From d4f8e43d64a88c8a6de885a314e767443ea6f5c8 Mon Sep 17 00:00:00 2001 From: Kyle MacLeod Date: Wed, 6 Oct 2021 15:37:47 -0400 Subject: [PATCH] Add timeout for get_endpoint_certificate This commit works around the lack of a proper timeout in the ssl.get_server_certificate() call. A proper timeout is available in python 3.8+ (see https://bugs.python.org/issue31870). We work around the lack of timeout by first attempting a basic socket connection to the (host, port) with a short timeout (default: 10s). If that is successful we can continue to fetch the server certificate; otherwise we abandon the attempt. Test Plan / Failure Path: PASS: Verify proper timeout when subcloud is offline/shutdown PASS: Verify proper behaviour when subcloud is available Regression: PASS: Verify feature logging Story: 2008960 Task: 43545 Change-Id: If0f7c926e136fc776dbc74ed27b767af1af2cf80 Signed-off-by: Kyle MacLeod
---
 modules/puppet-sysinv/src/sysinv/manifests/certmon.pp | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp b/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp
index ad6a6f1a2..51122f869 100644
--- a/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp
+++ b/modules/puppet-sysinv/src/sysinv/manifests/certmon.pp
@@ -87,6 +87,7 @@ class sysinv::certmon (
 'certmon/network_max_retry': value => 5;
 'certmon/audit_batch_size': value => 10;
 'certmon/audit_greenpool_size': value => 4;
+ 'certmon/certificate_timeout_secs': value => 10;
 }
 if $keystone_enabled {
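Review bot: The name `certmon/certificate_timeout_secs` on the added line reads as a bound on the whole certificate fetch, but per the commit description it only limits the preliminary socket connect, while `ssl.get_server_certificate()` itself still has no timeout before Python 3.8. An endpoint that accepts the TCP connection and then stalls during the TLS handshake would presumably still block the audit, though the consuming code is not part of this patch. I would add a comment above the entry, `# Limits only the pre-check TCP connect to the endpoint; the TLS fetch itself is unbounded on Python < 3.8`, so operators do not treat 10 as a hard ceiling. The enclosing `sysinv::certmon` class begins and ends outside the hunk.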