Fail fast improvement to show-certs

When k8s certificates are expired, this script can take more than 1
minute to return. During debugging, I noticed that the most time
consuming step is PrintCertInfo-for-OIDC-Certificates, which queries
for kubernetes secret many times. PrintCertInfo-fromGenericSecret,
below it, also makes a few calls with kubectl.

This commit adds a variable to capture the return of 'kubeadm certs
check-expiration' command and then only calls
PrintCertInfo-for-OIDC-Certificates if the RC is successful.

This reduces the overall execution time from about 1 minute to around
10 seconds.

Test Plan:
PASS: Run show-certs in c0 and c1 and verify it finishes successfully
      and the output before and after this change is the same
PASS: Cause k8s certificates to expire. Run show-certs in c0 and c1 and
      verify it finishes successfully in less than 10s. Verify that the
      output before and after this change is the same.

Story: 2010815
Task: 49485
Change-Id: I9f3eaec3a543fdea278e04c2f1895685bc333505
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Rei Oliveira 2024-01-31 17:59:07 -03:00 committed by Reinildes Oliveira
parent 6d975b79a1
commit f617cc5d8f

@ -1,6 +1,6 @@
#!/bin/bash
#
# Copyright (c) 2021-2023 Wind River Systems, Inc.
# Copyright (c) 2021-2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -398,13 +398,26 @@ PrintCertInfo-fromFile "DC-AdminEp-Server" "/etc/ssl/private/admin-ep-cert.pem"
PrintCertInfo-fromFile "openstack" "/etc/ssl/private/openstack/cert.pem" "${RED}Manual${RESET}"
PrintCertInfo-fromFile "openstack CA" "/etc/ssl/private/openstack/ca-cert.pem" "${RED}Manual${RESET}"
# OIDC
PrintCertInfo-for-OIDC-Certificates
# works with stable and experimental certs subcommand
kubeadm certs -h &> /dev/null
if [ $? -eq 0 ]; then
CERTS_CMD='certs'
else
CERTS_CMD='alpha certs'
fi
# analytics certificates
PrintCertInfo-fromGenericSecret "Internal Analytics CA Certificate" "monitor" "mon-elastic-services-secrets" "ca.crt"
PrintCertInfo-fromGenericSecret "External Analytics CA Certificate" "monitor" "mon-elastic-services-secrets" "ext-ca.crt"
PrintCertInfo-fromGenericSecret "External Kibana Certificate" "monitor" "mon-elastic-services-secrets" "kibana.crt"
K8S_CERTS_OUTPUT=$(kubeadm $CERTS_CMD check-expiration 2> /dev/null)
K8S_CERTS_RC=$?
if [ $K8S_CERTS_RC -eq 0 ]; then
# OIDC
PrintCertInfo-for-OIDC-Certificates
# analytics certificates
PrintCertInfo-fromGenericSecret "Internal Analytics CA Certificate" "monitor" "mon-elastic-services-secrets" "ca.crt"
PrintCertInfo-fromGenericSecret "External Analytics CA Certificate" "monitor" "mon-elastic-services-secrets" "ext-ca.crt"
PrintCertInfo-fromGenericSecret "External Kibana Certificate" "monitor" "mon-elastic-services-secrets" "kibana.crt"
fi
# Kubernetes Certificates
echo
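Review bot: When K8S_CERTS_RC is non-zero, the OIDC and analytics sections are skipped with no output at all, so someone reading the report cannot tell "skipped because kubeadm failed" from "these certificates do not exist". Add an else branch that prints a one-line notice naming the skipped sections and the return code. Because `2> /dev/null` on the capture line discards the reason for the failure, a comment above `if [ $K8S_CERTS_RC -eq 0 ]; then` explaining why the kubeadm return code gates the kubectl-based lookups would also help the next maintainer. Minor style point: `if kubeadm certs -h &> /dev/null; then` avoids the separate `$?` test.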
@ -414,13 +427,7 @@ echo "Note: 'CERTIFICATES' are Renewal: ${GREEN}Automatic${RESET}"
echo "Note: 'CERTIFICATE AUTHORITIES' are Renewal: ${RED}Manual${RESET}"
echo
# works with stable and experimenal certs subcommand
kubeadm certs -h &> /dev/null
if [ $? -eq 0 ]; then
kubeadm certs check-expiration
else
kubeadm alpha certs check-expiration
fi
echo "$K8S_CERTS_OUTPUT"
# ETCD certificates
# ETCD certificates are automatically renewed by kube_root_ca_rotation cron job
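Review bot: `echo "$K8S_CERTS_OUTPUT"` prints only the captured stdout, and the capture was made with `2> /dev/null`, so when kubeadm fails this section is now a blank line, whereas the removed direct call to `kubeadm certs check-expiration` left stderr attached to the terminal. That is a visible change in the failure case, which matters for a tool whose job is to report certificate state. Either capture stderr as well, or test K8S_CERTS_RC here and print an explicit message that check-expiration failed instead of echoing an empty variable.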