Add alarm IDs for expiring-soon & expired certificates

Added two new alarm IDs and details for expiring-soon and expired certificates. Story: 2008946 Task: 43049 Signed-off-by: Sabeel Ansari <Sabeel.Ansari@windriver.com> Change-Id: I61cb835c38473cef61238de8cf4a21361e123da4
2021-08-18 15:02:35 -04:00 · 2021-08-18 15:02:35 -04:00 · cdf8dc6f6e
commit cdf8dc6f6e
parent 83f5caa9b7
2 changed files with 61 additions and 1 deletions
--- a/fm-api/fm_api/constants.py
+++ b/fm-api/fm_api/constants.py
@ -39,6 +39,7 @@ FM_ENTITY_TYPE_STORAGE_BACKEND = 'storage_backend'
 FM_ENTITY_TYPE_IMAGE_CONVERSION = 'fs_name'
 FM_ENTITY_TYPE_SUBCLOUD = 'subcloud'
 FM_ENTITY_TYPE_APPLICATION = 'k8s_application'
+FM_ENTITY_TYPE_CERTIFICATE = 'certificate'

 # alarm service sub entity values
 FM_SERVICE_NETWORKING = 'networking'
@ -301,13 +302,16 @@ FM_ALARM_ID_KUBE_ROOTCA_UPDATE_IN_PROGRESS = ALARM_GROUP_SW_MGMT + ".008"
 FM_LOG_ID_INVALID_PASSWORD = ALARM_GROUP_SECURITY + ".001"
 FM_LOG_ID_USER_LOCKOUT = ALARM_GROUP_SECURITY + ".002"

-
 # Security alarm id
 FM_ALARM_ID_TPM_INIT = ALARM_GROUP_SECURITY + ".100"

 # Security nonstandard certificate in use for patching alarm id
 FM_ALARM_ID_NONSTANDARD_CERT_PATCH = ALARM_GROUP_SECURITY + ".101"

+# Security ExpiringSoon & Expired Certificates
+FM_ALARM_ID_CERT_EXPIRING_SOON = ALARM_GROUP_SECURITY + ".200"
+FM_ALARM_ID_CERT_EXPIRED = ALARM_GROUP_SECURITY + ".210"
+
 # Software Update Orchestration
 FM_ALARM_ID_SW_PATCH_AUTO_APPLY_INPROGRESS = ALARM_GROUP_SW_MGMT + ".101"
 FM_ALARM_ID_SW_PATCH_AUTO_APPLY_ABORTING = ALARM_GROUP_SW_MGMT + ".102"
@ -496,6 +500,7 @@ ALARM_PROBABLE_CAUSE_73 = 'key-expired'
 ALARM_PROBABLE_CAUSE_74 = 'out-of-hours-activity'
 ALARM_PROBABLE_CAUSE_75 = 'configuration-out-of-date'
 ALARM_PROBABLE_CAUSE_76 = 'configuration-provisioning-required'
+ALARM_PROBABLE_CAUSE_77 = 'certificate-expiration'
 ALARM_PROBABLE_CAUSE_UNKNOWN = 'unknown'

 ALARM_STATE = [FM_ALARM_STATE_SET, FM_ALARM_STATE_CLEAR,
@ -551,6 +556,7 @@ ALARM_PROBABLE_CAUSE = [ALARM_PROBABLE_CAUSE_1, ALARM_PROBABLE_CAUSE_2,
                        ALARM_PROBABLE_CAUSE_71, ALARM_PROBABLE_CAUSE_72,
                        ALARM_PROBABLE_CAUSE_73, ALARM_PROBABLE_CAUSE_74,
                        ALARM_PROBABLE_CAUSE_75, ALARM_PROBABLE_CAUSE_76,
+                        ALARM_PROBABLE_CAUSE_77,
                        ALARM_PROBABLE_CAUSE_UNKNOWN]


--- a/fm-doc/fm_doc/events.yaml
+++ b/fm-doc/fm_doc/events.yaml
@ -1354,6 +1354,60 @@
    Management_Affecting_Severity: none
    Degrade_Affecting_Severity: none

+500.200:
+    Type: Alarm
+    Description: |-
+        Certificate ‘system certificate-show <uuid>' (mode=<ssl/ssl_ca/docker_registry/openstack/openstack_ca>) expiring soon on <date>.
+        OR
+        Certificate ‘<Namespace>/<Certificate/Secret>’ expiring soon on <date>.
+        OR
+        Certificate ‘<k8sRootCA/EtcdCA>’ expiring soon on <date>.
+    Entity_Instance_ID: |-
+        system.certificate.mode=<mode>.uuid=<uuid>
+        OR
+        namespace=<namespace-name>.certificate=<certificate-name>
+        OR
+        namespace=<namespace-name>.secret=<secret-name>
+        OR
+        system.certificate.k8sRootCA
+    Severity: major
+    Proposed_Repair_Action: Renew certificate for the entity identified
+    Maintenance_Action:
+    Inhibit_Alarms:
+    Alarm_Type: operational-violation
+    Probable_Cause: certificate-expiration
+    Service_Affecting: False
+    Suppression: False
+    Management_Affecting_Severity: none
+    Degrade_Affecting_Severity: none
+
+500.210:
+    Type: Alarm
+    Description: |-
+        Certificate ‘system certificate-show <uuid>' (mode=<ssl/ssl_ca/docker_registry/openstack/openstack_ca>) expired.
+        OR
+        Certificate ‘<Namespace>/<Certificate/Secret>’ expired.
+        OR
+        Certificate ‘<k8sRootCA/EtcdRootCA>’ expired.
+    Entity_Instance_ID: |-
+        system.certificate.mode=<mode>.uuid=<uuid>
+        OR
+        namespace=<namespace-name>.certificate=<certificate-name>
+        OR
+        namespace=<namespace-name>.secret=<secret-name>
+        OR
+        system.certificate.k8sRootCA
+    Severity: critical
+    Proposed_Repair_Action: Renew certificate for the entity identified
+    Maintenance_Action:
+    Inhibit_Alarms:
+    Alarm_Type: operational-violation
+    Probable_Cause: certificate-expiration
+    Service_Affecting: False
+    Suppression: False
+    Management_Affecting_Severity: none
+    Degrade_Affecting_Severity: none
+
 500.500:
    Type: Log
    Description: "Host <host_name> has IMA Appraisal failure for service <service> when executing <file>, reason = <reason_text>]"