Diffstat (limited to 'test/security/check_certificates')
6 files changed, 166 insertions, 12 deletions
diff --git a/test/security/check_certificates/MANIFEST.in b/test/security/check_certificates/MANIFEST.in new file mode 100644 index 000000000..02c7aaf32 --- /dev/null +++ b/test/security/check_certificates/MANIFEST.in @@ -0,0 +1 @@ +include check_certificates/templates/*.j2 diff --git a/test/security/check_certificates/check_certificates/check_certificates_validity.py b/test/security/check_certificates/check_certificates/check_certificates_validity.py index a6fd9cd1b..5d19a7390 100644 --- a/test/security/check_certificates/check_certificates/check_certificates_validity.py +++ b/test/security/check_certificates/check_certificates/check_certificates_validity.py @@ -46,6 +46,10 @@ import OpenSSL from datetime import datetime from kubernetes import client, config from jinja2 import Environment, FileSystemLoader, select_autoescape +from socket import * # pylint: disable=W0614 + +# Set SSL timeout +setdefaulttimeout(10) # Logger LOG_LEVEL = 'INFO' @@ -56,6 +60,7 @@ CERT_MODES = ['nodeport', 'ingress', 'internal'] EXP_CRITERIA_MIN = 30 EXP_CRITERIA_MAX = 389 EXPECTED_CERT_STRING = "C=US;O=ONAP;OU=OSAAF;CN=intermediateCA_9" +EXPECTED_STRIMZI_CA_CERT_STRING = "O=io.strimzi;CN=cluster-ca v0" RESULT_PATH = "." @@ -89,6 +94,10 @@ args = parser.parse_args() onap_namespace = args.namespace LOGGER.info("Verification of the %s certificates started", onap_namespace) +# Create the target dir (in case it does not exist) +if os.pardir not in args.dir: + os.makedirs(args.dir, exist_ok=True) + # Nodeport specific section # Retrieve the kubernetes IP for mode nodeport if args.mode == "nodeport": 
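Review bot: `from socket import * # pylint: disable=W0614` imports every public name of the socket module into the script namespace just to reach `setdefaulttimeout`, and the disable only silences the unused-name warning (W0614), not the wildcard import itself (W0401). Use `import socket` and `socket.setdefaulttimeout(10)` instead, so no later local named `error`, `timeout` or `socket` can shadow a module name. The comment `# Set SSL timeout` also understates the effect: `setdefaulttimeout` is process-wide and applies to every socket created after it, which presumably includes the Kubernetes API client connections opened further down, not only the TLS probes; say so, e.g. `# Process-wide default socket timeout (bounds the TLS probes and, most likely, the k8s API calls too)`.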
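Review bot: `if os.pardir not in args.dir:` is a substring test for `..`, so it skips `os.makedirs` for a harmless name such as `out..v2` and does nothing to stop `../../tmp`; in both cases the later `'{}/certificates.html'.format(args.dir)` dump (outside this hunk) still writes to that directory, so the guard only moves the failure — or the write outside the working tree — to the report step. If the intent is to keep the report under the working tree, resolve the path once, refuse anything that escapes it, and then create it unconditionally; if `args.dir` is simply trusted operator input, drop the test and call `os.makedirs(args.dir, exist_ok=True)` directly. One shape of the first option, using only names already in scope:
```python
# Resolve the report directory once and keep it under the working tree
out_dir = os.path.realpath(args.dir)
cwd = os.getcwd()
if os.path.commonpath([out_dir, cwd]) != cwd:
    LOGGER.error("Refusing report directory outside %s: %s", cwd, args.dir)
    raise SystemExit(1)
os.makedirs(out_dir, exist_ok=True)
args.dir = out_dir  # the later dump() calls format args.dir
```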
@@ -115,10 +124,13 @@ if args.mode == "nodeport": # Kubernetes section # retrieve the candidate ports first -k8s_config = config.load_kube_config() +if args.mode == "internal": + k8s_config = config.load_incluster_config() +else: + k8s_config = config.load_kube_config() core = client.CoreV1Api() -api_instance = client.ExtensionsV1beta1Api( +api_instance = client.NetworkingV1Api( client.ApiClient(k8s_config)) k8s_services = core.list_namespaced_service(onap_namespace).items k8s_ingress = api_instance.list_namespaced_ingress(onap_namespace).items @@ -145,7 +157,7 @@ def get_certifificate_info(host, port): issuer_info += (issuer_info_key.decode('utf-8') + "=" + issuer_info_val.decode('utf-8') + ";") cert_validity = False - if issuer_info[:-1] == EXPECTED_CERT_STRING: + if issuer_info[:-1] in [EXPECTED_CERT_STRING, EXPECTED_STRIMZI_CA_CERT_STRING]: cert_validity = True return {'expiration_date': exp_date, @@ -186,8 +198,15 @@ def test_services(k8s_services, mode): if test_port in nodeports_xfail_list: error_waiver = True else: # internal mode - test_url = service.spec.selector.app test_port = port.port + test_url = '' + # in Internal mode there are 2 types + # app + # app.kubernetes.io/name + try: + test_url = service.spec.selector['app'] + except KeyError: + test_url = service.spec.selector['app.kubernetes.io/name'] if test_port is not None: LOGGER.info( @@ -246,6 +265,8 @@ def test_services(k8s_services, mode): {'pod_name': test_name, 'pod_port': test_port, 'error_details': str(e)}) + except: + LOGGER.error("Unknown error") # Create html summary jinja_env = Environment( 
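Review bot: `issuer_info[:-1] in [EXPECTED_CERT_STRING, EXPECTED_STRIMZI_CA_CERT_STRING]` compares only the issuer name the server presented; a name match says nothing about whether the certificate actually chains to the OSAAF or Strimzi CA, since anyone can self-sign a certificate whose issuer DN reads `O=io.strimzi;CN=cluster-ca v0`. That is acceptable for an expiry/inventory report, but the templates label this column "Root CA Validity", so the limitation belongs next to the check: `# Issuer-name match only: no chain verification here, so this flags unexpected issuers but does not prove the cert was issued by the expected CA`. The comparison is also order- and spelling-sensitive, because `issuer_info` is rebuilt from the issuer components in presentation order, so a CA with the same identity but a different RDN order would be reported as invalid; hoisting the two strings into a module-level tuple would also avoid rebuilding the list on every call. `get_certifificate_info` starts outside the hunk.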
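Review bot: `service.spec.selector['app']` raises `TypeError`, not `KeyError`, for a Service that defines no selector at all (`spec.selector` is then `None`, e.g. ExternalName or selector-less headless services), and when a selector exists but carries neither `app` nor `app.kubernetes.io/name` the `KeyError` from the fallback lookup escapes the `try`; unless an enclosing handler outside the hunk catches it, the remaining services in the namespace are never checked. A lookup that tolerates both cases is `selector = service.spec.selector or {}` followed by `test_url = selector.get('app') or selector.get('app.kubernetes.io/name')`, skipping the port with a logged warning when `test_url` is still empty. Whether other charts use a third label key cannot be told from here; `test_services` starts outside the hunk.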
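Review bot: the new bare `except:` after the typed handlers catches everything including `KeyboardInterrupt` and `SystemExit`, logs the constant `"Unknown error"` without the exception, the service or the port, and appends to none of the error lists, so a probe that fails for an unanticipated reason drops out of the HTML report entirely and reads as a clean result. Use `except Exception as e:` with `LOGGER.exception("Unexpected error checking %s:%s", test_name, test_port)` so the traceback and the target are recorded, and add the entry to one of the reported lists, e.g. `node_ports_connection_error_list.append({'pod_name': test_name, 'pod_port': test_port, 'error_details': str(e)})`, so it stays visible. Whether `success_criteria` should also be cleared in that case depends on logic outside the hunk; `test_services` continues on both sides.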
@@ -259,6 +280,15 @@ def test_services(k8s_services, mode): node_ports_type_error_list=node_ports_type_error_list, node_ports_reset_error_list=node_ports_reset_error_list).dump( '{}/certificates.html'.format(args.dir)) + else: + jinja_env.get_template('cert-internal.html.j2').stream( + node_ports_list=node_ports_list, + node_ports_ssl_error_list=node_ports_ssl_error_list, + node_ports_connection_error_list=node_ports_connection_error_list, + node_ports_type_error_list=node_ports_type_error_list, + node_ports_reset_error_list=node_ports_reset_error_list).dump( + '{}/certificates.html'.format(args.dir)) + return success_criteria diff --git a/test/security/check_certificates/check_certificates/nodeports_xfail.txt b/test/security/check_certificates/check_certificates/nodeports_xfail.txt deleted file mode 100644 index 5c0801014..000000000 --- a/test/security/check_certificates/check_certificates/nodeports_xfail.txt +++ /dev/null @@ -1,2 +0,0 @@ -# Expected failure list for certificates associated to nodeports -666 # foo example nodeport diff --git a/test/security/check_certificates/check_certificates/templates/cert-internal.html.j2 b/test/security/check_certificates/check_certificates/templates/cert-internal.html.j2 new file mode 100644 index 000000000..f9049807a --- /dev/null +++ b/test/security/check_certificates/check_certificates/templates/cert-internal.html.j2 
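Review bot: the new `else:` branch repeats the nodeport branch verbatim except for the template name, so the two `stream(...).dump(...)` calls will drift apart the next time an error list is added to the report. Pick the template name in the existing `if`/`else` (whose condition and first template name sit outside this hunk), e.g. `template_name = 'cert-internal.html.j2'` in the new branch, and render once after it with `jinja_env.get_template(template_name).stream(...).dump('{}/certificates.html'.format(args.dir))`. `test_services` starts outside the hunk.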
@@ -0,0 +1,129 @@
+{% extends "base.html.j2" %}
+{% block title %}ONAP Certificates expiration page{% endblock %}
+
+{% block content %}
+<h1 class="title is-1">ONAP Certificates</h1>
+<section class="section">
+ <div class="container">
+ <h3 class="subtitle">Cluster Internal Ports</h3>
+
+<table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Expected Expiration Date</th>
+ <th>Remaining Days</th>
+ <th>Root CA</th>
+ <th>Root CA Validity</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_list %}
+ <tr {% if cert.remaining_days < 0 %} class="has-background-danger" {%elif cert.remaining_days < 30 %} class="has-background-warning" {%elif cert.remaining_days < 60 %} class="has-background-warning-light " {%elif cert.remaining_days > 389 %} class="has-background-warning-light" {%elif cert.remaining_days == 364 and cert.validity %} class="has-background-success-light" {% endif %}>
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.expiration_date }}</td>
+ <td>{{ cert.remaining_days }}</td>
+ <td>{{ cert.issuer }}</td>
+ <td>{% if cert.validity %}
+ <span class="icon is-large has-text-success">
+ <i class="fas fa-check-square"></i>
+ </span>
+ {% else %}
+ <span class="icon is-large has-text-danger">
+ <i class="fas fa-ban"></i>
+ </span>
+ {% endif %}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+ </table>
+
+ {% if node_ports_ssl_error_list|length > 0 %}
+ <h3 class="subtitle">Cluster Internal Port SSL errors</h3>
+ <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Error Details</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_ssl_error_list %}
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.error_details }}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+ </table>
+{% endif %}
+
+{% if node_ports_connection_error_list|length > 0 %}
+ <h3 class="subtitle">Cluster Internal Ports Connection errors</h3>
+ <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Error Details</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_connection_error_list %}
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.error_details }}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+ </table>
+{% endif %}
+
+{% if node_ports_list_type_error_list|length > 0 %}
+ <h3 class="subtitle">Cluster Internal Ports ports Type Error</h3>
+ <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Error Details</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_list_type_error_list %}
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.error_details }}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+ </table>
+{% endif %}
+
+{% if node_ports_reset_error_list|length > 0 %}
+ <h3 class="subtitle">Cluster Internal Ports Connections Error</h3>
+ <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+ <thead>
+ <tr>
+ <th>Component</th>
+ <th>Port</th>
+ <th>Error Details</th>
+ </tr>
+ </thead>
+ <tbody>
+ {% for cert in node_ports_reset_error_list %}
+ <td>{{ cert.pod_name }}</td>
+ <td>{{ cert.pod_port }}</td>
+ <td>{{ cert.error_details }}</td>
+ </tr>
+ {% endfor %}
+ </tbody>
+</table>
+{% endif %}
+
+{% endblock %}
+</div>
+</section>
diff --git a/test/security/check_certificates/setup.cfg b/test/security/check_certificates/setup.cfg
index 37be07c9d..72966f837
--- a/test/security/check_certificates/setup.cfg
+++ b/test/security/check_certificates/setup.cfg
@@ -1,8 +1,3 @@
 [metadata]
 name = check_certificates
 version = 0.1
-
-[files]
-packages = check_certificates
-scripts =
- check_certificates/nodeports_xfail.txt
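Review bot: the type-error table tests and iterates `node_ports_list_type_error_list`, while the Python side passes `node_ports_type_error_list` (the name the other three tables use), so under Jinja's default `Undefined` that table silently never renders and type errors vanish from the internal report; rename both occurrences to `node_ports_type_error_list`. The four error tables also never open a row: each `{% for %}` body emits three `<td>` and a `</tr>` with no `<tr>` before them. `cert.issuer` and `cert.error_details` come from the remote endpoint's certificate and from exception text, and whether they are escaped depends on how `Environment(...)` is configured with `select_autoescape` (not visible here) — as far as I recall its defaults enable escaping for `.html`/`.htm`/`.xml` names only, and this template ends in `.j2`, so confirm autoescaping is actually on (or pass `default=True`), otherwise a crafted issuer DN lands in the page as raw HTML. Finally `{% endblock %}` closes the content block before the closing `</div>` and `</section>`, so those two tags sit outside the block and are dropped from the rendered page; move them above `{% endblock %}`.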
diff --git a/test/security/check_certificates/setup.py b/test/security/check_certificates/setup.py index 9a370e270..f5154f282 100644 --- a/test/security/check_certificates/setup.py +++ b/test/security/check_certificates/setup.py @@ -1,4 +1,5 @@ import setuptools setuptools.setup( setup_requires=['pbr', 'setuptools'], - pbr=True) + pbr=True, + include_package_data=True) |