Handle exporter tls public secret

- enable ssl verification for exporter collectors

Related-Prod: PRODX-50285
Change-Id: I7a10802c0b98ed8f2107b9ca8c193504e5a6c6fe

Author: vardenbb

charts/rockoon/templates/exporter.yaml

@@ -110,11 +110,19 @@ spec:
               mountPath: /etc/openstack/
             - name: exporter-etc
               mountPath: /etc/rockoon/exporter
+            - name: ca-cert
+              mountPath: /usr/local/share/ca-certificates/osdpl/
+              readOnly: true
       volumes:
         - name: os-clouds
           secret:
             secretName: keystone-os-clouds
             defaultMode: 365
+        - name: ca-cert
+          secret:
+            secretName: exporter-ca-cert
+            optional: true
+            defaultMode: 420
         - name: exporter-etc
           secret:
             secretName: {{ include "rockoon.fullname" . }}-exporter-etc

rockoon/constants.py

@@ -159,6 +159,8 @@ class K8sObjHealth(enum.Enum):
 
 COMPUTE_NODE_CONTROLLER_SECRET_NAME = "keystone-os-clouds"
 LIBVIRT_SERVER_TLS_SECRET_NAME = "libvirt-server-tls"
+EXPORTER_CA_CERT_SECRET_NAME = "exporter-ca-cert"
+EXPORTER_NAMESPACE = "osh-system"
 
 SLURP_RELEASES = ["yoga", "antelope", "caracal"]
 

rockoon/controllers/secrets.py

@@ -518,3 +518,39 @@ def handle_keystone_osclouds_secret(
     }
 
     secrets.ExternalCredentialSecret("identity").save(encoded_ext_data)
+
+
+@kopf.on.create(
+    "",
+    "v1",
+    "secrets",
+    when=lambda name, **_: "keystone-tls-public" in name,
+)
+@kopf.on.resume(
+    "",
+    "v1",
+    "secrets",
+    when=lambda name, **_: "keystone-tls-public" in name,
+)
+@kopf.on.update(
+    "",
+    "v1",
+    "secrets",
+    when=lambda name, **_: "keystone-tls-public" in name,
+)
+def handle_exporter_ca_cert_secret(
+    body,
+    meta,
+    name,
+    status,
+    logger,
+    diff,
+    **kwargs,
+):
+    LOG.debug(f"Handling secret create/update {name}")
+
+    utils.log_changes(kwargs.get("old", {}), kwargs.get("new", {}))
+
+    ca_data = body["data"]["ca.crt"]
+    secret_data = {"ca.crt": ca_data}
+    secrets.ExporterCaCertSecret().save(secret_data)

rockoon/exporter/collectors/openstack/api.py

@@ -20,6 +20,7 @@
 from prometheus_client.core import GaugeMetricFamily
 
 from rockoon import utils
+from rockoon.exporter import settings
 from rockoon.exporter.collectors.openstack import base
 
 
@@ -28,12 +29,16 @@
 
 def check_endpoint(url, service_type, service_name, headers):
     result = {"success": True}
-    # TODO(vsaienko): mount ssl ca_cert from osdpl and use here.
     try:
         requests.packages.urllib3.disable_warnings(
             category=InsecureRequestWarning
         )
-        resp = requests.get(url, timeout=10, verify=False, headers=headers)
+        resp = requests.get(
+            url,
+            timeout=10,
+            verify=settings.OSCTL_EXPORTER_CA_CERT_PATH,
+            headers=headers,
+        )
         if resp.status_code >= 500:
             LOG.warning(
                 f"Got bad responce code {resp.status_code} from {url}."

rockoon/exporter/collectors/openstack/horizon.py

@@ -11,6 +11,7 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
+import hashlib
 import html.parser
 import http.cookiejar
 import ssl
@@ -22,6 +23,7 @@
 from prometheus_client.core import GaugeMetricFamily
 
 from rockoon import utils
+from rockoon.exporter import settings
 from rockoon.exporter.collectors.openstack import base
 
 LOG = utils.get_logger(__name__)
@@ -68,7 +70,8 @@ class OsdplHorizonMetricCollector(base.OpenStackBaseMetricCollector):
     is_service_available = True
 
     def __init__(self):
-        self.opener = None
+        self._opener = None
+        self.ca_cert_checksum = None
         self.cookie_jar = http.cookiejar.CookieJar()
         super().__init__()
 
@@ -109,19 +112,17 @@ def dashboard_url(self):
         public_domain_name = self.osdpl.mspec["public_domain_name"]
         return f"https://horizon.{public_domain_name}/"
 
