ PrintCertInfo-fromTlsSecret () {
kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET &> /dev/null
if [ $? -eq 0 ]; then
kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o yaml | fgrep tls.crt | fgrep -v "f:tls.crt" | awk '{print $2}' | base64 --decode > $TMP_SECRET_SECRET_FILE
kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o jsonpath='{.data.tls\.crt}' | base64 --decode > $TMP_SECRET_SECRET_FILE
if [ -n "$NAME" ]; then
NAME="$NAME ($NAMESPACE/$SECRET) CERTIFICATE: $RESET"
@ -172,10 +172,13 @@ PrintCertInfo-fromGenericSecret () {
RENEWAL=$5
fi
ESCAPEDSTRING="${SECRETFILE/./\\.}"
JSONPATH="{.data.${ESCAPEDSTRING}}"
kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET &> /dev/null
if [ $? -eq 0 ]; then
SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o yaml | fgrep " $SECRETFILE:" | awk '{print $2}')
SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o jsonpath=$JSONPATH)
if ! IsACertificate $SECRET_VALUE; then
return
@ -188,12 +191,19 @@ PrintCertInfo-fromGenericSecret () {
elif [[ "ext-ca.crt" == $SECRETFILE ]]; then
TLS_SECRET_NAME="mon-elastic-services-extca-crt"
fi
TLS_SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $TLS_SECRET_NAME -o yaml 2> /dev/null | fgrep " tls.crt" | awk '{print $2}')
TLS_SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $TLS_SECRET_NAME -o jsonpath='{.data.tls\.crt}')
if [[ $TLS_SECRET_VALUE == $SECRET_VALUE && $CERT_MANAGER_SECRETS == *$TLS_SECRET_NAME* ]]; then
RENEWAL="${GREEN}$AUTO_LABEL${RESET}"
fi
fi
if [[ "OIDC CA" == $NAME ]]; then
TLS_SECRET_VALUE=$(kubectl --kubeconfig /etc/kubernetes/admin.conf -n $NAMESPACE get secret $SECRET -o jsonpath='{.data.tls\.crt}')
if [[ $TLS_SECRET_VALUE == $SECRET_VALUE && $CERT_MANAGER_SECRETS == *$SECRET* ]]; then
RENEWAL="${GREEN}$AUTO_LABEL${RESET}"
fi
fi
if [ ! -z "$NAME" ]; then
NAME=$(echo $NAME " / ")
fi
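Review bot: The new OIDC CA test `$CERT_MANAGER_SECRETS == *$SECRET*` is a substring match against names gathered with `get cert -A`, so it ignores the namespace and also matches when `$SECRET` is merely contained in a longer cert-manager secret name. If the value comparison also holds, a certificate that nothing renews can be reported with the automatic-renewal label, which is the field operators rely on to catch upcoming expiry. An exact whole-line match such as `grep -Fxq -- "$SECRET" <<< "$CERT_MANAGER_SECRETS"` is safer, and collecting `namespace/secretName` pairs would remove the cross-namespace ambiguity; the existing `*$TLS_SECRET_NAME*` test just above has the same shape. Separately, the rewritten `TLS_SECRET_VALUE` lookup for `$TLS_SECRET_NAME` appears to drop the old `2> /dev/null`, so a missing secret would now print a kubectl error into the report. PrintCertInfo-fromGenericSecret begins and ends outside the visible hunks.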