Avoid self-signed cert creation for HTTPS

REST API & Web Server TLS certificate (system-restapi-gui-certificate)
is now being installed at bootstrap in fs to be used for HTTPS.

This guarantees that the server-cert.pem is already present upon the
first unlock of the system, removing the need to create a self-signed
cert.

The self-signed cert will only be created if the
system-restapi-gui-certificate does not exist (test scenarios), to
avoid hard failures when switching to HTTPS.

Test plan:
PASS: Deploy an AIO-SX. Verify:
      - system-restapi-gui-certificate TLS cert is correctly installed
        in /etc/ssl/private/server-cert.pem before unlocking the
        controller.
      - HTTPS is enabled and openstack public endpoints change into it
        after unlocking the controller.
      - The target certificates are issued by 'system-local-ca', and
        are managed by cert-manager.
      - The certificates in /etc/ssl/private are correct.
      - It's possible to log into the local Docker Registry.
      - Horizon is working as expected.

PASS: Deploy an AIO-DX. After unlocking controller-1, SSH to it and
      verify that the Rest API / GUI certificate created during
      bootstrap is installed as the file
      '/etc/ssl/private/server-cert.pem'.

Story: 2009811
Task: 48976

Depends-on: https://review.opendev.org/c/starlingx/ansible-playbooks/+/902088

Change-Id: If9aa644898b179fbae2b5248c84c764199bb9b7c
Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
Marcelo Loebens 2023-10-20 16:24:07 -04:00
parent 01e8b85cf9
commit f23b3f1a89
3 changed files with 19 additions and 8 deletions

@ -2319,6 +2319,10 @@ CERT_MODE_TO_SECRET_NAME = {
CERT_MODE_OPENLDAP: OPENLDAP_CERT_SECRET_NAME
}
# Create RestAPI/GUI and Docker Registry certificates from bootstrap
CREATE_PLATFORM_CERTIFICATES_IN_BOOTSTRAP = os.path.join(tsc.CONFIG_PATH,
".create_platform_certificates")
# Storage associated networks
SB_SUPPORTED_NETWORKS = {
SB_TYPE_CEPH: [NETWORK_TYPE_MGMT, NETWORK_TYPE_CLUSTER_HOST]
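Review bot: the comment above `CREATE_PLATFORM_CERTIFICATES_IN_BOOTSTRAP` says what the flag means but not who writes it; a reader of constants.py alone cannot tell that `.create_platform_certificates` under `tsc.CONFIG_PATH` is a marker file expected to be created by the bootstrap playbook (presumably the ansible-playbooks change listed under Depends-on). Suggest extending the comment, e.g. `# Flag file written by bootstrap when the RestAPI/GUI and Docker Registry certificates are created there; its presence only, not its content, is checked`.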

@ -2386,6 +2386,12 @@ def is_fqdn_ready_to_use():
return False
def is_platform_certificates_creation_enabled():
"""Check if RestAPI/GUI and Docker Registry are to be created by bootstrap
"""
return os.path.isfile(constants.CREATE_PLATFORM_CERTIFICATES_IN_BOOTSTRAP)
def is_std_system(dbapi):
system = dbapi.isystem_get_one()
return system.system_type == constants.TIS_STD_BUILD
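Review bot: the docstring of `is_platform_certificates_creation_enabled` is missing its noun: "Check if RestAPI/GUI and Docker Registry are to be created by bootstrap" should read "... Docker Registry certificates are to be created by bootstrap". It should also say that the check is the presence of the flag file `constants.CREATE_PLATFORM_CERTIFICATES_IN_BOOTSTRAP`, not the presence of the certificates themselves, since callers that gate a fallback on this return value need to know that distinction.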

@ -8728,15 +8728,16 @@ class ConductorManager(service.PeriodicService):
:param context: an admin context.
"""
personalities = [constants.CONTROLLER]
system = self.dbapi.isystem_get_one()
if system.capabilities.get('https_enabled', False):
certificates = self.dbapi.certificate_get_list()
for certificate in certificates:
if certificate.certtype == constants.CERT_MODE_SSL:
break
else:
self._config_selfsigned_certificate(context)
if not cutils.is_platform_certificates_creation_enabled():
system = self.dbapi.isystem_get_one()
if system.capabilities.get('https_enabled', False):
certificates = self.dbapi.certificate_get_list()
for certificate in certificates:
if certificate.certtype == constants.CERT_MODE_SSL:
break
else:
self._config_selfsigned_certificate(context)
config_dict = {
"personalities": personalities,