-    def check_login_page(self, dashboard_url, timeout=10):
+    def check_login_page(self, opener, dashboard_url, timeout=10):
         start_time = perf_counter()
-        response = (
-            self._get_opener().open(dashboard_url, timeout=timeout).read()
-        )
+        response = opener.open(dashboard_url, timeout=timeout).read()
         if "id_username" not in response.decode("utf-8"):
             raise ValueError("Cannot find 'id_username' in login page")
         end_time = perf_counter()
         return end_time - start_time
 
-    def check_user_login(self, dashboard_url, credentials, timeout=10):
+    def check_user_login(self, opener, dashboard_url, credentials, timeout=10):
         start_time = perf_counter()
-        response = self._get_opener().open(dashboard_url).read()
+        response = opener.open(dashboard_url).read()
 
         # Grab the CSRF token and default region
         parser = HorizonHTMLParser()
@@ -143,39 +144,41 @@ def check_user_login(self, dashboard_url, credentials, timeout=10):
             "domain": credentials["user_domain_name"],
             "csrfmiddlewaretoken": parser.csrf_token,
         }
-        self._get_opener().open(
-            req, parse.urlencode(params).encode(), timeout=timeout
-        )
+        opener.open(req, parse.urlencode(params).encode(), timeout=timeout)
 
-        response = (
-            self._get_opener().open(dashboard_url, timeout=timeout).read()
-        )
+        response = opener.open(dashboard_url, timeout=timeout).read()
         if "Overview" not in response.decode("utf-8"):
             raise ValueError("Cannot find 'Overview' in home page")
         end_time = perf_counter()
         return end_time - start_time
 
-    def _get_opener(self):
-        if not self.opener:
-            # TODO(dbiletskyi): add ssl verify here
-            ctx = ssl.create_default_context()
-            ctx.check_hostname = False
-            ctx.verify_mode = ssl.CERT_NONE
-            self.opener = request.build_opener(
-                request.HTTPSHandler(context=ctx),
-                request.HTTPCookieProcessor(self.cookie_jar),
-            )
-        return self.opener
+    @property
+    def opener(self):
+        with open(settings.OSCTL_EXPORTER_CA_CERT_PATH, "rb") as f:
+            current_checksum = hashlib.sha256(f.read()).hexdigest()
+        if self.ca_cert_checksum == current_checksum and self._opener:
+            return self._opener
+
+        self.ca_cert_checksum = current_checksum
+        ctx = ssl.create_default_context(
+            cafile=settings.OSCTL_EXPORTER_CA_CERT_PATH
+        )
+        self._opener = request.build_opener(
+            request.HTTPSHandler(context=ctx),
+            request.HTTPCookieProcessor(self.cookie_jar),
+        )
+        return self._opener
 
     @utils.timeit
     def update_login_samples(self):
         login_success_status = 0
         login_latency_samples = []
         try:
             self.cookie_jar.clear()
+            opener = self.opener
             credentials = self.get_credentials()
             dashboard_url = self.dashboard_url
-            login_page_latency = self.check_login_page(dashboard_url)
+            login_page_latency = self.check_login_page(opener, dashboard_url)
             login_latency_samples.append(
                 (
                     [
@@ -186,7 +189,7 @@ def update_login_samples(self):
                 )
             )
             login_success_latency = self.check_user_login(
-                dashboard_url, credentials
+                opener, dashboard_url, credentials
             )
             login_latency_samples.append(
                 (

rockoon/exporter/settings.py

@@ -33,3 +33,8 @@
 # Number of seconds we can wait for polling tasks before return cached result
 # Should be lover than prometheus scrape_timeout which is 1m by default.
 OSCTL_SCRAPE_TIMEOUT = int(os.getenv("OSCTL_SCRAPE_TIMEOUT", "45"))
+
+OSCTL_EXPORTER_CA_CERT_PATH = os.getenv(
+    "OSCTL_EXPORTER_CA_CERT_PATH",
+    "/usr/local/share/ca-certificates/osdpl/ca.crt",
+)

rockoon/secrets.py

@@ -1209,6 +1209,13 @@ def __init__(
         self.secret_name = f"openstack-{name}-credentials"
 
 
+class ExporterCaCertSecret(SecretCopy):
+    secret_name = constants.EXPORTER_CA_CERT_SECRET_NAME
+
+    def __init__(self, namespace=constants.EXPORTER_NAMESPACE):
+        super().__init__(namespace)
+
+
 @dataclass
 class OpenStackIAMData:
     clientId: str