From 023c01106340a7b6160cb055db951a6cbe07f1ae Mon Sep 17 00:00:00 2001
From: David Sullivan
Date: Tue, 18 Jun 2019 09:46:17 -0400
Subject: [PATCH] Support adding a trusted CA certificate in ansible

Some parts of the ansible playbook may require installing a trusted CA cert on the system. For example specifying a docker registry using a self signed cert. This change will allow the ansible playbook to call the system certificate-install command during initial config.

Change-Id: Ic094837388b0fb644d647e693314dd3abaab1266
Signed-off-by: David Sullivan
Partial-Bug: 1831946
---
 .../src/modules/platform/manifests/config.pp | 18 +++++++++++++++++-
 .../sysinv/sysinv/sysinv/conductor/manager.py | 3 ++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/puppet-manifests/src/modules/platform/manifests/config.pp b/puppet-manifests/src/modules/platform/manifests/config.pp
index 90200f3a4c..7c00ae4da1 100644
--- a/puppet-manifests/src/modules/platform/manifests/config.pp
+++ b/puppet-manifests/src/modules/platform/manifests/config.pp
@@ -251,6 +251,13 @@ class platform::config::certs::ssl_ca
   inherits ::platform::config::certs::params {
   $ssl_ca_file = '/etc/pki/ca-trust/source/anchors/ca-cert.pem'
+  if str2bool($::is_initial_config) {
+    $docker_restart_cmd = 'systemctl restart docker'
+  }
+  else {
+    $docker_restart_cmd = 'pmon-restart dockerd'
+  }
+
   if ! empty($ssl_ca_cert) {
     file { 'create-ssl-ca-cert':
       ensure => present,
@@ -273,10 +280,19 @@ class platform::config::certs::ssl_ca
       refreshonly => true
     }
     -> exec { 'restart docker':
-      command => 'pmon-restart dockerd',
+      command => $docker_restart_cmd,
       subscribe => File[$ssl_ca_file],
       refreshonly => true
     }
+    if str2bool($::is_controller_active) {
+      Exec['restart docker']
+      -> file { '/etc/platform/.ssl_ca_complete':
+        ensure => present,
+        owner => root,
+        group => root,
+        mode => '0644',
+      }
+    }
   }
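Review bot: The `/etc/platform/.ssl_ca_complete` marker in the second hunk is created on every apply of this class on the active controller once `$ssl_ca_cert` is non-empty, not only after a fresh install, because `Exec['restart docker'] -> file { ... }` is an ordering edge and the exec is `refreshonly`; a consumer that waits for the file will therefore see a marker left by an earlier apply unless it removes the file before requesting this manifest, and nothing in this patch does that. If the file is meant as a one-shot completion signal, either delete it before the apply is triggered or make the resource itself refresh-driven, and say so in the manifest with a comment such as `# completion flag, presumably polled by the ansible bootstrap after the CA install; only written on the active controller`. A design caveat that predates this change but is worth recording next to `$ssl_ca_file`: anchoring the registry CA under `/etc/pki/ca-trust/source/anchors/` trusts it system-wide, whereas `/etc/docker/certs.d/<registry>/ca.crt` would scope a self-signed registry CA to docker alone. The class `platform::config::certs::ssl_ca` begins before the first hunk.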
diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
index ad52eb009c..99db8f5339 100644
--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@@ -10309,7 +10309,8 @@ class ConductorManager(service.PeriodicService):
             }
             self._config_apply_runtime_manifest(context, config_uuid,
-                                                config_dict)
+                                                config_dict,
+                                                force=True)
         elif mode == constants.CERT_MODE_DOCKER_REGISTRY:
             LOG.info("Docker registry certificate install")
             # docker registry requires a PKCS1 key for the token server
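Review bot: `force=True` widens when this certificate apply is allowed to run, but the hunk carries no note of which guard inside `_config_apply_runtime_manifest` it bypasses; that helper and the enclosing method both lie outside the hunk, so from the commit message I infer the apply must go through during the ansible bootstrap before the host reaches the state the non-forced path requires — please confirm. Add a why-comment above the call, e.g. `# force: the CA cert must be installed during initial ansible config, before the host is in the state the unforced apply waits for`. If `force` also skips the check that the host's previous config has finished applying, a runtime apply can now overlap an in-flight one on a running system; in that case forcing only when the system is still in initial config, rather than unconditionally, would confine the bypass to bootstrap.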