config/sysinv/sysinv/sysinv
amantri cca5becb65 Implement new certificate APIs
Add an API /v1/certificate/get_all_certs to retrieve all the
platform certs (oidc, wra, adminep, etcd,
service account certs, system-restapi-gui-certificate,
open-ldap, openstack, system-registry-local-certificate,
k8s certs) in JSON response and use this response to format
the "system certificate-list" output as "show-certs.sh" output.

Add an API /v1/certificate/get_all_k8s_certs to retrieve all the
tls, opaque certs in JSON response and use this response to
format the "system k8s-certificate-list" output as
"show-certs.sh -k" output.

Implement "system certificate-show <cert name>",
"system k8s-certificate-show <cert name>" to show the full
details of the certificate.

Implement filters in API and CLI to show the expired and expiring
certificates.

Testcases:
PASS: Verify all the cert values (Residual Time, Issue Date, Expiry Date,
      Issuer, Subject, filename, Renewal) are showing fine for all the
      following cert paths when "system certificate-list" is executed
          /etc/kubernetes/pki/apiserver-etcd-client.crt
          /etc/kubernetes/pki/apiserver-kubelet-client.crt
          /etc/pki/ca-trust/source/anchors/dc-adminep-root-ca.crt
          /etc/ssl/private/admin-ep-cert.pem
          /etc/etcd/etcd-client.crt
          /etc/etcd/etcd-server.crt
          /etc/kubernetes/pki/front-proxy-ca.crt
          /etc/kubernetes/pki/front-proxy-client.crt
          /var/lib/kubelet/pki/kubelet-client-current.pem
          /etc/kubernetes/pki/ca.crt
          /etc/ldap/certs/openldap-cert.crt
          /etc/ssl/private/registry-cert.crt
          /etc/ssl/private/server-cert.pem
PASS: Verify all the cert values (Residual Time, Issue Date, Expiry Date,
      Issuer, Subject, filename, Renewal) are showing fine for all the
      service accts when "system certificate-list" is executed
          /etc/kubernetes/scheduler.conf
          /etc/kubernetes/admin.conf
          /etc/kubernetes/controller-manager.conf
PASS: Verify the system-local-ca secret is shown in the output of
      "system certificate-list"
PASS: List ns,secret name in the output of ssl,docker certs if the
      system-restapi-gui-certificate, system-registry-local-certificate
      exist on the system when "system certificate-list" executed
PASS: Apply oidc app verify that in "system certificate-list" output
      "oidc-auth-apps-certificate", oidc ca issuer and wad cert are
      shown with all proper values
PASS: Deploy WRA app verify that "mon-elastic-services-ca-crt",
      "mon-elastic-services-extca-crt" secrets are showing in the
      "system certificate-list" output and also kibana,
      elastic-services cert from mon-elastic-services-secrets secret
PASS: Verify all the cert values (Residual Time, Issue Date, Expiry Date,
      Issuer, Subject, filename, Renewal) are showing fine for all the
      Opaque, tls type secrets when "system k8s-certificate-list" is
      executed
PASS: Execute "system certificate-show <cert name>" for each
      cert in the "system certificate-list" output and
      check all details of it
PASS: Execute "system certificate-list --expired" shows the
      certificates which are expired
PASS: Execute "system certificate-list --soon_to_expiry <N>"
      shows the expiring certificates within the specified
      N days
PASS: Execute "system k8s-certificate-list --expired" shows the
      certificates which are expired
PASS: Execute "system k8s-certificate-list --soon_to_expiry <N>"
      shows the expiring certificates within the specified
      N days
PASS: On DC system verify that admin endpoint certificates are
      shown with all values when "system certificate-list" is
      executed
PASS: Verify the following APIs
          /v1/certificate/get_all_certs
          /v1/certificate/get_all_k8s_certs
          /v1/certificate/get_all_certs?soon_to_expiry=<no of days>
          /v1/certificate/get_all_k8s_certs?soon_to_expiry=<no of days>
          /v1/certificate/get_all_certs?expired=True
          /v1/certificate/get_all_k8s_certs?expired=True

Story: 2010848
Task: 48730
Task: 48785
Task: 48786

Change-Id: Ia281fe1610348596ccc1e3fad7816fe577c836d1
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
2024-04-17 14:18:21 -04:00
.eggs
contrib
doc/source Change openstack-dev to openstack-discuss 2018-12-04 23:37:31 -05:00
etc/sysinv Fix misleading app status after failed override update 2024-02-16 17:51:14 +00:00
scripts Fix IPsec certificates renewal script 2024-04-11 10:43:51 -03:00
sysinv Implement new certificate APIs 2024-04-17 14:18:21 -04:00
tools Deprecate sysinv.openstack.common.db in favor of oslo_db 2020-02-07 11:55:49 -06:00
.coveragerc
.gitignore Update sysinv to not invoke ceph during unit testing 2018-10-02 13:19:43 -05:00
.stestr.conf Cleanup sysinv tox py27 warnings 2019-05-31 08:35:50 -05:00
CONTRIBUTING.rst Update CONTRIBUTING.rst and add HACKING.rst 2019-09-27 09:00:29 -05:00
HACKING.rst Update CONTRIBUTING.rst and add HACKING.rst 2019-09-27 09:00:29 -05:00
LICENSE
MANIFEST.in Deprecate old policy engine and restrict access 2022-08-10 11:18:38 -03:00
README.rst
babel.cfg
openstack-common.conf Remove sysinv.openstack.common.loopingcall 2021-08-13 16:30:11 +00:00
pylint.rc Enable sysinv no-value-for-parameter check in pylint 2023-05-31 19:43:19 +00:00
requirements.txt Use FQDN for MGMT network 2023-10-31 20:45:40 -04:00
setup.cfg Initial implementation of IPsec Auth Client 2024-02-01 15:53:41 -03:00
setup.py Add a zuul job for sysinv tox unittest 2018-08-13 16:34:06 +08:00
test-requirements.txt Update sysinv tox for python3.9 2023-02-07 15:18:42 +00:00
tox.ini Update network interface puppet resource gen to support dual-stack 2024-04-16 16:23:15 -03:00
upper-constraints.txt Update tox.ini files to use stein constraints 2019-06-25 14:45:54 -04:00

README.rst

Placeholder to allow setup.py to work. Removing this requires modifying the setup.py manifest.