Improve kube-rootca-get-id API and error handling

This commit corrects a error in the API reference introduced in:
Ie78121d0c21d2c6033c8b5d4919e251fc4d98050.

This commit also improves the error handling to return an understandable
error message and avoids printing an exception if the cert is missing from
the file system.

Reduces the info logs from utils to prevent the dc audit dump too many
logs into the sysiv.log.

Test plan:
Passed - deploy an AIOSX, check the cert id by:
         system kube-rootca-get-cert-id.
Passed - manually remove the kube-rootca cert and key from the system,
         check the output of "system kube-rootca-get-cert-id", verified
         the error message w/o exceptions.
Passed - verify the dc audit doesn't dump logs about the cert id in
         sysinv.log.

Story: 2010852
Task: 49091

Signed-off-by: Yuxing Jiang <Yuxing.Jiang@windriver.com>
Change-Id: I47f1a9ca617bf0daf9c25e7b4552e52d3e9d1811
Yuxing Jiang 2023-11-23 09:56:16 -05:00
parent e72aca646a
commit bc40879eca
5 changed files with 19 additions and 19 deletions


@ -12054,14 +12054,7 @@ unauthorized (401), forbidden (403), badMethod (405), overLimit (413)
:widths: 20, 20, 20, 60
"cert_id", "plain", "xsd:string", "Certificate identifier composed by a combination of <issuer_hash>-<serial_number>"
"error", "plain", "xsd:string", "The error message in case something wrong happen on the API execution"
::
{
"cert_id": "d70efa2daaee06f8-314121337707572303468615715651317888841",
"error": ""
}
"error", "plain", "xsd:string", "The error message in the event of execution failure"
This operation does not accept a request body.
@ -12086,16 +12079,17 @@ forbidden (403), badMethod (405), overLimit (413)
:header: "Parameter", "Style", "Type", "Description"
:widths: 20, 20, 20, 60
"success", "plain", "xsd:string", "Certificate identifier composed by a combination of <issuer_hash>-<serial_number>"
"error", "plain", "xsd:string", "The error message in case something wrong happen on the API execution"
"cert_id", "plain", "xsd:string", "Certificate identifier composed by a combination of <issuer_hash>-<serial_number>"
"error", "plain", "xsd:string", "The error message in the event of execution failure"
::
{
"success": "d70efa2daaee06f8-314121337707572303468615715651317888841",
"cert_id": "d70efa2daaee06f8-314121337707572303468615715651317888841",
"error": ""
}
This operation does not accept a request body.
******************************


@ -50,7 +50,9 @@ class KubeRootCAUpdateManager(base.Manager):
try:
return self._list(self._path('get_cert_id'))[0]
except IndexError:
return []
msg = ("Failed to find the current Kubernetes root CA certificate "
"from file system")
return dict(cert_id="", error=msg)
def rootCA_upload(self, pem_content):
"""Retrieve the details of a given kubernetes rootca update.
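Review bot: The new `except IndexError` branch returns a plain dict, while the success path returns whatever `self._list(self._path('get_cert_id'))[0]` yields, so the same method now hands callers two different shapes. If a caller outside this hunk reads the result by attribute (for example `result.cert_id`), the dict fallback would raise `AttributeError` instead of surfacing the message. An empty list from the API also does not by itself show that the certificate is missing from the file system, so the fixed text may misattribute the cause. Consider stating the fallback in the method docstring, e.g. `Returns the API resource, or a dict with an empty cert_id and an error message when the API returns no entry`, and confirming the shell command handles both. The method's signature and docstring are outside the hunk.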


@ -387,8 +387,9 @@ class KubeRootCACetCertIDController(rest.RestController):
context=pecan.request.context)
return dict(cert_id=rootca_cert, error="")
except Exception as e:
msg = ("Failed to get the current kubernetes root CA certificate ID "
f"by error: {e.message}.")
msg = ("Failed to find the current Kubernetes root CA certificate "
"from file system")
LOG.exception(e)
return dict(cert_id="", error=msg)
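Review bot: The `except Exception` branch now reports every failure as "Failed to find the current Kubernetes root CA certificate from file system", which is inaccurate for any other error the call can raise. The `try` body starts outside the hunk, so RPC or parsing failures are presumably caught here too. Keeping the exception text out of the API response is a sound choice because it keeps internal details away from clients, but the fixed message should not assert a cause. A neutral wording such as `msg = "Failed to get the current Kubernetes root CA certificate ID; see sysinv.log for details"` keeps that property; alternatively, catch the specific not-found exception separately. `LOG.exception(e)` would also be easier to search for with a descriptive message, e.g. `LOG.exception("kube-rootca get_cert_id failed")`.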


@ -2747,8 +2747,8 @@ def get_cert_issuer_string_hash(cert):
hashed_attributes = \
hashlib.md5(issuer_attributes.encode()).hexdigest()[:16]
LOG.info("hashed issuer attributes %s from certificate "
% hashed_attributes)
LOG.debug("hashed issuer attributes %s from certificate "
% hashed_attributes)
except Exception:
LOG.exception()
raise exception.SysinvException(_(
@ -2886,7 +2886,6 @@ def build_cert_identifier(cert):
hash_subject = get_cert_issuer_string_hash(cert)
serial_number = get_cert_serial(cert)
cert_id = '%s-%s' % (hash_subject, serial_number)
LOG.info("%s is the identifier for the new root CA certificate" % cert_id)
return cert_id
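Review bot: `LOG.exception()` in the `except Exception:` branch of `get_cert_issuer_string_hash` is called without a message. Assuming `LOG` follows the standard `logging` signature, that call raises `TypeError` inside the handler, so the `SysinvException` on the next line is never raised. Since this commit reworks error handling on this path, it is worth fixing here: `LOG.exception("Failed to hash issuer attributes of the certificate")`. The changed `LOG.debug` call also formats eagerly with `%`; `LOG.debug("hashed issuer attributes %s from certificate", hashed_attributes)` skips the formatting when debug logging is off. The function body starts and ends outside the hunk.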


@ -17086,6 +17086,8 @@ class ConductorManager(service.PeriodicService):
LOG.error(msg)
return dict(success="", error=msg)
LOG.info(f"{new_cert_id} is the identifier for the new root CA "
"certificate")
return dict(success=new_cert_id, error="")
def save_kubernetes_rootca_cert(self, context, ca_file):
@ -17303,15 +17305,17 @@ class ConductorManager(service.PeriodicService):
# extract information regarding the new rootca
try:
new_cert = cutils.build_cert_identifier(certs[0])
new_cert_id = cutils.build_cert_identifier(certs[0])
except Exception:
msg = "Failed to extract issuer and serial number from new root CA"
LOG.error(msg)
return dict(success="", error=msg)
LOG.info(f"{new_cert_id} is the identifier for the new root CA "
"certificate")
# update db
update_obj = {'state': kubernetes.KUBE_ROOTCA_UPDATE_CERT_GENERATED,
'to_rootca_cert': new_cert}
'to_rootca_cert': new_cert_id}
r = self.dbapi.kube_rootca_update_update(update.id, update_obj)
return dict(success=r.to_rootca_cert, error="")
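Review bot: In the second hunk the `except Exception:` branch around `cutils.build_cert_identifier(certs[0])` logs only the fixed `msg` through `LOG.error(msg)` and discards the caught exception, so a malformed certificate or an empty `certs` list leaves no cause in the log. `LOG.exception(msg)` there would keep the traceback without changing the value returned to the caller. The first hunk shows the same `LOG.error(msg)` and return pattern, though its `try` is outside the view. The added `LOG.info` is duplicated verbatim in both methods and uses an f-string; `LOG.info("%s is the identifier for the new root CA certificate", new_cert_id)` formats lazily. Both method bodies extend outside the hunks.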