domino_admin_toolkit.checks.info.test_certificate_inventory module

Args:: data: One row dict (TRow). The Runner calls this once per DataFrame row.
Returns:: List[CheckResult]: A list containing the results of the analysis.
Raises:: NotImplementedError: If this method is not implemented by subclasses.

name: ClassVar[str] = 'CertificateInventoryAnalyzer'

pydantic model domino_admin_toolkit.checks.info.test_certificate_inventory.ChainValidationAnalyzer

Bases: AnalyzerBase[ChainValidationRow]

Verdicts per multi-cert bundle on chain structural integrity and chain expiry warnings.

Emits up to two WARN results per bundle: one for structural break (if chain_valid is False) and one for chain-expiry warnings (if any cert in the chain is expired or expiring within 30 days). Both signals can fire independently so neither buries the other in the report.

Fields:

analyze(data)

Analyzes one row and returns a list of CheckResult instances.

Return type:: list[CheckResult]

Args:: data: One row dict (TRow). The Runner calls this once per DataFrame row.
Returns:: List[CheckResult]: A list containing the results of the analysis.
Raises:: NotImplementedError: If this method is not implemented by subclasses.

name: ClassVar[str] = 'ChainValidationAnalyzer'

class domino_admin_toolkit.checks.info.test_certificate_inventory.ChainValidationRow

Bases: TypedDict

cert_field: str

chain_break_issues: str

chain_expiry_issues: str

chain_valid: bool

namespace: str

secret_name: str

total_certs: int

domino_admin_toolkit.checks.info.test_certificate_inventory.test_certificate_chain_validation(chain_validation_data, runner)

Description:

Validates certificate chain structural integrity for multi-cert bundles. Verdicts are emitted per bundle, not per cert — so a single broken chain produces at most one structural-break warning rather than N (one per cert in the bundle). A bundle with both a structural break and expiring intermediate-CA certs produces two WARNs (one of each kind), so neither signal hides the other. Single-cert bundles have no chain to validate and are omitted from this report.

chain_valid reflects only structural integrity (issuer ↔ subject continuity). Chain-cert expiry warnings are surfaced separately in chain_expiry_issues.

Warning Conditions:

Chain has a broken trust relationship (issuer/subject mismatch between adjacent certs)
Any cert in the chain is expired or expiring within 30 days

Empty Data Behavior:

The check soft-passes via on_empty=Status.PASS when no multi-cert bundles exist; this is normal in deployments where every TLS Secret holds a single cert.

Troubleshooting Steps:

Inspect the full bundle: kubectl -n <ns> get secret <name> -o jsonpath=’{.data.tls.crt}’ | base64 -d | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout
Verify chain order — leaf first, intermediates next, root optional last: openssl verify -CAfile <ca-bundle> <leaf-cert>

Resolution Steps:

For chain breaks: add the missing intermediate CA cert to the Secret’s bundle, or rotate the certificate via cert-manager.
For chain expiry warnings: renew the affected cert (often an intermediate CA) and re-bundle the Secret.

Required Permissions:

kubectl read access to Secrets in all cluster namespaces

See also:

test_certificate_inventory — per-cert inventory, expiry, and self-signed status
test_tls_secret_expiration.py — actionable per-cert expiry check
test_cert_manager.py — cert-manager controller and CRD health

domino_admin_toolkit.checks.info.test_certificate_inventory.test_certificate_inventory(certificate_inventory_data, runner)