Make all certs 8yr expiry (#387) (#389)

* Make all certs 8yr expiry * Use certificate_duration and test against generated cert * Better messages during CI cloning (cherry picked from commit 4b5d7a1)
infrawatch · Nov 14, 2022 · 907dbc4 · 907dbc4
1 parent 9c5b82a
commit 907dbc4
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 5 deletions.
diff --git a/build/stf-run-ci/tasks/clone_repos.yml b/build/stf-run-ci/tasks/clone_repos.yml
@@ -5,7 +5,7 @@
 #       of these separately rather than using a loop.
 - name: Get Smart Gateway Operator
   block:
-    - name: Try cloning same-named branch or override branch from specified repository
+    - name: Try cloning same-named branch or override branch from SGO repository
       git:
         repo: "{{ sgo_repository }}"
         dest: working/smart-gateway-operator
@@ -19,7 +19,7 @@
 
 - name: Get sg-core
   block:
-    - name: Try cloning same-named branch or override branch from specified repository
+    - name: Try cloning same-named branch or override branch from sg-core repository
       git:
         repo: "{{ sg_core_repository }}"
         dest: working/sg-core
@@ -33,7 +33,7 @@
 
 - name: Get sg-bridge
   block:
-    - name: Try cloning same-named branch or override branch from specified repository
+    - name: Try cloning same-named branch or override branch from sg-bridge repository
       git:
         repo: "{{ sg_bridge_repository }}"
         dest: working/sg-bridge
@@ -47,7 +47,7 @@
 
 - name: Get prometheus-webhook-snmp
   block:
-    - name: Try cloning same-named branch or override branch from specified repository
+    - name: Try cloning same-named branch or override branch from prometheus-webhook-snmp repository
       git:
         repo: "{{ prometheus_webhook_snmp_repository }}"
         dest: working/prometheus-webhook-snmp
@@ -64,7 +64,7 @@
 # branches there.
 - name: Get Loki Operator
   block:
-    - name: Try cloning same-named branch or override branch from specified repository
+    - name: Try cloning same-named branch or override branch from loki repository
       git:
         repo: "{{ loki_operator_repository }}"
         dest: working/loki

diff --git a/roles/servicetelemetry/defaults/main.yml b/roles/servicetelemetry/defaults/main.yml
@@ -6,6 +6,8 @@ clouds_remove_on_missing: false
 # default observability strategy (compatible with STF 1.3)
 observability_strategy: use_community
 
+certificate_duration: 70080h
+
 servicetelemetry_defaults:
   high_availability:
     enabled: false

diff --git a/roles/servicetelemetry/tasks/_local_signing_authority.yml b/roles/servicetelemetry/tasks/_local_signing_authority.yml
@@ -8,6 +8,7 @@
         name: '{{ ansible_operator_meta.namespace }}-selfsigned'
         namespace: '{{ ansible_operator_meta.namespace }}'
       spec:
+        duration: '{{ certificate_duration }}'
         selfSigned: {}
 
 - name: Create CA certificate
@@ -19,6 +20,7 @@
         name: '{{ ansible_operator_meta.namespace }}-ca'
         namespace: '{{ ansible_operator_meta.namespace }}'
       spec:
+        duration: '{{ certificate_duration }}'
         secretName: '{{ ansible_operator_meta.namespace }}-ca'
         commonName: '{{ ansible_operator_meta.namespace }}-ca'
         isCA: true
@@ -34,6 +36,7 @@
         name: '{{ ansible_operator_meta.namespace }}-ca'
         namespace: '{{ ansible_operator_meta.namespace }}'
       spec:
+        duration: '{{ certificate_duration }}'
         ca:
           secretName: '{{ ansible_operator_meta.namespace }}-ca'
 
@@ -47,6 +50,7 @@
         name: elasticsearch-es-http
         namespace: '{{ ansible_operator_meta.namespace }}'
       spec:
+        duration: '{{ certificate_duration }}'
         commonName: elasticsearch-es-http
         secretName: 'elasticsearch-es-cert'
         dnsNames:

diff --git a/roles/servicetelemetry/tasks/component_qdr.yml b/roles/servicetelemetry/tasks/component_qdr.yml
@@ -13,6 +13,7 @@
           name: "{{ ansible_operator_meta.name }}-interconnect-selfsigned"
           namespace: "{{ ansible_operator_meta.namespace }}"
         spec:
+          duration: '{{ certificate_duration }}'
           selfSigned: {}
 
