From bc40879eca0969fffbf483d4b2d397c05f6a038d Mon Sep 17 00:00:00 2001 From: Yuxing Jiang Date: Thu, 23 Nov 2023 09:56:16 -0500 Subject: [PATCH] Improve kube-rootca-get-id API and error handling This commit corrects a error in the API reference introduced in: Ie78121d0c21d2c6033c8b5d4919e251fc4d98050. This commit also improves the error handling to return understandable error message, avoids print exception if the cert missed in the file system. Reduces the info logs from utils to prevent the dc audit dump too many logs into the sysiv.log. Test plan: Passed - deploy an AIOSX, check the cert id by: system kube-rootca-get-cert-id. Passed - manually remove the kube-rootca cert and key from the system, check the output of "system kube-rootca-get-cert-id", verified the error message w/o exceptions. Passed - verify the dc audit doesn't dump logs about the cert id in sysinv.log. Story: 2010852 Task: 49091 Signed-off-by: Yuxing Jiang Change-Id: I47f1a9ca617bf0daf9c25e7b4552e52d3e9d1811
---
 api-ref/source/api-ref-sysinv-v1-config.rst | 16 +++++-----------
 .../cgtsclient/v1/kube_rootca_update.py | 4 +++-
 .../api/controllers/v1/kube_rootca_update.py | 5 +++--
 sysinv/sysinv/sysinv/sysinv/common/utils.py | 5 ++---
 sysinv/sysinv/sysinv/sysinv/conductor/manager.py | 8 ++++++--
 5 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/api-ref/source/api-ref-sysinv-v1-config.rst b/api-ref/source/api-ref-sysinv-v1-config.rst
index fbc5e0ae35..e17b11015a 100644
--- a/api-ref/source/api-ref-sysinv-v1-config.rst
+++ b/api-ref/source/api-ref-sysinv-v1-config.rst
@@ -12054,14 +12054,7 @@ unauthorized (401), forbidden (403), badMethod (405), overLimit (413)
 :widths: 20, 20, 20, 60
 "cert_id", "plain", "xsd:string", "Certificate identifier composed by a combination of -"
- "error", "plain", "xsd:string", "The error message in case something wrong happen on the API execution"
-
-::
-
- {
- "cert_id": "d70efa2daaee06f8-314121337707572303468615715651317888841",
- "error": ""
- }
+ "error", "plain", "xsd:string", "The error message in the event of execution failure"
 This operation does not accept a request body.
@@ -12086,16 +12079,17 @@ forbidden (403), badMethod (405), overLimit (413)
 :header: "Parameter", "Style", "Type", "Description"
 :widths: 20, 20, 20, 60
- "success", "plain", "xsd:string", "Certificate identifier composed by a combination of -"
- "error", "plain", "xsd:string", "The error message in case something wrong happen on the API execution"
+ "cert_id", "plain", "xsd:string", "Certificate identifier composed by a combination of -"
+ "error", "plain", "xsd:string", "The error message in the event of execution failure"
 ::
 {
- "success": "d70efa2daaee06f8-314121337707572303468615715651317888841",
+ "cert_id": "d70efa2daaee06f8-314121337707572303468615715651317888841",
 "error": ""
 }
+
 This operation does not accept a request body.
 ******************************
diff --git a/sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update.py b/sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update.py
index dd19d89685..8b228634c9 100644
--- a/sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update.py
+++ b/sysinv/cgts-client/cgts-client/cgtsclient/v1/kube_rootca_update.py
@@ -50,7 +50,9 @@ class KubeRootCAUpdateManager(base.Manager):
 try:
 return self._list(self._path('get_cert_id'))[0]
 except IndexError:
- return []
+ msg = ("Failed to find the current Kubernetes root CA certificate "
+ "from file system")
+ return dict(cert_id="", error=msg)
 def rootCA_upload(self, pem_content):
 """Retrieve the details of a given kubernetes rootca update.
diff --git a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/kube_rootca_update.py b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/kube_rootca_update.py
index 422ecc1bff..664b5906a6 100644
--- a/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/kube_rootca_update.py
+++ b/sysinv/sysinv/sysinv/sysinv/api/controllers/v1/kube_rootca_update.py
@@ -387,8 +387,9 @@ class KubeRootCACetCertIDController(rest.RestController):
 context=pecan.request.context)
 return dict(cert_id=rootca_cert, error="")
 except Exception as e:
- msg = ("Failed to get the current kubernetes root CA certificate ID "
- f"by error: {e.message}.")
+ msg = ("Failed to find the current Kubernetes root CA certificate "
+ "from file system")
+ LOG.exception(e)
 return dict(cert_id="", error=msg)
diff --git a/sysinv/sysinv/sysinv/sysinv/common/utils.py b/sysinv/sysinv/sysinv/sysinv/common/utils.py
index 061d37a19d..37316fb77c 100644
--- a/sysinv/sysinv/sysinv/sysinv/common/utils.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/utils.py
@@ -2747,8 +2747,8 @@ def get_cert_issuer_string_hash(cert):
 hashed_attributes = \
 hashlib.md5(issuer_attributes.encode()).hexdigest()[:16]
- LOG.info("hashed issuer attributes %s from certificate "
- % hashed_attributes)
+ LOG.debug("hashed issuer attributes %s from certificate "
+ % hashed_attributes)
 except Exception:
 LOG.exception()
 raise exception.SysinvException(_(
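Review bot: The new IndexError branch in the cgtsclient get_cert_id method asserts a cause ("from file system") that the client cannot observe; an empty result from `self._list(self._path('get_cert_id'))` only tells the client that the API returned no entry, whatever the reason, so the message should stay within what is known, e.g. `msg = "No Kubernetes root CA certificate ID was returned by the API"`. The success path returns whatever `self._list(...)[0]` yields while the failure path now returns a plain dict, so a caller that reads `.cert_id` on the result presumably behaves differently on the two paths; confirm that the CLI formatter handles both shapes. The `def get_cert_id` line and its docstring are outside the hunk.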
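Review bot: The added `LOG.exception(e)` in KubeRootCACetCertIDController uses the exception object as the log message, so the logged text varies with each error and cannot be matched reliably by log monitoring; a fixed message lets the handler attach the traceback, `LOG.exception("Failed to get the current Kubernetes root CA certificate ID")`. The fixed API message now blames the file system for everything the `except Exception` branch catches, which presumably includes RPC failures from the conductor call above it, so a neutral response text such as `"Failed to get the current Kubernetes root CA certificate ID"` with the detail left in the log would be more accurate; keeping the exception text out of the API response, as the commit does, is the right choice. The enclosing method begins before the hunk.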
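Review bot: The `except Exception:` branch two lines below the changed LOG.debug call in get_cert_issuer_string_hash calls `LOG.exception()` with no message; unless the LOG adapter supplies a default, `Logger.exception` requires a `msg` argument, so the handler itself would raise TypeError before the SysinvException on the next line and the original failure would be masked — `LOG.exception("Failed to hash the issuer attributes of the certificate")` avoids that. On the changed lines, `LOG.debug("..." % hashed_attributes)` formats eagerly; `LOG.debug("hashed issuer attributes %s from certificate ", hashed_attributes)` defers the formatting to when debug is enabled, which matters now that this path runs under the audit. The function starts before the hunk and continues after it.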
@@ -2886,7 +2886,6 @@ def build_cert_identifier(cert):
 hash_subject = get_cert_issuer_string_hash(cert)
 serial_number = get_cert_serial(cert)
 cert_id = '%s-%s' % (hash_subject, serial_number)
- LOG.info("%s is the identifier for the new root CA certificate" % cert_id)
 return cert_id
diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
index ec815d86f1..7344eae7f8 100644
--- a/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/manager.py
@@ -17086,6 +17086,8 @@ class ConductorManager(service.PeriodicService):
 LOG.error(msg)
 return dict(success="", error=msg)
+ LOG.info(f"{new_cert_id} is the identifier for the new root CA "
+ "certificate")
 return dict(success=new_cert_id, error="")
 def save_kubernetes_rootca_cert(self, context, ca_file):
@@ -17303,15 +17305,17 @@ class ConductorManager(service.PeriodicService):
 # extract information regarding the new rootca
 try:
- new_cert = cutils.build_cert_identifier(certs[0])
+ new_cert_id = cutils.build_cert_identifier(certs[0])
 except Exception:
 msg = "Failed to extract issuer and serial number from new root CA"
 LOG.error(msg)
 return dict(success="", error=msg)
+ LOG.info(f"{new_cert_id} is the identifier for the new root CA "
+ "certificate")
 # update db
 update_obj = {'state': kubernetes.KUBE_ROOTCA_UPDATE_CERT_GENERATED,
- 'to_rootca_cert': new_cert}
+ 'to_rootca_cert': new_cert_id}
 r = self.dbapi.kube_rootca_update_update(update.id, update_obj)
 return dict(success=r.to_rootca_cert, error="")
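Review bot: The added `LOG.info(f"{new_cert_id} is the identifier for the new root CA " "certificate")` in the first manager.py hunk formats eagerly and mixes an f-string with an implicit literal concatenation, which reads as if the second literal were a separate argument; the lazy form `LOG.info("%s is the identifier for the new root CA certificate", new_cert_id)` fits on one line and applies to the identical call added in the second manager.py hunk (at -17303) as well. The method this hunk patches begins before the hunk, so whether `new_cert_id` is bound on every path reaching this line cannot be checked here; the preceding `return dict(success="", error=msg)` suggests the error branch exits first.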
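Review bot: The `except Exception:` branch just above the new LOG.info call in the second manager.py hunk records only the fixed text via `LOG.error(msg)`, so whatever made build_cert_identifier fail never reaches sysinv.log while the success path now logs the identifier; `LOG.exception(msg)` keeps the same message and adds the traceback an operator needs when a root CA rotation is rejected at this step. The enclosing method starts before the hunk.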