From fc56d7a0fa3bef02c40c453b1baf916312af44a6 Mon Sep 17 00:00:00 2001 From: Marcelo Loebens Date: Wed, 4 Oct 2023 17:04:48 -0400 Subject: [PATCH] Check/issue platform certs in DX upgrade Included an upgrade script that verifies the existence of, and issues if necessary, the platform certificates that are now (after this Story) required (REST API & Web Server, Docker Registry and local OpenLDAP), using the 'system-local-ca' ClusterIssuer for DX systems. These changes are dormant. The upgrade script will not be triggered unless a specific file, used as a feature flag, is present in the system. This will prevent interfering with current behavior until the whole feature is completed. The proper system upgrade tests will be done together when the support for DC systems is concluded in a future task for this Story. Test plan: PASS: Deploy AIO-SX and AIO-DX, providing the CA cert in 'system-local-ca' overrides and the flag. Verified that: - HTTPS is enabled correctly after unlocking the controller. - The certificate under '/etc/ssl/private/' is correct. - HTTP is disabled correctly after deleting the certificate and using the 'system modify' API to disable it. PASS: Execute the upgrade script manually and verify that the required platform certificates are not altered. PASS: Delete the required platform certificates. Execute the upgrade script manually and verify that the required platform certificates are issued. Story: 2009811 Task: 48891 Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/897364 Change-Id: Ie628f24ce11fe7ad5aafb1e526320a4e943be547 Signed-off-by: Marcelo Loebens --- .../81-create-required-platform-certs.py | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 controllerconfig/controllerconfig/upgrade-scripts/81-create-required-platform-certs.py 
diff --git a/controllerconfig/controllerconfig/upgrade-scripts/81-create-required-platform-certs.py b/controllerconfig/controllerconfig/upgrade-scripts/81-create-required-platform-certs.py
new file mode 100644
index 0000000000..662121f37a
--- /dev/null
+++ b/controllerconfig/controllerconfig/upgrade-scripts/81-create-required-platform-certs.py
@@ -0,0 +1,88 @@
+#!/usr/bin/python
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# This script creates required platform certificates for DX systems.
+# SX systems leverage the execution ansible upgrade playbook for this.
+#
+# Note: A file is used as temporary feature flag for
+# https://storyboard.openstack.org/#!/story/2009811
+# to avoid interfering with current behavior before the feature is
+# completed (see variable 'feature_flag').
+#
+
+import subprocess
+import sys
+import os.path
+from controllerconfig.common import log
+LOG = log.get_logger(__name__)
+
+
+def get_system_mode():
+    # get system_mode from platform.conf
+    lines = [line.rstrip('\n') for line in
+             open('/etc/platform/platform.conf')]
+    for line in lines:
+        values = line.split('=')
+        if values[0] == 'system_mode':
+            return values[1]
+    return None
+
+
+def create_platform_certificates():
+    """Run ansible playbook to create platform certificates
+    """
+    playbooks_root = '/usr/share/ansible/stx-ansible/playbooks'
+    upgrade_script = 'create-platform-certificates-in-upgrade.yml'
+    cmd = 'ansible-playbook {}/{}'.format(playbooks_root, upgrade_script)
+    sub = subprocess.Popen(cmd, shell=True,
+                           stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    stdout, stderr = sub.communicate()
+    if sub.returncode != 0:
+        LOG.error('Command failed:\n %s\n. %s\n%s' % (cmd, stdout, stderr))
+        raise Exception('Cannot create platform certificates.')
+    LOG.info('Successfully created platform certificates.')
+
+
+def main():
+    action = None
+    from_release = None
+    to_release = None
+    arg = 1
+    while arg < len(sys.argv):
+        if arg == 1:
+            from_release = sys.argv[arg]
+        elif arg == 2:
+            to_release = sys.argv[arg]
+        elif arg == 3:
+            action = sys.argv[arg]
+        else:
+            print("Invalid option %s." % sys.argv[arg])
+            return 1
+        arg += 1
+    log.configure()
+
+    # Temporary feature flag file
+    config_dir = '/opt/platform/config/' + to_release
+    feature_flag = config_dir + '/.create_platform_certificates'
+
+    if (action == 'activate' and
+            from_release == '22.12' and
+            os.path.exists(feature_flag)):
+        LOG.info("%s invoked with from_release = %s to_release = %s "
+                 "action = %s"
+                 % (sys.argv[0], from_release, to_release, action))
+
+        mode = get_system_mode()
+
+        if mode == 'simplex':
+            LOG.info("%s: System mode is %s. No actions required."
+                     % (sys.argv[0], mode))
+            return 0
+
+        create_platform_certificates()
+
+
+if __name__ == "__main__":
+    sys.exit(main())
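Review bot: `create_platform_certificates` launches ansible-playbook through `shell=True` with a string command although both path components are constants; the list form `subprocess.Popen(['ansible-playbook', '{}/{}'.format(playbooks_root, upgrade_script)], stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)` avoids involving a shell at all and also decodes stdout/stderr, so the `%s` in the failure log does not render them as `b'...'` under Python 3. In `get_system_mode`, platform.conf is opened without a context manager and the handle is left for the garbage collector; `with open('/etc/platform/platform.conf') as f:` and iterating `f` inside the comprehension closes it deterministically. In `main`, `config_dir` is built from `to_release` before the argument count has been checked, so invoking the script with fewer than two arguments raises a TypeError instead of taking the "Invalid option" path; computing `feature_flag` inside the `action == 'activate'` guard, or returning 1 when `to_release is None`, avoids that. On failure the full playbook stdout and stderr are written to the upgrade log; if any task in the playbook prints key material in its result, it should be marked `no_log` so that material is not persisted there — the playbook is outside this change, so please confirm.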