Diffstat (limited to 'test/security/check_certificates')
-rw-r--r--test/security/check_certificates/MANIFEST.in1
-rw-r--r--test/security/check_certificates/check_certificates/check_certificates_validity.py38
-rw-r--r--test/security/check_certificates/check_certificates/nodeports_xfail.txt2
-rw-r--r--test/security/check_certificates/check_certificates/templates/cert-internal.html.j2129
-rw-r--r--test/security/check_certificates/setup.cfg5
-rw-r--r--test/security/check_certificates/setup.py3
6 files changed, 166 insertions, 12 deletions
diff --git a/test/security/check_certificates/MANIFEST.in b/test/security/check_certificates/MANIFEST.in
new file mode 100644
index 000000000..02c7aaf32
--- /dev/null
+++ b/test/security/check_certificates/MANIFEST.in
@@ -0,0 +1 @@
+include check_certificates/templates/*.j2
diff --git a/test/security/check_certificates/check_certificates/check_certificates_validity.py b/test/security/check_certificates/check_certificates/check_certificates_validity.py
index a6fd9cd1b..5d19a7390 100644
--- a/test/security/check_certificates/check_certificates/check_certificates_validity.py
+++ b/test/security/check_certificates/check_certificates/check_certificates_validity.py
@@ -46,6 +46,10 @@ import OpenSSL
from datetime import datetime
from kubernetes import client, config
from jinja2 import Environment, FileSystemLoader, select_autoescape
+from socket import * # pylint: disable=W0614
+
+# Set SSL timeout
+setdefaulttimeout(10)
# Logger
LOG_LEVEL = 'INFO'
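Review bot: The wildcard `from socket import *` on the added line pulls every public name of `socket` into the module namespace (and needs a pylint waiver to do it) when only one function is used; `import socket` plus `socket.setdefaulttimeout(10)` keeps the dependency explicit. The comment `# Set SSL timeout` also understates the effect: `setdefaulttimeout` is a process-wide default applied to every socket created afterwards, so it governs the kubernetes client calls later in the file as well as the TLS probes. I would reword it to `# Process-wide default timeout for every new socket (TLS probes and k8s API calls alike)` so the next reader does not tune it thinking it only affects the certificate checks.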
@@ -56,6 +60,7 @@ CERT_MODES = ['nodeport', 'ingress', 'internal']
EXP_CRITERIA_MIN = 30
EXP_CRITERIA_MAX = 389
EXPECTED_CERT_STRING = "C=US;O=ONAP;OU=OSAAF;CN=intermediateCA_9"
+EXPECTED_STRIMZI_CA_CERT_STRING = "O=io.strimzi;CN=cluster-ca v0"
RESULT_PATH = "."
@@ -89,6 +94,10 @@ args = parser.parse_args()
onap_namespace = args.namespace
LOGGER.info("Verification of the %s certificates started", onap_namespace)
+# Create the target dir (in case it does not exist)
+if os.pardir not in args.dir:
+ os.makedirs(args.dir, exist_ok=True)
+
# Nodeport specific section
# Retrieve the kubernetes IP for mode nodeport
if args.mode == "nodeport":
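Review bot: The guard `if os.pardir not in args.dir:` is a substring test, and when it fails the script just skips `os.makedirs` and carries on, while the later `.dump('{}/certificates.html'.format(args.dir))` calls still write to that same path; so it neither rejects a `..` component nor prevents the write, it only turns it into a late failure or an unintended location. If the intent is to refuse parent-directory components, fail loudly at argument time and compare path components rather than characters: `if os.pardir in os.path.normpath(args.dir).split(os.sep):` / `    parser.error("target directory must not contain '..'")` / `os.makedirs(args.dir, exist_ok=True)`. That also stops a legitimate name such as `out..dir` from being silently refused.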
@@ -115,10 +124,13 @@ if args.mode == "nodeport":
# Kubernetes section
# retrieve the candidate ports first
-k8s_config = config.load_kube_config()
+if args.mode == "internal":
+ k8s_config = config.load_incluster_config()
+else:
+ k8s_config = config.load_kube_config()
core = client.CoreV1Api()
-api_instance = client.ExtensionsV1beta1Api(
+api_instance = client.NetworkingV1Api(
client.ApiClient(k8s_config))
k8s_services = core.list_namespaced_service(onap_namespace).items
k8s_ingress = api_instance.list_namespaced_ingress(onap_namespace).items
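Review bot: `load_incluster_config()` raises when the script is not running inside a pod, so `internal` mode now hard-fails when started from a workstation against the same cluster; as far as I recall both loaders return `None` and configure the client's default configuration as a side effect, so `k8s_config` only ever carries `None` into `client.ApiClient(k8s_config)`. If running `internal` mode out-of-cluster is meant to work, wrap the in-cluster attempt and fall back: `try: config.load_incluster_config()` / `except config.ConfigException: config.load_kube_config()`, and drop the misleading `k8s_config =` assignment or comment that it is always `None`. A short comment above the branch stating why `internal` implies in-cluster credentials would help either way.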
@@ -145,7 +157,7 @@ def get_certifificate_info(host, port):
issuer_info += (issuer_info_key.decode('utf-8') + "=" +
issuer_info_val.decode('utf-8') + ";")
cert_validity = False
- if issuer_info[:-1] == EXPECTED_CERT_STRING:
+ if issuer_info[:-1] in [EXPECTED_CERT_STRING, EXPECTED_STRIMZI_CA_CERT_STRING]:
cert_validity = True
return {'expiration_date': exp_date,
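Review bot: The "Root CA validity" result on the changed line is a string comparison of the issuer DN against two accepted values, not a chain verification against a trusted CA; any certificate whose issuer field spells one of those strings is reported valid. That limitation predates this commit but the accepted list is now growing, so `get_certifificate_info` should state it in its docstring (`validity` means "issuer DN matches one of the expected ONAP/Strimzi CA names", nothing stronger). As a style point, the accepted names belong in a module-level tuple next to the two constants, e.g. `EXPECTED_ISSUERS = (EXPECTED_CERT_STRING, EXPECTED_STRIMZI_CA_CERT_STRING)`, so the check reads `if issuer_info[:-1] in EXPECTED_ISSUERS:`. The function starts and ends outside this hunk.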
@@ -186,8 +198,15 @@ def test_services(k8s_services, mode):
if test_port in nodeports_xfail_list:
error_waiver = True
else: # internal mode
- test_url = service.spec.selector.app
test_port = port.port
+ test_url = ''
+ # in Internal mode there are 2 types
+ # app
+ # app.kubernetes.io/name
+ try:
+ test_url = service.spec.selector['app']
+ except KeyError:
+ test_url = service.spec.selector['app.kubernetes.io/name']
if test_port is not None:
LOGGER.info(
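Review bot: The `try`/`except KeyError` on the selector only covers the first key; a service that carries neither `app` nor `app.kubernetes.io/name` raises an unhandled `KeyError` from the fallback lookup, and a service with no selector at all (`spec.selector` is `None`, as for ExternalName services) raises `TypeError` instead, which the handler does not catch. The initial `test_url = ''` is also dead, since both branches overwrite it. A lookup that degrades cleanly is `selector = service.spec.selector or {}` / `test_url = selector.get('app') or selector.get('app.kubernetes.io/name')`, followed by skipping (with a log line) when `test_url` is `None` rather than attempting a connection. Separately, the context line still consults `nodeports_xfail_list` while this commit deletes `nodeports_xfail.txt`; where that list is loaded is outside the hunk, so I cannot tell whether it is now always empty. `test_services` continues outside this hunk.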
@@ -246,6 +265,8 @@ def test_services(k8s_services, mode):
{'pod_name': test_name,
'pod_port': test_port,
'error_details': str(e)})
+ except:
+ LOGGER.error("Unknown error")
# Create html summary
jinja_env = Environment(
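Review bot: The added bare `except:` catches everything including `KeyboardInterrupt` and `SystemExit`, and `LOGGER.error("Unknown error")` discards the exception and its traceback, so an unexpected failure on one service is invisible in the logs and, unlike the preceding handlers, is not appended to any error list that reaches the HTML report. Narrow it and keep the traceback: `except Exception:` / `LOGGER.exception("Unexpected error while checking %s:%s", test_name, test_port)` (the names are inferred from the context lines just above; confirm they are in scope). If these cases are meant to appear in the report, append them to one of the error lists as the other handlers do.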
@@ -259,6 +280,15 @@ def test_services(k8s_services, mode):
node_ports_type_error_list=node_ports_type_error_list,
node_ports_reset_error_list=node_ports_reset_error_list).dump(
'{}/certificates.html'.format(args.dir))
+ else:
+ jinja_env.get_template('cert-internal.html.j2').stream(
+ node_ports_list=node_ports_list,
+ node_ports_ssl_error_list=node_ports_ssl_error_list,
+ node_ports_connection_error_list=node_ports_connection_error_list,
+ node_ports_type_error_list=node_ports_type_error_list,
+ node_ports_reset_error_list=node_ports_reset_error_list).dump(
+ '{}/certificates.html'.format(args.dir))
+
return success_criteria
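Review bot: The new `else:` branch duplicates the entire `stream(...).dump(...)` call of the branch above with only the template name changed, so any future addition to the report context has to be made twice. Choosing the template name by mode and issuing one call keeps them from drifting, e.g. assign `template_name` in the `if`/`else` and then call `jinja_env.get_template(template_name).stream(...).dump(...)` once. The `if` this `else` belongs to starts outside the hunk, so I cannot confirm which modes fall into the new branch; a one-line comment naming them (`# internal mode report`) would make that explicit.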
diff --git a/test/security/check_certificates/check_certificates/nodeports_xfail.txt b/test/security/check_certificates/check_certificates/nodeports_xfail.txt
deleted file mode 100644
index 5c0801014..000000000
--- a/test/security/check_certificates/check_certificates/nodeports_xfail.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-# Expected failure list for certificates associated to nodeports
-666 # foo example nodeport
diff --git a/test/security/check_certificates/check_certificates/templates/cert-internal.html.j2 b/test/security/check_certificates/check_certificates/templates/cert-internal.html.j2
new file mode 100644
index 000000000..f9049807a
--- /dev/null
+++ b/test/security/check_certificates/check_certificates/templates/cert-internal.html.j2
@@ -0,0 +1,129 @@
+{% extends "base.html.j2" %}
+{% block title %}ONAP Certificates expiration page{% endblock %}
+
+{% block content %}
+<h1 class="title is-1">ONAP Certificates</h1>
+<section class="section">
+ <div class="container">
+ <h3 class="subtitle">Cluster Internal Ports</h3>
+
+<table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Expected Expiration Date</th>
+ <th>Remaining Days</th>
+ <th>Root CA</th>
+ <th>Root CA Validity</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_list %}
+ <tr {% if cert.remaining_days < 0 %} class="has-background-danger" {%elif cert.remaining_days < 30 %} class="has-background-warning" {%elif cert.remaining_days < 60 %} class="has-background-warning-light " {%elif cert.remaining_days > 389 %} class="has-background-warning-light" {%elif cert.remaining_days == 364 and cert.validity %} class="has-background-success-light" {% endif %}>
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.expiration_date }}</td>
+ <td>{{ cert.remaining_days }}</td>
+ <td>{{ cert.issuer }}</td>
+ <td>{% if cert.validity %}
+ <span class="icon is-large has-text-success">
+ <i class="fas fa-check-square"></i>
+ </span>
+ {% else %}
+ <span class="icon is-large has-text-danger">
+ <i class="fas fa-ban"></i>
+ </span>
+ {% endif %}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+ </table>
+
+ {% if node_ports_ssl_error_list|length > 0 %}
+ <h3 class="subtitle">Cluster Internal Port SSL errors</h3>
+ <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Error Details</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_ssl_error_list %}
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.error_details }}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+ </table>
+{% endif %}
+
+{% if node_ports_connection_error_list|length > 0 %}
+ <h3 class="subtitle">Cluster Internal Ports Connection errors</h3>
+ <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Error Details</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_connection_error_list %}
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.error_details }}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+ </table>
+{% endif %}
+
+{% if node_ports_list_type_error_list|length > 0 %}
+ <h3 class="subtitle">Cluster Internal Ports ports Type Error</h3>
+ <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Error Details</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_list_type_error_list %}
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.error_details }}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+ </table>
+{% endif %}
+
+{% if node_ports_reset_error_list|length > 0 %}
+ <h3 class="subtitle">Cluster Internal Ports Connections Error</h3>
+ <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Error Details</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_reset_error_list %}
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.error_details }}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+</table>
+{% endif %}
+
+{% endblock %}
+</div>
+</section>
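Review bot: The type-error table tests and iterates `node_ports_list_type_error_list`, but the Python side passes `node_ports_type_error_list` (see the `cert-internal` dump call in `check_certificates_validity.py`); Jinja's undefined value has length 0, so that table is silently never rendered; rename the two occurrences to `node_ports_type_error_list`. The four error-list loops open each row with `<td>` and close it with `</tr>` without a `<tr>` start tag, so the rows are malformed, and `{% endblock %}` sits before the closing `</div>` and `</section>`, which therefore fall outside the content block and are dropped from the rendered page; move `{% endblock %}` after `</section>`. Since `error_details` carries exception text produced while talking to remote endpoints, the `Environment` that renders this file should have autoescaping enabled for `.j2` templates (`select_autoescape` is imported; its configuration is outside this diff), otherwise the report becomes an HTML injection sink.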
diff --git a/test/security/check_certificates/setup.cfg b/test/security/check_certificates/setup.cfg
index 37be07c9d..72966f837 100644
--- a/test/security/check_certificates/setup.cfg
+++ b/test/security/check_certificates/setup.cfg
@@ -1,8 +1,3 @@
[metadata]
name = check_certificates
version = 0.1
-
-[files]
-packages = check_certificates
-scripts =
- check_certificates/nodeports_xfail.txt
diff --git a/test/security/check_certificates/setup.py b/test/security/check_certificates/setup.py
index 9a370e270..f5154f282 100644
--- a/test/security/check_certificates/setup.py
+++ b/test/security/check_certificates/setup.py
@@ -1,4 +1,5 @@
import setuptools
setuptools.setup(
setup_requires=['pbr', 'setuptools'],
- pbr=True)
+ pbr=True,
+ include_package_data=True)