API to get kube rootCA ID

The DC Kubernetes root CA audit was based on the cert expiration alarm.
We would like to switch to cert comparison to ensure the Kubernetes
root CA certs. For this purpose, this commit creates a new sub API to
get Kubernetes root CA ID from local.

Test plan:
1. Passed - Create ISO and deploy AIOSX and distributed cloud.
2. Passed - Run "system --debug  kube-rootca-get-cert-id", have the
expected response, and the cert ID was printed.

Story: 2010852
Task: 49091

Signed-off-by: Yuxing Jiang <Yuxing.Jiang@windriver.com>
Change-Id: Ie78121d0c21d2c6033c8b5d4919e251fc4d98050

api-ref/source/api-ref-sysinv-v1-config.rst

@@ -12049,6 +12049,39 @@ unauthorized (401), forbidden (403), badMethod (405), overLimit (413)
 
 **Response parameters**
 
+.. csv-table::
+   :header: "Parameter", "Style", "Type", "Description"
+   :widths: 20, 20, 20, 60
+
+   "cert_id", "plain", "xsd:string", "Certificate identifier composed by a combination of  <issuer_hash>-<serial_number>"
+   "error", "plain", "xsd:string", "The error message in case something wrong happen on the API execution"
+
+::
+
+   {
+      "cert_id": "d70efa2daaee06f8-314121337707572303468615715651317888841",
+      "error": ""
+   }
+
+This operation does not accept a request body.
+
+***********************************
+Get existing kubernetes root ca ID
+***********************************
+
+.. rest_method:: Get /v1/kube_rootca_update/get_cert_id
+
+**Normal response codes**
+
+200
+
+**Error response codes**
+
+serviceUnavailable (503), badRequest (400), unauthorized (401),
+forbidden (403), badMethod (405), overLimit (413)
+
+**Response parameters**
+
 .. csv-table::
    :header: "Parameter", "Style", "Type", "Description"
    :widths: 20, 20, 20, 60

sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2021 Wind River Systems, Inc.
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -44,6 +44,14 @@ class KubeRootCAUpdateManager(base.Manager):
         except IndexError:
             return []
 
+    def get_cert_id(self):
+        """Retrieve the existing kube rootca id."""
+
+        try:
+            return self._list(self._path('get_cert_id'))[0]
+        except IndexError:
+            return []
+
     def rootCA_upload(self, pem_content):
         """Retrieve the details of a given kubernetes rootca update.
 

sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update_shell.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2021 Wind River Systems, Inc.
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -112,6 +112,18 @@ def do_kube_rootca_update_upload_cert(cc, args):
         print("Uploaded new rootca certificate: %s" % cert_upload.get("success"))
 
 
+def do_kube_rootca_get_cert_id(cc, args):
+    """Get existing kubernetes rootCA cert ID"""
+
+    certificate = cc.kube_rootca_update.get_cert_id()
+
+    if certificate.error:
+        print(certificate.error)
+    else:
+        # Show new rootca certificate identifier <issuer_hash>-<serial_number>
+        print(f"Existing rootca certificate: {certificate.cert_id}")
+
+
 @utils.arg('--expiry-date',
            default=None,
            help='Optional argument to define expiry date '

sysinv/sysinv/sysinv/sysinv/api/controllers/v1/kube_rootca_update.py

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2021 Wind River Systems, Inc.
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -376,6 +376,22 @@ class KubeRootCAHostUpdateListController(rest.RestController):
         return KubeRootCAHostUpdateCollection.convert_with_links(rpc_host_update_status_list)
 
 
+class KubeRootCACetCertIDController(rest.RestController):
+
+    @wsme_pecan.wsexpose(wtypes.text)
+    def get(self):
+        """Retrieves existing kubernetes rootca ID"""
+
+        try:
+            rootca_cert = pecan.request.rpcapi.get_current_kube_rootca_cert_id(
+                context=pecan.request.context)
+            return dict(cert_id=rootca_cert, error="")
+        except Exception as e:
+            msg = ("Failed to get the current kubernetes root CA certificate ID "
+                   f"by error: {e.message}.")
+            return dict(cert_id="", error=msg)
+
+
 class KubeRootCAUpdateController(rest.RestController):
     """REST controller for kubernetes rootCA updates."""
 
@@ -388,6 +404,8 @@ class KubeRootCAUpdateController(rest.RestController):
     pods = KubeRootCAPodsUpdateController()
     # Controller for /kube_rootca_update/hosts, list updates by hosts.
     hosts = KubeRootCAHostUpdateListController()
+    # Controller for /kube_rootca_update/get_cert_id, check existing root CA ID
+    get_cert_id = KubeRootCACetCertIDController()
 
     def __init__(self):
         self.fm_api = fm_api.FaultAPIs()

sysinv/sysinv/sysinv/sysinv/tests/api/test_kube_rootca_update.py

@@ -1,3 +1,9 @@
+#
+# Copyright (c) 2021-2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
 """
 Tests for the API /kube_rootca_update/ methods.
 """
@@ -480,6 +486,23 @@ class TestKubeRootCAUpdateComplete(TestKubeRootCAUpdate,
         self.assertNotEqual(update_entry, None)
 
 
+class TestKubeRootCAGetCertID(TestKubeRootCAUpdate,
+                              dbbase.ProvisionedControllerHostTestCase):
+
+    def setUp(self):
+        super(TestKubeRootCAGetCertID, self).setUp()
+
+    def test_get_ID(self):
+        response = self.get_json('/kube_rootca_update/get_cert_id',
+                                  expect_errors=True)
+        self.assertEqual(response.content_type, 'application/json')
+        self.assertEqual(response.status_code, http_client.OK)
+        resp = json.loads(response.body)
+        self.assertTrue(resp.get('cert_id'))
+        self.assertEqual(resp.get('cert_id'), 'current_cert_serial')
+        self.assertFalse(resp.get('error'))
+
+
 class TestKubeRootCAUpload(TestKubeRootCAUpdate,
                         dbbase.ProvisionedControllerHostTestCase):