I see 3 possible "modes": nodeports, internal and ingress
for the moment I worked the nodeport mode, you will find attached the results
of the test on the daily frankfurt.
I have some questions for SECCOM/OOM.
For this test, I retrieve all the ONAP services from the kubernetes client,
then for each service I give a try to the nodeport.
then at the end I build a table, the main table includes the following fields
Component = service name | Port = node port | Expiration date | Remaining days
| Cluster IP = cluster IP associated with the node port | Root CA = info got
from the certificate issuer | Root CA Validity
The other tables below correspond to specific errors (SSL, connection,..), I do
not consider them as error criteria as the test being executed from outside the
cluster, it is usually logical to get the error but I prefer to keep a trace in
a table.
I should be able to test these ports in internal mode later.
Question 1: Expiration date and Remaining days are redundant: shall I keep the
2 columns or keep only the remaining days?
I do consider 2 parameters for the test success criteria
- the certificate remaining days
- the root CA validity
The color code is as follow and can be easily amended if you have any
recommendations or design advices
remaining days
> 1000 => line is light blue
Question 2: 1000 is totally arbitrary, what is the recommendation to say that
the certificates is probably too long > 365 > 1000 > ?
30< expiration < 60 => line is orange
expiration < 30 => line is red light
= 364 (+ Root CA OK) => line is green light => it corresponds to
auto-generated certificates
no color in any other case
Question 3: are you OK with the color code?
Question 4: Shall I keep the error table or is it misleading?
root CA
if I got C=US;O=ONAP;OU=OSAAF;CN=intermediateCA_9 => I consider the Root CA as
OK => Validity is a green square
if not => red circle
Both indicators are independent
we can be red with a good certificate Root CA and we can be green and have a
red circle if the certificate is still valid but the Root CA not correct
At the end the success criteria is False is 1 of the certificate is under 30
days or Root CA are not correct.
It means that it will be FAIL until everything is fxed..
Question 5: success criteria => only expiration date or expiration date + root
CA?
Question 6: shall we plan a xfail list here?
Question 7: Note I added the Cluster IP for information, any other info you
would like to see in the table?
I started working on the integration in CI
Once open questions clarified, the code in integration repository will be merged
I will create a xtesting docker (I did already one quickly in gitlab.com, I
will create a new patch in ONAP as xtesting and its associated docker build
chain has be reintegrated in ONAP repositories)
I put this test in the infra-healthcheck docker (was almost ready from a
dependency perspective)
+--------------------------------+------------------+------------------+----------------+
| TEST CASE | PROJECT | DURATION | RESULT |
+--------------------------------+------------------+------------------+----------------+
| nodeport_check_certs | security | 00:02 | FAIL |
+--------------------------------+------------------+------------------+----------------+
Once the new docker would be created, the test will be automatically run, I
would 'just" need to adapt the dashboard to display the result of this test
(daily and gating)
/Morgan
_________________________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations
confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce
message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou
falsifie. Merci.
This message and its attachments may contain confidential or privileged
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been
modified, changed or falsified.
Thank you.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#21552): https://lists.onap.org/g/onap-discuss/message/21552
Mute This Topic: https://lists.onap.org/mt/75215203/21656
Group Owner: [email protected]
Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
