Hey,

My comments:

- Question 1: Remaining days only?
- Question 2: The 3 major browsers (Safari, Firefox and Chrome) will issue an error if certificate remaining days > 389 in their next releases
- Question 3: yes
- Question 4: I would say "keep it" (and nobody except us on this list will really take a look)
- Question 5: I vote both because they have to be autogenerated with certInitializer so it becomes simpler to replace one day
- Question 6: You can plan but should be empty
- Question 7: internal mode ;)
________________________________
From: RICHOMME Morgan TGI/OLN
Sent: Tuesday 30 June 2020 17:02
To: ZWARICO, AMY; 'Pawel Pawlak'; DESBUREAUX Sylvain TGI/OLN; Krzysztof Opasiak; ROUZAUT Fabian TGI/OLN
Cc: Geissler, Andreas; cc6...@intl.att.com; Daniel Rose; cl6...@att.com; plata...@research.att.com; FREEMAN, BRIAN D; b.grzybow...@partner.samsung.com; marcin.przyb...@nokia.com; eric.w.multa...@intel.com; Kuzmicki, Krzysztof (Nokia - PL/Wroclaw); p.wieczor...@samsung.com; onap-discuss@lists.onap.org
Subject: [ONAP] [Guilin] [SECCOM] [Integration] check certificates, open questions and result table and success criteria

Hi,

I updated the test to verify the certificates: https://gerrit.onap.org/r/c/integration/+/109207

I see 3 possible "modes": nodeports, internal and ingress. For the moment I worked on the nodeport mode; you will find attached the results of the test on the daily Frankfurt.

I have some questions for SECCOM/OOM.

For this test, I retrieve all the ONAP services from the kubernetes client, then for each service I give a try to the nodeport. Then at the end I build a table. The main table includes the following fields:

- Component = service name
- Port = node port
- Expiration date
- Remaining days
- Cluster IP = cluster IP associated with the node port
- Root CA = info got from the certificate issuer
- Root CA Validity

The other tables below correspond to specific errors (SSL, connection, ...). I do not consider them as error criteria: as the test is executed from outside the cluster, it is usually logical to get the error, but I prefer to keep a trace in a table. I should be able to test these ports in internal mode later.

Question 1: Expiration date and Remaining days are redundant: shall I keep the 2 columns or keep only the remaining days?
I do consider 2 parameters for the test success criteria:

- the certificate remaining days
- the root CA validity

The color code is as follows and can be easily amended if you have any recommendations or design advice:

- remaining days > 1000 => line is light blue
  Question 2: 1000 is totally arbitrary, what is the recommendation to say that the certificate is probably too long? > 365? > 1000? > ?
- 30 < expiration < 60 => line is orange
- expiration < 30 => line is red
- = 364 (+ Root CA OK) => line is green light => it corresponds to auto-generated certificates
- no color in any other case

Question 3: are you OK with the color code?
Question 4: Shall I keep the error table or is it misleading?

Root CA: if I got C=US;O=ONAP;OU=OSAAF;CN=intermediateCA_9 => I consider the Root CA as OK => Validity is a green square; if not => red circle.

Both indicators are independent: we can be red with a good certificate Root CA, and we can be green and have a red circle if the certificate is still valid but the Root CA is not correct.

At the end the success criterion is False if 1 of the certificates is under 30 days or the Root CAs are not correct. It means that it will be FAIL until everything is fixed..

Question 5: success criteria => only expiration date or expiration date + root CA?
Question 6: shall we plan a xfail list here?
Question 7: Note I added the Cluster IP for information, any other info you would like to see in the table?
I started working on the integration in CI. Once open questions are clarified, the code in the integration repository will be merged. I will create a xtesting docker (I did already one quickly in gitlab.com; I will create a new patch in ONAP as xtesting and its associated docker build chain have been reintegrated in ONAP repositories). I put this test in the infra-healthcheck docker (was almost ready from a dependency perspective):

+--------------------------------+------------------+------------------+----------------+
| TEST CASE                      | PROJECT          | DURATION         | RESULT         |
+--------------------------------+------------------+------------------+----------------+
| nodeport_check_certs           | security         | 00:02            | FAIL           |
+--------------------------------+------------------+------------------+----------------+

Once the new docker is created, the test will be automatically run; I would "just" need to adapt the dashboard to display the result of this test (daily and gating).

/Morgan

_________________________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
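As an added example (not the code from the gerrit change or from Morgan's test), the colour code and success criterion described in the mail expressed in Python over already-collected rows. It assumes the certificate expiration and issuer string have been gathered per service (no live nodeport probing here), uses the mail's thresholds (30, 60, 364, 1000 days) and expected issuer, and adds the optional xfail list from Question 6. Row values, names and the treatment of the exact 30- and 60-day boundaries are my own assumptions.

```python
"""Added example: colour code and success criteria for the certificate check.
Illustrative only; all names, thresholds handling and sample rows are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Issuer the mail treats as the correct Root CA, parsed into RDN -> value.
EXPECTED_ROOT_CA: Dict[str, str] = {"C": "US", "O": "ONAP", "OU": "OSAAF", "CN": "intermediateCA_9"}

# Thresholds quoted in the mail (1000 is the "totally arbitrary" upper bound under discussion).
TOO_LONG_DAYS = 1000
AUTOGEN_DAYS = 364
ORANGE_MAX = 60
FAIL_DAYS = 30


@dataclass
class CertRow:
    component: str          # service name
    port: int               # node port
    not_after: datetime     # certificate expiration (timezone-aware)
    issuer: str             # issuer as the test prints it, e.g. "C=US;O=ONAP;OU=OSAAF;CN=intermediateCA_9"
    cluster_ip: str = ""


def parse_issuer(issuer: str) -> Dict[str, str]:
    """Split 'C=US;O=ONAP;...' into a dict; tolerates stray whitespace and empty parts."""
    rdns: Dict[str, str] = {}
    for part in issuer.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            rdns[key.strip()] = value.strip()
    return rdns


def root_ca_ok(issuer: str) -> bool:
    """Green square if the issuer matches the expected intermediate CA exactly, red circle otherwise."""
    return parse_issuer(issuer) == EXPECTED_ROOT_CA


def remaining_days(not_after: datetime, now: datetime) -> int:
    return (not_after - now).days


def line_color(days: int, ca_ok: bool) -> Optional[str]:
    """Colour code from the mail. Assumption: days == 30 and days == 60, which the
    mail leaves unspecified, are folded into the orange band."""
    if days < FAIL_DAYS:
        return "red"
    if days <= ORANGE_MAX:
        return "orange"
    if days == AUTOGEN_DAYS and ca_ok:
        return "green"        # auto-generated certificate with the expected Root CA
    if days > TOO_LONG_DAYS:
        return "light blue"   # probably too long-lived
    return None               # no colour in any other case


def build_table(rows: List[CertRow], now: datetime) -> List[Dict[str, object]]:
    """One entry per service carrying both independent indicators (days and Root CA)."""
    table: List[Dict[str, object]] = []
    for row in rows:
        days = remaining_days(row.not_after, now)
        ca_ok = root_ca_ok(row.issuer)
        table.append({
            "component": row.component,
            "port": row.port,
            "remaining_days": days,
            "cluster_ip": row.cluster_ip,
            "root_ca_ok": ca_ok,
            "color": line_color(days, ca_ok),
        })
    return table


def success(table: List[Dict[str, object]], xfail=frozenset()) -> bool:
    """False if any certificate not on the xfail list is under 30 days or has the wrong Root CA."""
    for entry in table:
        if entry["component"] in xfail:
            continue
        if entry["remaining_days"] < FAIL_DAYS or not entry["root_ca_ok"]:
            return False
    return True


# Constructed sample rows (not results from a real deployment); "now" is the mail's timestamp.
NOW = datetime(2020, 6, 30, 17, 2, tzinfo=timezone.utc)
GOOD_ISSUER = "C=US;O=ONAP;OU=OSAAF;CN=intermediateCA_9"
SAMPLE_ROWS = [
    CertRow("aai", 30233, datetime(2021, 6, 29, 17, 2, tzinfo=timezone.utc), GOOD_ISSUER, "10.43.1.10"),
    CertRow("sdc-be", 30204, datetime(2020, 7, 15, 0, 0, tzinfo=timezone.utc), GOOD_ISSUER, "10.43.1.11"),
    CertRow("portal", 30225, datetime(2030, 1, 1, 0, 0, tzinfo=timezone.utc), "C=US;O=Example;CN=self-signed", "10.43.1.12"),
]

if __name__ == "__main__":
    result = build_table(SAMPLE_ROWS, NOW)
    for entry in result:
        print(entry)
    print("SUCCESS:", success(result))
```

Keeping the two indicators separate in the table (as the mail proposes) is what lets the xfail list excuse a known-bad entry without hiding the colour that still flags it.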
View/Reply Online (#21553): https://lists.onap.org/g/onap-discuss/message/21553