Integrate nodeport cert verification in xtesting

this tests checks the validity of the certificates
by testing each SSL termination corresponding to node
ports retrieved from the k8s python client

It generates an html page with the list of the
SSL certficiates, it indicates
- the expiration date
- the certificate owner

A code color is provided too indicate if the cert is about
to expire
and/or is too wide (364 days max)

The integration to xtesting is the first step before
adding the test in Master daily CI

Issue-ID: INT-1570

Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: Ia20fc999610d1967eb9eed9415a568b3dbdda3e7
Signed-off-by: mrichomme <morgan.richomme@orange.com>

diff --git a/infra-healthcheck/docker/Dockerfile b/infra-healthcheck/docker/Dockerfile
index 87d177c..b433387 100644 (file)
--- a/infra-healthcheck/docker/Dockerfile
+++ b/infra-healthcheck/docker/Dockerfile
@@ -17,7 +17,7 @@ COPY upper-constraints.txt .
 RUN set -x && \
     apk --no-cache add --update curl ca-certificates && \
     apk --no-cache add --virtual .build-deps --update \
-        gcc python3-dev musl-dev && \
+        gcc python3-dev musl-dev openssl-dev libffi-dev && \
     chmod +x /usr/local/bin/kubectl && \
     adduser kubectl -Du 2342 -h /config && \
     wget https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz -O - | tar -xzO linux-amd64/helm > /usr/local/bin/helm && \
@@ -28,6 +28,8 @@ RUN set -x && \
     pip3 install --no-cache-dir -r upper-constraints.txt && \
     pip3 install --no-cache-dir \
         git+https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting.git@$ONAP_TESTS_TAG#subdirectory=infra-healthcheck && \
+    pip3 install --no-cache-dir \
+        git+https://git.onap.org/integration.git@$ONAP_TESTS_TAG#subdirectory=test/security/check_certificates && \
     apk del .build-deps
 
 COPY docker/testcases.yaml /usr/lib/python3.8/site-packages/xtesting/ci/testcases.yaml

diff --git a/infra-healthcheck/docker/testcases.yaml b/infra-healthcheck/docker/testcases.yaml
index 346daf5..ba035c2 100644 (file)
--- a/infra-healthcheck/docker/testcases.yaml
+++ b/infra-healthcheck/docker/testcases.yaml
@@ -39,3 +39,12 @@ tiers:
                     - DEPLOY_SCENARIO: 'ingress'
                 run:
                     name: 'nodeport_ingress'
+            -
+                case_name: nodeport_check_certs
+                project_name: integration
+                criteria: 100
+                blocking: false
+                description: >-
+                    Check certificates associated with node ports
+                run:
+                    name: 'nodeport_check_certs'

diff --git a/infra-healthcheck/infra_healthcheck/k8stest.py b/infra-healthcheck/infra_healthcheck/k8stest.py
index da1d764..a22bcda 100644 (file)
--- a/infra-healthcheck/infra_healthcheck/k8stest.py
+++ b/infra-healthcheck/infra_healthcheck/k8stest.py
@@ -109,8 +109,6 @@ class K8sTesting(testcase.TestCase):
 class OnapHelmTest(K8sTesting):
     """Kubernetes conformance test suite"""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'onap-helm')
         super(OnapHelmTest, self).__init__(**kwargs)
         self.cmd = ['/check_onap_helm.sh']
         self.criteria_string = "Nb Failed Helm Charts"
@@ -119,9 +117,17 @@ class OnapHelmTest(K8sTesting):
 class OnapSecurityNodePortsIngress(K8sTesting):
     """Check that there is no NodePort without corresponding Ingress port."""
     def __init__(self, **kwargs):
-        if "case_name" not in kwargs:
-            kwargs.get("case_name", 'nodeport_ingress')
         super(OnapSecurityNodePortsIngress, self).__init__(**kwargs)
         self.cmd = ['python3', '/check_for_ingress_and_nodeports.py',
                     '--conf', '/root/.kube/config']
         self.criteria_string = "NodePort without corresponding Ingress found"
+
+class OnapSecurityNodePortsCerts(K8sTesting):
+    """Check the cerfificates fot he nodeports."""
+    def __init__(self, **kwargs):
+        super(OnapSecurityNodePortsCerts, self).__init__(**kwargs)
+        os.chdir('/usr/lib/python3.8/site-packages/check_certificates')
+        self.cmd = ['python3', 'check_certificates_validity.py',
+                    '--mode','nodeport','--namespace','onap','--dir',
+                    '/var/lib/xtesting/results/nodeport_check_certs']
+        self.criteria_string = ">>> Test Check certificates PASS"

diff --git a/infra-healthcheck/setup.cfg b/infra-healthcheck/setup.cfg
index a3ec3db..4664552 100644 (file)
--- a/infra-healthcheck/setup.cfg
+++ b/infra-healthcheck/setup.cfg
@@ -10,3 +10,5 @@ xtesting.testcase =
     onap_k8s = kubernetes_status.status:Status
     onap_helm = infra_healthcheck.k8stest:OnapHelmTest
     nodeport_ingress = infra_healthcheck.k8stest:OnapSecurityNodePortsIngress
+    nodeport_check_certs = infra_healthcheck.k8stest:OnapSecurityNodePortsCerts
+