Merge "Avoid self-signed cert creation for HTTPS"

2023-12-18 14:34:54 +00:00 · 2023-12-18 14:34:54 +00:00 · 4189d9a116
parent 6b6d7b0462 f23b3f1a89
commit 4189d9a116
3 changed files with 19 additions and 8 deletions
--- a/sysinv/sysinv/sysinv/sysinv/common/constants.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/constants.py
@ -2320,6 +2320,10 @@ CERT_MODE_TO_SECRET_NAME = {
    CERT_MODE_OPENLDAP: OPENLDAP_CERT_SECRET_NAME
 }

+# Create RestAPI/GUI and Docker Registry certificates from bootstrap
+CREATE_PLATFORM_CERTIFICATES_IN_BOOTSTRAP = os.path.join(tsc.CONFIG_PATH,
+                                                         ".create_platform_certificates")
+
 # Storage associated networks
 SB_SUPPORTED_NETWORKS = {
    SB_TYPE_CEPH: [NETWORK_TYPE_MGMT, NETWORK_TYPE_CLUSTER_HOST]
--- a/sysinv/sysinv/sysinv/sysinv/common/utils.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/utils.py
@ -2389,6 +2389,12 @@ def is_fqdn_ready_to_use():
    return False


+def is_platform_certificates_creation_enabled():
+    """Check if RestAPI/GUI and Docker Registry are to be created by bootstrap
+    """
+    return os.path.isfile(constants.CREATE_PLATFORM_CERTIFICATES_IN_BOOTSTRAP)
+
+
 def is_std_system(dbapi):
    system = dbapi.isystem_get_one()
    return system.system_type == constants.TIS_STD_BUILD
--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@ -8765,15 +8765,16 @@ class ConductorManager(service.PeriodicService):
        :param context: an admin context.
        """
        personalities = [constants.CONTROLLER]
-        system = self.dbapi.isystem_get_one()

-        if system.capabilities.get('https_enabled', False):
-            certificates = self.dbapi.certificate_get_list()
-            for certificate in certificates:
-                if certificate.certtype == constants.CERT_MODE_SSL:
-                    break
-            else:
-                self._config_selfsigned_certificate(context)
+        if not cutils.is_platform_certificates_creation_enabled():
+            system = self.dbapi.isystem_get_one()
+            if system.capabilities.get('https_enabled', False):
+                certificates = self.dbapi.certificate_get_list()
+                for certificate in certificates:
+                    if certificate.certtype == constants.CERT_MODE_SSL:
+                        break
+                else:
+                    self._config_selfsigned_certificate(context)

        config_dict = {
            "personalities": personalities,