Check/issue platform certs in DX upgrade

Included upgrade script to verify the existence and issue if necessary the now (after this Story) required platform certificates (REST API & Web Server, Docker Registry and local OpenLDAP), using the 'system-local-ca' ClusterIssuer for DX systems. These changes are dormant. The upgrade script will not be triggered unless a specific file used as feature flag is present in the system. This will prevent interfering with current behavior until the whole feature is completed. The proper system upgrades tests will be done together when the support for DC systems is concluded in a future task for this Story. Test plan: PASS: Deploy AIO-SX and AIO-DX, providing the CA cert in 'system-local-ca' overrides and the flag. Verified that: - HTTPS is enabled correctly after unlocking the controller. - The certificate under '/etc/ssl/private/' is correct. - HTTP is disabled correctly after deleting the certificate and using the 'system modify' API to disable it. PASS: Execute the upgrade script manually and verify that the required platform certificates are not altered. PASS: Delete the required platform certificates. Execute the upgrade script manually and verify that the required platform certificates are issued. Story: 2009811 Task: 48891 Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/897364 Change-Id: Ie628f24ce11fe7ad5aafb1e526320a4e943be547 Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
2023-10-04 17:04:48 -04:00 · 2023-10-04 17:04:48 -04:00 · fc56d7a0fa
parent 966f15f3fc
commit fc56d7a0fa
1 changed files with 88 additions and 0 deletions
--- a/controllerconfig/controllerconfig/upgrade-scripts/81-create-required-platform-certs.py
+++ b/controllerconfig/controllerconfig/upgrade-scripts/81-create-required-platform-certs.py
@ -0,0 +1,88 @@
+#!/usr/bin/python
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This script creates required platform certificates for DX systems.
+# SX systems leverage the execution ansible upgrade playbook for this.
+#
+# Note: A file is used as temporary feature flag for
+#       https://storyboard.openstack.org/#!/story/2009811
+#       to avoid interfering with current behavior before the feature is
+#       completed (see variable 'feature_flag').
+#
+
+import subprocess
+import sys
+import os.path
+from controllerconfig.common import log
+LOG = log.get_logger(__name__)
+
+
+def get_system_mode():
+    # get system_mode from platform.conf
+    lines = [line.rstrip('\n') for line in
+             open('/etc/platform/platform.conf')]
+    for line in lines:
+        values = line.split('=')
+        if values[0] == 'system_mode':
+            return values[1]
+    return None
+
+
+def create_platform_certificates():
+    """Run ansible playbook to create platform certificates
+    """
+    playbooks_root = '/usr/share/ansible/stx-ansible/playbooks'
+    upgrade_script = 'create-platform-certificates-in-upgrade.yml'
+    cmd = 'ansible-playbook {}/{}'.format(playbooks_root, upgrade_script)
+    sub = subprocess.Popen(cmd, shell=True,
+                           stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    stdout, stderr = sub.communicate()
+    if sub.returncode != 0:
+        LOG.error('Command failed:\n %s\n. %s\n%s' % (cmd, stdout, stderr))
+        raise Exception('Cannot create platform certificates.')
+    LOG.info('Successfully created platform certificates.')
+
+
+def main():
+    action = None
+    from_release = None
+    to_release = None
+    arg = 1
+    while arg < len(sys.argv):
+        if arg == 1:
+            from_release = sys.argv[arg]
+        elif arg == 2:
+            to_release = sys.argv[arg]
+        elif arg == 3:
+            action = sys.argv[arg]
+        else:
+            print("Invalid option %s." % sys.argv[arg])
+            return 1
+        arg += 1
+    log.configure()
+
+    # Temporary feature flag file
+    config_dir = '/opt/platform/config/' + to_release
+    feature_flag = config_dir + '/.create_platform_certificates'
+
+    if (action == 'activate' and
+            from_release == '22.12' and
+            os.path.exists(feature_flag)):
+        LOG.info("%s invoked with from_release = %s to_release = %s "
+                 "action = %s"
+                 % (sys.argv[0], from_release, to_release, action))
+
+        mode = get_system_mode()
+
+        if mode == 'simplex':
+            LOG.info("%s: System mode is %s. No actions required."
+                     % (sys.argv[0], mode))
+            return 0
+
+        create_platform_certificates()
+
+
+if __name__ == "__main__":
+    sys.exit(main())