   - name: Create self-signed interconnect certificate
@@ -25,6 +26,7 @@
           name: "{{ ansible_operator_meta.name }}-interconnect-selfsigned"
           namespace: "{{ ansible_operator_meta.namespace }}"
         spec:
+          duration: '{{ certificate_duration }}'
           commonName: "{{ ansible_operator_meta.name }}-interconnect.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
           isCA: true
           issuerRef:
@@ -42,6 +44,7 @@
           name: "{{ ansible_operator_meta.name }}-interconnect-ca"
           namespace: "{{ ansible_operator_meta.namespace }}"
         spec:
+          duration: '{{ certificate_duration }}'
           ca:
             secretName: "{{ ansible_operator_meta.name }}-interconnect-selfsigned"
 
@@ -55,6 +58,7 @@
           name: "{{ ansible_operator_meta.name }}-interconnect-openstack-ca"
           namespace: "{{ ansible_operator_meta.namespace }}"
         spec:
+          duration: '{{ certificate_duration }}'
           commonName: "{{ ansible_operator_meta.name }}-interconnect-openstack-ca"
           isCA: true
           issuerRef:
@@ -71,6 +75,7 @@
           name: "{{ ansible_operator_meta.name }}-interconnect-openstack-credentials"
           namespace: "{{ ansible_operator_meta.namespace }}"
         spec:
+          duration: '{{ certificate_duration }}'
           commonName: "{{ ansible_operator_meta.name }}-interconnect"
           dnsNames:
             - "{{ ansible_operator_meta.name }}-interconnect.{{ ansible_operator_meta.namespace }}.svc.cluster.local"
@@ -88,6 +93,7 @@
           name: "{{ ansible_operator_meta.name }}-interconnect-inter-router-ca"
           namespace: "{{ ansible_operator_meta.namespace }}"
         spec:
+          duration: '{{ certificate_duration }}'
           ca:
             secretName: "{{ ansible_operator_meta.name }}-interconnect-inter-router-ca"
 
@@ -101,6 +107,7 @@
           name: "{{ ansible_operator_meta.name }}-interconnect-inter-router-ca"
           namespace: "{{ ansible_operator_meta.namespace }}"
         spec:
+          duration: '{{ certificate_duration }}'
           commonName: "{{ ansible_operator_meta.name }}-interconnect-inter-router-ca"
           isCA: true
           issuerRef:
@@ -117,6 +124,7 @@
           name: "{{ ansible_operator_meta.name }}-interconnect-inter-router-credentials"
           namespace: "{{ ansible_operator_meta.namespace }}"
         spec:
+          duration: '{{ certificate_duration }}'
           commonName: "{{ ansible_operator_meta.name }}-interconnect"
           dnsNames:
             - "{{ ansible_operator_meta.name }}-interconnect.{{ ansible_operator_meta.namespace }}.svc.cluster.local"

diff --git a/tests/smoketest/smoketest.sh b/tests/smoketest/smoketest.sh
@@ -73,6 +73,15 @@ for NAME in "${CLOUDNAMES[@]}"; do
     RET=$((RET || $?)) # Accumulate exit codes
 done
 
+echo "*** [INFO] Checking that the qdr certificate has a long expiry"
+EXPIRETIME=$(oc get secret default-interconnect-openstack-ca -o json | grep \"tls.crt\"\: | awk -F '": "' '{print $2}' | rev | cut -c3- | rev | base64 -d | openssl x509 -in - -text | grep "Not After" | awk -F " : " '{print $2}')
+EXPIRETIME_UNIX=$(date -d "${EXPIRETIME}" "+%s")
+TARGET_UNIX=$(date -d "now + 7 years" "+%s")
+if [ ${EXPIRETIME_UNIX} -lt ${TARGET_UNIX} ]; then
+    echo "[FAILURE] Certificate expire time (${EXPIRETIME}) less than 7 years from now"
+fi
+
+echo "*** [INFO] Waiting to see SNMP trap message in webhook pod"
 oc delete pod curl
 SNMP_WEBHOOK_POD=$(oc get pod -l "app=default-snmp-webhook" -ojsonpath='{.items[0].metadata.name}')
 SNMP_WEBHOOK_CHECK_MAX_TRIES=5